How to set up NAT on an IPsec tunnel?

Imed (Level 1)

I set up an IPsec tunnel between a Cisco router and a Fortigate firewall. The tunnel is up on both devices, but the two LAN subnets are unable to ping each other.

I have seen a lot of articles and tutorials and I am confused about the necessity of NAT on the Cisco side!

Please let me know how important NAT is on an IPsec tunnel.

Here is the Cisco config summary:

------------------------------------------------------------------

Router(config)#do sh run
Building configuration...

Current configuration : 1437 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip dhcp excluded-address 10.10.20.2 10.10.20.20
!
ip dhcp pool my_lan
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 8.8.8.8
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
! Phase 1 (IKEv1). MD5 and DH group 2 are weak by current standards; whatever is
! configured here has to match the Fortigate phase-1 proposal exactly.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key eve123 address 192.168.174.31
!
! Phase 2. Single DES with MD5 HMAC is deprecated; it has to match the Fortigate
! phase-2 proposal.
crypto ipsec transform-set fortigate esp-des esp-md5-hmac
 mode tunnel
!
! The PFS group has to match the Fortigate phase-2 PFS setting.
crypto ipsec profile phase2
 set transform-set fortigate
 set pfs group2
!
! Route-based VTI; it borrows the address of FastEthernet0/0.
interface Tunnel10
 ip unnumbered FastEthernet0/0
 tunnel source 192.168.174.30
 tunnel mode ipsec ipv4
 tunnel destination 192.168.174.31
 tunnel protection ipsec profile phase2
!
interface FastEthernet0/0
 ip address 192.168.174.30 255.255.255.0
 ip nat outside
 duplex full
!
interface FastEthernet1/0
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 duplex full
!
! PAT for LAN hosts leaving through FastEthernet0/0. Tunnel10 carries no
! "ip nat inside/outside" statement, so traffic routed into it is not translated.
ip nat inside source list 99 interface FastEthernet0/0 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.174.2
ip route 10.10.10.0 255.255.255.0 Tunnel10
!
access-list 99 permit 10.10.20.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

-----------------------------------------------------------------------------
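To answer the NAT question directly, here is an added example (not from the original post and not Cisco's own documentation) showing when a NAT exemption matters, using the addresses from the posted config. Case 1 is the poster's route-based VTI exactly as posted; case 2 is a hypothetical policy-based crypto map on the same router. The ACL names NAT_EXEMPT and VPN_TRAFFIC and the map name FORTI are chosen here for illustration.

```cisco
! Added example, not part of the original post. 10.10.20.0/24 is the local LAN,
! 10.10.10.0/24 the Fortigate LAN, 192.168.174.30/.31 the two peers (from the post).
!
! Case 1: route-based VTI, as posted. Packets for 10.10.10.0/24 are routed into
! Tunnel10, which has no "ip nat inside" or "ip nat outside" statement, so the
! inside-to-outside translation never fires for them. Only Internet-bound LAN
! traffic leaving FastEthernet0/0 is translated. No NAT exemption is needed and
! access-list 99 can stay as it is.
interface Tunnel10
 ip unnumbered FastEthernet0/0
 tunnel source 192.168.174.30
 tunnel mode ipsec ipv4
 tunnel destination 192.168.174.31
 tunnel protection ipsec profile phase2
!
ip route 10.10.10.0 255.255.255.0 Tunnel10
ip nat inside source list 99 interface FastEthernet0/0 overload
access-list 99 permit 10.10.20.0 0.0.0.255
!
! Case 2: policy-based crypto map on FastEthernet0/0 (hypothetical alternative,
! not the poster's setup). LAN packets now leave through the "ip nat outside"
! interface, and IOS runs inside-to-outside NAT before the crypto map check, so
! without an exemption the source would be rewritten to 192.168.174.30 and no
! longer match the crypto ACL. The NAT ACL must deny LAN-to-LAN traffic first.
ip access-list extended NAT_EXEMPT
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 any
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto map FORTI 10 ipsec-isakmp
 set peer 192.168.174.31
 set transform-set fortigate
 set pfs group2
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 ip nat outside
 crypto map FORTI
!
! In case 2 the static route to Tunnel10 is removed and 10.10.10.0/24 follows
! the default route out FastEthernet0/0, where the crypto map catches it.
no ip route 10.10.10.0 255.255.255.0 Tunnel10
no ip nat inside source list 99 interface FastEthernet0/0 overload
ip nat inside source list NAT_EXEMPT interface FastEthernet0/0 overload
```

To check which case you are in, ping from a LAN host (not from the router) and watch `show crypto ipsec sa`: if "#pkts encaps" stays at zero, the packet never reached the tunnel (routing or NAT on the Cisco side); if encaps rises but "#pkts decaps" stays at zero, the Fortigate is not returning traffic or the phase-2 selectors or proposals disagree. `show ip nat translations` should show no entries for 10.10.20.x to 10.10.10.x in either case.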


From the ping command:

I am checking tutorials and it sounds like a problem of clocking or another config mismatch on the Tunnel interface.

The line protocol on the tunnel interface goes up and down.

Hello,

I am not sure 'ip unnumbered' works with the NAT outside interface. Try assigning a different IP address to both tunnel interfaces, such as this one:

interface Tunnel10
 ip address 172.16.1.1 255.255.255.0 (--> 172.16.1.2 on the Fortigate)
 tunnel source 192.168.174.30
 tunnel mode ipsec ipv4
 tunnel destination 192.168.174.31
 tunnel protection ipsec profile phase2

Imed (Level 1)

Hello,

That didn't work.

Imed (Level 1)

As you can see on the capture, there is no problem with the Fortigate. I do not see any traffic coming from the Cisco.

Hello,

I just tested your setup in a lab. What if you change the IPsec profile to:

crypto ipsec profile phase2
 set transform-set fortigate
 --> set pfs group5
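Since the replies keep circling around proposal mismatches, here is an added example (not part of the reply above and not the poster's configuration) of the router's phase-1 and phase-2 settings with the proposal lifted to AES-256, SHA-256 and DH group 14 on both phases, and the values the Fortigate side has to mirror noted in comments. It keeps IKEv1 and the route-based VTI as posted. Assumptions: the Fortigate uses a route-based (phase1-interface / phase2-interface) VPN, `<long-random-psk>` is a placeholder for a real pre-shared key, and whether IOS 15.2 accepts `hash sha256` and `esp-sha256-hmac` depends on the image's feature set; if it rejects them, choose the strongest pair both boxes accept, but the proposals must be identical on both ends.

```cisco
! Added example, not the poster's configuration. Peer addresses are from the post;
! the FortiGate settings in comments are the values that must match and assume a
! route-based (phase1-interface) VPN on the FortiGate.
!
! Phase 1: replaces "hash md5 / group 2" and the default encryption, which the
! posted output does not show because it was never set.
! FortiGate phase1-interface equivalent: set ike-version 1, set proposal aes256-sha256,
! set dhgrp 14, set keylife 86400, set remote-gw 192.168.174.30.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <long-random-psk> address 192.168.174.31
!
! Phase 2: replaces "esp-des esp-md5-hmac".
! FortiGate phase2-interface equivalent: set proposal aes256-sha256, set pfs enable,
! set dhgrp 14, set keylifeseconds 3600.
crypto ipsec transform-set fortigate esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec security-association lifetime seconds 3600
!
! PFS group must equal the FortiGate phase-2 dhgrp, otherwise phase 2 fails
! even though phase 1 (and "tunnel is up" on the dashboard) looks fine.
crypto ipsec profile phase2
 set transform-set fortigate
 set pfs group14
!
! Tunnel10 stays as posted. After changing proposals, clear both SAs so the
! new parameters are actually renegotiated:
!   clear crypto sa
!   clear crypto isakmp
```

After clearing, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should list the transform `esp-256-aes esp-sha256-hmac` with PFS group 14; a mismatch on either side shows up as repeated phase-2 negotiation failures in `debug crypto ipsec` rather than in the phase-1 state.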
