12-18-2006 12:12 PM - edited 03-03-2019 03:05 PM
I will admit I am very confused given lack of concrete information available regarding IPSec and NAT.
Is it possible to configure an IPSec VPN behind a NAT router (Cisco 1700)?
I'm currently running an ISA 2006 VPN server and I have no issues connecting to it within the infrastructure (IPSec using pre-shared keys). However I can't reach the server from the outside.
I'm currently using these commands to forward and open up port UDP 500.
ip nat inside source static 192.168.111.33 209.x.x.100
access-list 111 permit udp any host 209.x.x.100 eq isakmp
Is this configuration even possible through a Cisco 1700? Or must I use PPTP (port 1723)? FYI, the router supports its own VPN but I was wanting to use ISA as it gives me more control in my particular org.
Thanks,
J
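Added example, not the poster's configuration and not a reply from the thread: the inbound policy an IPsec peer behind a one-to-one static NAT needs on an IOS router. The 192.168.111.33 / 209.x.x.100 addresses and ACL 111 are the ones from the question; the interface names (Serial0 outside, FastEthernet0 inside) are assumptions for a 1700.

```cisco
! A one-to-one static NAT rewrites only the IP header, so it already forwards
! every protocol to the inside host, including ESP (IP protocol 50). The
! translation from the question therefore needs no change:
ip nat inside source static 192.168.111.33 209.x.x.100
!
! The filter is where UDP 500 alone falls short. A peer that detects the NAT
! negotiates NAT-Traversal and moves IKE plus UDP-encapsulated ESP to UDP 4500;
! a peer without NAT-T sends raw ESP after phase 2. Admit both paths (and AH
! if a policy uses it), otherwise IKE completes but no data flows.
access-list 111 permit udp any host 209.x.x.100 eq isakmp
access-list 111 permit udp any host 209.x.x.100 eq non500-isakmp
access-list 111 permit esp any host 209.x.x.100
access-list 111 permit ahp any host 209.x.x.100
!
interface Serial0
 description outside (interface name assumed)
 ip nat outside
 ip access-group 111 in
!
interface FastEthernet0
 description inside (interface name assumed)
 ip nat inside
!
! Checks from the router: "show access-lists 111" should show hits on the udp
! 500/4500 or esp lines while a client connects, and "show ip nat translations"
! should list the static entry plus per-flow entries for 192.168.111.33.
```

If the hit counters on the `esp` and `non500-isakmp` lines stay at zero while the client reports a failed connection, the peers never got past IKE and the problem is on the ISA side rather than in the NAT.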
12-18-2006 02:01 PM
12-26-2006 01:17 PM
I am fighting the same problem, but I believe this might help some. Here is an example.
You have a nat rule for local IP to "any" - or general Internet
You have a different nat rule for local IP to the remote LAN through the VPN tunnel. This is simply defined with an access-list and nat rule.
You may even have a different nat rule that will nat you to another IP, but only if going through VPN1...
Example.
Your IP address = 192.168.222.222
Remote LAN over S-2-S VPN1 = 192.168.199.0/24
External IP natted to for VPN1 = 12.34.56.7
Remote LAN over S-2-S VPN2 = 172.16.16.0/24
You would have a series of access-lists:
access-list 104 permit ip host 12.34.56.7 192.168.199.0 0.0.0.255
access-list 105 permit ip host 192.168.222.222 192.168.199.0 0.0.0.255
access-list 106 deny ip host 192.168.222.222 172.16.16.0 0.0.0.255
access-list 106 deny ip host 192.168.222.222 192.168.199.0 0.0.0.255
access-list 106 permit ip host 192.168.222.222 any
access-list 107 permit ip host 192.168.222.222 172.16.16.0 0.0.0.255
!
! Normal Internet traffic: PAT to the serial interface. acl 106 keeps both VPN
! subnets out of this rule so neither tunnel's traffic can be overloaded by it.
ip nat inside source route-map nat_rulz1 interface Serial0/0/0 overload
!
! VPN1 traffic: translate the host to 12.34.56.7. A static entry with a
! route-map is used because the dynamic route-map form takes a pool or an
! interface, not a bare address.
ip nat inside source static 192.168.222.222 12.34.56.7 route-map nat_rulz2
!
route-map nat_rulz1 permit 10
 match ip address 106
route-map nat_rulz2 permit 10
 match ip address 105
IPSEC policy for VPN#1 matches access-list 104, after the nat process identifies the interesting traffic and NATs it to the public IP (using acl 105, applied by route-map to nat_rulz2).
IPSEC policy for S-2-S VPN#2 matches access-list 107 to define traffic to be encrypted, which uses the 'real' private IP without NAT.
ACL 106 exempts (deny) matching traffic from the "normal" nat process, but only if going to the other LAN past the VPN tunnel.
You can see that it is not exactly simple, but certainly can be done.
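Added example, not the poster's configuration: the crypto side that pairs with the route-map NAT above, so the link between each NAT rule and its crypto ACL is explicit. ACL numbers, the host 192.168.222.222, the remote subnets and 12.34.56.7 are the poster's; the peer addresses 203.0.113.1 and 203.0.113.2, the pre-shared keys and the AES transform set are assumptions.

```cisco
! On IOS, inside-to-outside NAT is applied before the crypto map is consulted.
! The crypto ACL for VPN1 must therefore match the post-NAT source 12.34.56.7
! (acl 104), while VPN2, whose traffic acl 106 keeps out of NAT, matches the
! untranslated host (acl 107).
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! peer addresses and keys are placeholders, not values from the thread
crypto isakmp key VPN1-KEY-ASSUMED address 203.0.113.1
crypto isakmp key VPN2-KEY-ASSUMED address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description VPN1 - source already translated to 12.34.56.7 by nat_rulz2
 set peer 203.0.113.1
 set transform-set TS
 match address 104
crypto map VPNMAP 20 ipsec-isakmp
 description VPN2 - untranslated private source, exempted from NAT by acl 106
 set peer 203.0.113.2
 set transform-set TS
 match address 107
!
interface Serial0/0/0
 ip nat outside
 crypto map VPNMAP
!
! Checks: "show ip nat translations" should show 192.168.222.222 -> 12.34.56.7
! only for flows to 192.168.199.0/24 and interface PAT for everything else, and
! "show crypto ipsec sa" should count encaps on the VPN1 SA whose local ident is
! 12.34.56.7/255.255.255.255 and on the VPN2 SA whose local ident is
! 192.168.222.222/255.255.255.255.
```

If the VPN1 SA never comes up, the usual cause is a crypto ACL written against the private address: the packet reaches the crypto map already carrying 12.34.56.7 as its source, so a `match address` on 192.168.222.222 never fires.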