cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
748
Views
0
Helpful
4
Replies

IPSEC and NAT

stevent
Level 1
Level 1

I am doing a site to site vpn using two 1720's. I will be configuring NAT (static and overload) on both routers. The question is 1. When defining the traffic that gets encrypted by ipsec should i specify the private ip range or should i specify the public ip range?

2. I will be doing a static one-to-one nat for the mail, dns, ftp, http servers on the network. Do i still have to define in the access-list a rule to allow mail traffice through? if an access list is still required should it be e.g "access-list 101 permit tcp any 192.168.1.5 eq 25" which gets applied to the Serial interface or is it "access-lists 101 permit tcp any public ip eq 25" (the term public ip refers to any public ip)

Any help would be appreciated hope the above is clear.

4 Replies 4

almazana
Level 1
Level 1

I would specify the public address space, this is the out side of your network, and that particular interface represents your outside connectivity.

Much like BSD and ipfilter, you should define access-list for your interfaces considering both in and out traffic. For greater granulatiry, you should designate the servers entire address with wildcard masks. This way you filter the right tcp traffic to just the server that it is intended for.

s.diyorio
Level 1
Level 1

If I understand your setup correctly the answers will be:

1. Define an access list devoted only to the IPSEC configuration. Specify the source of your private network allowed to the destination of the other side's private network.

2. Your access list to allow public traffic should be allowed to the static public address you specify in your NAT statement and should be applied to the outside interface.

Perfect, s.diyorio nailed it down for you.

optp
Level 1
Level 1

Hello, Stevent.

I have been doing some trying with IPSEC.

Concerning your first question, you can specify public IP addresses or private IP addresses. It depends on your network design. You have the option to specify internal or public IP addresses. It is up to you.

The most important thing to say is : both sides must be configured with public IP addresses. After these public interfaces, you can route to invalid addresses.

About your second question, remember that you must define everything that will pass. Everything you do not include in the access-list will be prevented to go through the tunnel.

I hope to help.