NAT traffic over an IPSec tunnel (ISR)

Hi.

I'm supposed to set up an IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP address, and only one source IP address.

So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have IP addresses from the range 192.168.10.0/24, and the remote application at the "Checkpoint site" has the IP address 172.16.1.10. The result of this should be:

IPSec tunnel is created using the 10.10.1.1 IP-address.

The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as the source address OVER the IPSec tunnel.

Is this possible? I guess it would mean that I have to NAT the traffic going through the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.

Anyone who could shed some light? Any insight appreciated.


Cheers!

/Johan Christensson

1 Accepted Solution

jj27
Yes, this is possible. This should get you what you need. Let us know if it works or not.

! Policy NAT: only LAN traffic destined for the Checkpoint-side application is matched
ip access-list extended policy-NAT
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
! A pool may consist of a single address: start and end are both 10.10.1.2
ip nat pool LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0
! Overload (PAT) all matched inside sources behind that one address
ip nat inside source list policy-NAT pool LAN-Checkpoint overload

2 Replies


Thanks jjohnston1127!

Well, I guess that it would work, and I wasn't that far off, but I got stuck on the "ip nat inside" rule when I had to specify either a pool or an interface. It didn't occur to me that a pool could consist of just one IP address.

However, this raised a new problem. The "match address" access list that I use in the crypto map for the IPSec configuration currently looks something like this:
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10

If I change it to something like this, the tunnel negotiation gets triggered.
access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10

However, I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.

Is this because the NATing doesn't get processed before the IPSec configuration?

Can this behavior be changed?

Best regards,
Johan Christensson
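Putting the accepted answer together with the crypto ACL question in Johan's follow-up, here is a complete example configuration for the 1811. It is an added example, not a configuration posted in the thread: the interface names, the peer address 203.0.113.1, the outside interface mask, the ISAKMP policy, the transform set, the crypto map name and the pre-shared key are placeholders, while the addresses, ACL and pool names are the ones used in the thread. The point it demonstrates is the IOS order of operations: for inside-to-outside traffic the NAT translation is applied before the crypto map is evaluated, so the crypto ACL must match the already-translated source 10.10.1.2 (not 192.168.1.0/24), which is also exactly the single address the Checkpoint side expects as the local encryption domain.

```cisco
! Added example (not from the thread). Placeholders: interface names, peer 203.0.113.1,
! interface masks, ISAKMP policy, transform set, crypto map name, pre-shared key.
!
! 1. Policy NAT: only LAN -> 172.16.1.10 is translated, behind the single address 10.10.1.2.
ip access-list extended policy-NAT
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
ip nat pool LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0
ip nat inside source list policy-NAT pool LAN-Checkpoint overload
!
! 2. Crypto ACL ("interesting traffic"). Inside-to-outside NAT runs BEFORE the crypto
!    map check, so the packets the crypto map sees are already sourced from 10.10.1.2.
!    Matching 192.168.1.0/24 here would never match post-NAT packets, and would also
!    propose a local network the Checkpoint side does not have configured.
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
!
! 3. IKE phase 1 and IPsec phase 2 policy (placeholder values; agree them with the peer).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
crypto ipsec transform-set CP-TS esp-aes 256 esp-sha-hmac
crypto map CP-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set CP-TS
 match address 150
!
! 4. Interfaces: the tunnel is built from 10.10.1.1 (the crypto map lives on the
!    outside interface); 10.10.1.2 is only ever seen inside the tunnel.
interface FastEthernet0
 ip address 10.10.1.1 255.255.255.248
 ip nat outside
 crypto map CP-MAP
interface FastEthernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Verification (from a 192.168.1.x client, send traffic to 172.16.1.10, then):
!   show ip nat translations      -> entries 192.168.1.x:port <-> 10.10.1.2:port
!   show crypto isakmp sa         -> QM_IDLE with the peer
!   show crypto ipsec sa          -> local ident 10.10.1.2/32, remote ident 172.16.1.10/32,
!                                    #pkts encaps/decaps increasing
```

The two ACLs deliberately differ: policy-NAT is written in pre-NAT terms (the real LAN addresses), access-list 150 in post-NAT terms (the public address). If "show crypto ipsec sa" shows encaps counters rising but decaps staying at zero, the Checkpoint side is typically not sending its return traffic for 172.16.1.10 -> 10.10.1.2 into the VPN, which points at its encryption domain or rule base rather than at this router.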