NAT traversal with an 837 between 2 Ethernets.

I would like IPsec traffic to pass through an 837. Its configuration is below. It runs 12.3(14)T. The traffic must pass through the 2 Ethernet interfaces. The PIX is connected to Eth2. Eth0 is connected directly to the Internet.

Current configuration : 2435 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 *****************
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
ip name-server ****************
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
username ***************** password 7 *************
!
!
!
!
!
interface Ethernet0
 ip address ************ 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 *************
ip route 192.168.131.0 255.255.255.0 192.168.130.253
!
no ip http server
no ip http secure-server
!
ip nat pool NATpool ************* ********* netmask 255.255.255.224
ip nat inside source list 103 pool NATpool overload
ip nat inside source static 192.168.130.253 **************++++
!
!
ip access-list extended vty-access
 permit tcp ************ 0.0.0.31 any eq 22
 permit tcp 192.168.130.0 0.0.0.255 any eq 22
 permit tcp 192.168.130.0 0.0.0.255 any eq telnet
 permit tcp 192.168.131.0 0.0.0.255 any eq 22
 permit tcp 192.168.131.0 0.0.0.255 any eq telnet
 deny ip any any
access-list 10 permit 192.168.131.0 0.0.0.255
access-list 101 deny ip host 192.168.131.157 host *************
access-list 102 deny tcp any host ***********
access-list 103 permit ip 192.168.131.0 0.0.0.255 any
access-list 104 deny tcp host 192.168.131.157 host ***************** eq 22
access-list 104 deny tcp host ************ host ***************** eq 22
access-list 105 deny tcp host ************ host ***************** eq 22
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class vty-access in
 exec-timeout 120 0
 password 7 *****************
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
end

Phase I doesn't complete. NAT works well from the private side to the public side. I cannot try static NAT with a device other than the PIX (which terminates the VPN).

Alex.
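The configuration above carries a one-to-one static translation for the PIX next to an overload pool on the same outside interface. ESP carries no port numbers, so a port-overloaded pool cannot multiplex it the way it multiplexes TCP and UDP; an IPsec peer behind the router relies on the static translation, and a static global address that also lies inside the overload pool is worth flagging in a review. The following checker is an added example written for this thread, not the router's output or Cisco code; it parses IOS-style `ip nat` statements and reports that overlap. The public addresses in the sample are constructed (TEST-NET-3) because the posted configuration masks them out.

```python
"""Added example: find IOS static NAT entries whose global address also
sits inside a pool used with 'overload'.  Not the router output from the
post; sample addresses are constructed (TEST-NET-3)."""
import ipaddress
import re

# Constructed stand-in for the masked configuration in the post.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 203.0.113.2 255.255.255.224
 ip nat outside
interface Ethernet2
 ip address 192.168.130.254 255.255.255.0
 ip nat inside
ip nat pool NATpool 203.0.113.2 203.0.113.2 netmask 255.255.255.224
ip nat inside source list 103 pool NATpool overload
ip nat inside source static 192.168.130.253 203.0.113.2
access-list 103 permit ip 192.168.131.0 0.0.0.255 any
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)( overload)?$")
# Whole-host static translations only; port-specific forms (static tcp/udp ...)
# carry extra fields and deliberately do not match.
STATIC_RE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse_nat(config: str):
    """Return (pools, dynamic rules, static rules) parsed from the NAT lines."""
    pools, dynamics, statics = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := DYNAMIC_RE.match(line):
            acl, pool, overload = m.groups()
            dynamics.append({"acl": acl, "pool": pool, "overload": overload is not None})
        elif m := STATIC_RE.match(line):
            inside, outside = m.groups()
            statics.append((ipaddress.ip_address(inside), ipaddress.ip_address(outside)))
    return pools, dynamics, statics


def find_shared_addresses(config: str):
    """List static translations whose global address lies in an overload pool."""
    pools, dynamics, statics = parse_nat(config)
    findings = []
    for rule in dynamics:
        if not rule["overload"] or rule["pool"] not in pools:
            continue
        first, last = pools[rule["pool"]]
        for inside, outside in statics:
            if first <= outside <= last:
                findings.append({
                    "inside": str(inside),
                    "global": str(outside),
                    "pool": rule["pool"],
                    "acl": rule["acl"],
                })
    return findings


if __name__ == "__main__":
    for f in find_shared_addresses(SAMPLE_CONFIG):
        print(f"static {f['inside']} -> {f['global']} shares overload pool "
              f"{f['pool']} (acl {f['acl']})")
```

Run against a saved `show running-config`, the script lists each static entry that collides with an overload pool; an empty result means the IPsec peer's public address is dedicated to it.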


I've been using the same IP address for static NAT and dynamic NAT as well.

Alex.


interface Ethernet2 is configured as follows:

interface Ethernet2
 ip address 192.168.130.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out

These are the PIX logs:

Apr 12 20:05:45 fw-ts-itbs-area.italtbs.com %PIX-7-710005: UDP request discarded from /500 to tunnel_2:192.168.130.253/isakmp
Apr 12 20:06:25 fw-ts-itbs-area.italtbs.com %PIX-7-710005: UDP request discarded from /500 to tunnel_2:192.168.130.253/isakmp
Apr 12 20:07:05 fw-ts-itbs-area.italtbs.com %PIX-7-710005: UDP request discarded from /500 to tunnel_2:192.168.130.253/isakmp

So the IPsec packets arrive at the PIX but are discarded... In the meantime I realized that I must enable IKE on the tunnel_2 interface. But it still doesn't work. I'm using Openswan on the other side, and I tested the VPN (without NAT) and everything went OK.

This is a message from the PIX:

Apr 12 20:45:46 fw-ts-itbs-area.italtbs.com %PIX-7-702303: sa_request, (key eng. msg.) src= 192.168.130.253, dest= , src_proxy= 192.168.131.0/255.255.255.0/0/0 (type=4), dest_proxy= 192.168.132.104/255.255.255.248/0/0 (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 1200s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4005

And this is the message from the Linux box:

Apr 12 23:05:10 testvpn kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].

Why does it say "suspected ESPinUDP packet (NAT-Traversal)"? I've enabled NAT-Traversal on both sides.

I will also ask Openswan's users.

Alex.
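The klips line quoted in the post is the receiver's NAT-Traversal demultiplexing decision. With NAT-T (RFC 3948) both IKE and ESP share UDP port 4500, and the first four bytes of the payload tell them apart: all zero is the non-ESP marker placed in front of an IKE header, a lone 0xFF byte is a NAT keepalive, and anything else is read as an ESP header (SPI followed by sequence number), which is what produces a "suspected ESPinUDP" classification. On UDP/500 there is no marker and the payload is IKE directly. The classifier below is an added example written for this thread, not Openswan's or the PIX's code; every packet in it is constructed, and the last test case shows how an IKE message that reaches port 4500 without its marker is taken for ESP.

```python
"""Added example: classify UDP/500 and UDP/4500 payloads the way an IPsec
NAT-Traversal receiver does (RFC 3948).  Not Openswan's implementation;
all packets here are constructed."""
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes precede IKE on 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive on 4500
# ISAKMP/IKE header: ISPI, RSPI, next payload, version, exchange, flags, msgid, length
IKE_HEADER = struct.Struct("!QQBBBBII")
# ESP header start: SPI, sequence number
ESP_HEADER = struct.Struct("!II")


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed IKE header; flag a length field that disagrees with the datagram."""
    if len(data) < IKE_HEADER.size:
        return {"kind": "invalid", "reason": "truncated IKE header"}
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
            "major_version": version >> 4, "exchange_type": exch, "flags": flags,
            "message_id": msg_id, "length": length, "length_ok": length == len(data)}


def classify(port: int, payload: bytes) -> dict:
    """Return what a NAT-T capable receiver would take this UDP payload to be."""
    if port == IKE_PORT:
        return parse_ike_header(payload)            # no marker on 500
    if port != NAT_T_PORT:
        return {"kind": "invalid", "reason": f"not an IKE/NAT-T port: {port}"}
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "invalid", "reason": "shorter than marker/SPI"}
    if payload[:4] == NON_ESP_MARKER:
        return parse_ike_header(payload[4:])        # IKE behind the marker
    if len(payload) < ESP_HEADER.size:
        return {"kind": "invalid", "reason": "truncated ESP header"}
    spi, seq = ESP_HEADER.unpack_from(payload)      # anything else is ESP-in-UDP
    return {"kind": "esp-in-udp", "spi": spi, "sequence": seq}


# Constructed packets: an IKEv1 Main Mode (exchange type 2) first message with
# a zero responder SPI and no payloads, the same message behind the NAT-T
# marker, an ESP header with 16 bytes of opaque body, and a keepalive.
IKE_BODY = IKE_HEADER.pack(0x0123456789ABCDEF, 0, 1, 0x10, 2, 0, 0, IKE_HEADER.size)
SAMPLE_IKE_500 = IKE_BODY
SAMPLE_IKE_4500 = NON_ESP_MARKER + IKE_BODY
SAMPLE_ESP_4500 = ESP_HEADER.pack(0x0C1D2E3F, 7) + bytes(16)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_IKE_500), (4500, SAMPLE_IKE_4500),
                      (4500, SAMPLE_ESP_4500), (4500, SAMPLE_KEEPALIVE),
                      (4500, SAMPLE_IKE_500)]:
        print(port, classify(port, pkt))
```

The last case in the usage loop feeds the unmarked IKE message to port 4500: its initiator SPI is non-zero, so the receiver reads it as an ESP packet with SPI 0x01234567, which is the kind of mismatch that makes a NAT-T receiver log a suspected ESP-in-UDP datagram for traffic that was not ESP.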

