[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT

Michael Smith msmith at cbnco.com
Mon Nov 15 08:49:46 EST 2010


Paul Wouters wrote:

> However, when specifying this on the Cisco, it sends out non-port80 traffic
> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
> dropped at the nexthop for having an invalid source ip.

> access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 any 
> access-list outside_cryptomap extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
> 
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound

This line puts all traffic from 192.168.77.0/24 into NAT pool 0 (NAT 
exemptions).

You probably want to adjust your ACL inside_nat0_outbound to add "any 
object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).

> nat (inside) 1 0.0.0.0 0.0.0.0

This line means all other traffic will be NATted, so as long as your 
inside_nat0_outbound doesn't exclude it, you'll be OK.

Mike


More information about the Users mailing list