[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT
Michael Smith
msmith at cbnco.com
Mon Nov 15 08:49:46 EST 2010
Paul Wouters wrote:
> However, when specifying this on the Cisco, it sends out non-port80 traffic
> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
> dropped at the nexthop for having an invalid source ip.
> access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 any
> access-list outside_cryptomap extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
This line puts all traffic from 192.168.77.0/24 into NAT pool 0 (NAT
exemptions).
You probably want to adjust your ACL inside_nat0_outbound to add "any
object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).
> nat (inside) 1 0.0.0.0 0.0.0.0
This line means all other traffic will be NATted, so as long as your
inside_nat0_outbound doesn't exclude it, you'll be OK.
Mike
More information about the Users
mailing list