[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT

Michael Smith msmith at cbnco.com
Mon Nov 15 08:49:46 EST 2010

Paul Wouters wrote:

> However, when specifying this on the Cisco, it sends out non-port80 traffic
> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
> dropped at the nexthop for having an invalid source ip.

> access-list inside_nat0_outbound extended permit ip any 
> access-list outside_cryptomap extended permit tcp any object-group DM_INLINE_TCP_3
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound

This line puts all traffic from into NAT pool 0 (NAT 

You probably want to adjust your ACL inside_nat0_outbound to add "any 
object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).

> nat (inside) 1

This line means all other traffic will be NATted, so as long as your 
inside_nat0_outbound doesn't exclude it, you'll be OK.
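To make the mismatch concrete, here is an added configuration sketch (not from the thread, and the networks 10.1.0.0/16 and 192.168.50.0/24 are constructed placeholders; the object-group name is the one from the quoted config). The first block reproduces the shape of the reported setup, the second block is the adjusted one Michael describes, with both ACLs matching:

```text
! --- As reported: NAT-exempt ACL is broader than the crypto ACL ---
! Constructed example, ASA 8.2-style syntax. 10.1.0.0/16 = inside,
! 192.168.50.0/24 = remote network behind the Openswan peer (placeholders).
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
! Crypto ACL: only TCP/80 to the remote net gets IPsec.
access-list outside_cryptomap extended permit tcp any 192.168.50.0 255.255.255.0 object-group DM_INLINE_TCP_3
! NAT-exempt ACL: *all* IP to the remote net is exempted from NAT.
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 10 match address outside_cryptomap
! Result: TCP/443 from 10.1.x.x to 192.168.50.x matches nat 0 (no NAT)
! but not the crypto map (no IPsec), so it leaves the outside interface
! in the clear with a private source address and is dropped upstream.

! --- Adjusted: NAT-exempt ACL mirrors the crypto ACL ---
access-list inside_nat0_outbound extended permit tcp any 192.168.50.0 255.255.255.0 object-group DM_INLINE_TCP_3
! Now only the traffic that will be encrypted is exempt from NAT;
! everything else to the remote net falls through to nat (inside) 1
! and is PATed to the outside interface address as normal.
```

A quick check after the change is `show nat` (or `show run nat`) alongside `show crypto map` to confirm the two ACLs select the same traffic, and `show crypto ipsec sa` to see only the intended proxy identities negotiated.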
