[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT

Paul Wouters paul at xelerance.com
Mon Nov 15 16:21:24 EST 2010


On Mon, 15 Nov 2010, Michael Smith wrote:

>> However, when specifying this on the Cisco, it sends out non-port80 traffic
>> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
>> dropped at the nexthop for having an invalid source ip.
>
>> access-list inside_nat0_outbound extended permit ip 192.168.77.0 
>> 255.255.255.0 any access-list outside_cryptomap extended permit tcp 
>> 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
>> 
>> global (outside) 1 interface
>> nat (inside) 0 access-list inside_nat0_outbound
>
> This line puts all traffic from 192.168.77.0/24 into NAT pool 0 (NAT 
> exemptions).
>
> You probably want to adjust your ACL inside_nat0_outbound to add "any 
> object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).
>
>> nat (inside) 1 0.0.0.0 0.0.0.0
>
> This line means all other traffic will be NATted, so as long as your 
> inside_nat0_outbound doesn't exclude it, you'll be OK.

I have tried, but any ACL's that lists a "service" (port) is rejected on the nat (inside)
command. I'm still trying to find a configuration that works :(

Paul


More information about the Users mailing list