[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT
Paul Wouters
paul at xelerance.com
Mon Nov 15 16:21:24 EST 2010
On Mon, 15 Nov 2010, Michael Smith wrote:
>> However, when specifying this on the Cisco, it sends out non-port80 traffic
>> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
>> dropped at the nexthop for having an invalid source ip.
>
>> access-list inside_nat0_outbound extended permit ip 192.168.77.0
>> 255.255.255.0 any access-list outside_cryptomap extended permit tcp
>> 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
>>
>> global (outside) 1 interface
>> nat (inside) 0 access-list inside_nat0_outbound
>
> This line puts all traffic from 192.168.77.0/24 into NAT pool 0 (NAT
> exemptions).
>
> You probably want to adjust your ACL inside_nat0_outbound to add "any
> object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).
>
>> nat (inside) 1 0.0.0.0 0.0.0.0
>
> This line means all other traffic will be NATted, so as long as your
> inside_nat0_outbound doesn't exclude it, you'll be OK.
I have tried, but any ACL's that lists a "service" (port) is rejected on the nat (inside)
command. I'm still trying to find a configuration that works :(
Paul
More information about the Users
mailing list