[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT

Paul Wouters paul at xelerance.com
Mon Nov 15 16:21:24 EST 2010

On Mon, 15 Nov 2010, Michael Smith wrote:

>> However, when specifying this on the Cisco, it sends out non-port80 traffic
>> without NAT. Eg the traffic is not going through IPsec nor NAT, and then
>> dropped at the nexthop for having an invalid source ip.
>> access-list inside_nat0_outbound extended permit ip any
>> access-list outside_cryptomap extended permit tcp any object-group DM_INLINE_TCP_3
>> global (outside) 1 interface
>> nat (inside) 0 access-list inside_nat0_outbound
> This line puts all traffic from into NAT pool 0 (NAT 
> exemptions).
> You probably want to adjust your ACL inside_nat0_outbound to add "any 
> object-group DM_INLINE_TCP_3" (i.e. make it the same as outside_cryptomap).
>> nat (inside) 1
> This line means all other traffic will be NATted, so as long as your 
> inside_nat0_outbound doesn't exclude it, you'll be OK.

I have tried, but any ACL that lists a "service" (port) is rejected on the nat (inside)
command. I'm still trying to find a configuration that works :(
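For readers following this thread, here is the ASA configuration pairing under discussion written out in full, as an added illustration rather than config taken from either poster. The inside network 10.1.1.0/24, the contents of DM_INLINE_TCP_3 and the test addresses in the packet-tracer commands are assumptions; the original post elides the source network. It shows why the traffic described above leaves the box with neither NAT nor IPsec, and how to check which phase a given flow matches.

```cisco
! Added example, not configuration from the original post.
! ASSUMED: inside network 10.1.1.0/24, crypto ACL limited to HTTP.
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www

! Crypto map ACL: only TCP/80 from the inside network is sent through IPsec.
access-list outside_cryptomap extended permit tcp 10.1.1.0 255.255.255.0 any object-group DM_INLINE_TCP_3

! NAT exemption ACL as posted: "permit ip" exempts EVERY protocol and port
! from the inside network, so TCP/443, UDP, ICMP etc. match here (no NAT)
! but do not match outside_cryptomap (no IPsec) and leave with a
! private source address, which the next hop drops.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound

! Everything not covered by the exemption is PAT'ed to the outside interface.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! The ACL Michael suggests, mirroring the crypto ACL port for port. Paul
! reports the nat (inside) 0 command rejects a port-bearing ACL, so this
! is the intended match, not a configuration confirmed to be accepted:
! access-list inside_nat0_outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group DM_INLINE_TCP_3

! Check which NAT rule and whether the VPN encrypt phase matches a flow.
! Test hosts are assumed. Expect the first to hit nat 0 + VPN, the second
! to hit nat 0 only (the failure above) until the exemption is narrowed.
packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.5 80 detailed
packet-tracer input inside tcp 10.1.1.10 1025 203.0.113.5 443 detailed
```

Running both packet-tracer commands and comparing the NAT and VPN phases of their output is the quickest way to confirm whether the exemption ACL is wider than the crypto ACL for a given flow.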

