[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT
Paul Wouters
paul at xelerance.com
Mon Nov 15 23:11:06 EST 2010
On Mon, 15 Nov 2010, Paul Wouters wrote:
With many thanks to Michael Smith this issue has been resolved!
For those interested in the solution (now and later):
object-group service http tcp
 description http
 port-object eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 group-object http
object-group service DM_INLINE_TCP_2 tcp
 group-object http
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 group-object http
 port-object eq https
object-group network internal
 network-object 192.168.77.0 255.255.255.0
object-group service tcp_81_442 tcp
 port-object range 81 442
access-list outside_cryptomap extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
access-list everything_but_web3 extended permit udp object-group internal any
access-list everything_but_web3 extended permit icmp object-group internal any
access-list everything_but_web3 extended permit tcp object-group internal any lt www
access-list everything_but_web3 extended permit tcp object-group internal any object-group tcp_81_442
access-list everything_but_web3 extended permit tcp object-group internal any gt https
global (outside) 1 interface
nat (inside) 1 access-list everything_but_web3
There is no nat (inside) 0 ... statement.
I'll put the full config in the openswan wiki.
Paul
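A small check of the port split the configuration above relies on, written as an added example (not from the post, Openswan or Cisco): it models only the destination-port logic of the two access-lists, assumes every flow comes from the 192.168.77.0/24 "internal" object-group, and uses the ASA's first-match semantics to show that TCP 80 and 443 are left untranslated for the crypto map while everything else is policy-NATed, with no TCP port falling through both lists.

```python
# Assumption: the source test (192.168.77.0/24) is omitted; only protocol
# and destination port are modelled.
WWW, HTTPS = 80, 443  # ASA keywords www / https

# access-list everything_but_web3: (protocol, destination-port predicate)
EVERYTHING_BUT_WEB3 = [
    ("udp",  lambda p: True),             # permit udp object-group internal any
    ("icmp", lambda p: True),             # permit icmp object-group internal any
    ("tcp",  lambda p: p < WWW),          # permit tcp ... any lt www
    ("tcp",  lambda p: 81 <= p <= 442),   # ... any object-group tcp_81_442
    ("tcp",  lambda p: p > HTTPS),        # permit tcp ... any gt https
]

# access-list outside_cryptomap: object-group DM_INLINE_TCP_3 = www + https
OUTSIDE_CRYPTOMAP = [("tcp", lambda p: p in (WWW, HTTPS))]


def acl_matches(acl, proto, port):
    """True if any entry of the access-list permits this flow (first match wins)."""
    return any(p == proto and pred(port) for p, pred in acl)


def classify(proto, port=0):
    """Classify one flow from the internal network: 'nat', 'tunnel' or 'unmatched'."""
    if acl_matches(EVERYTHING_BUT_WEB3, proto, port):
        return "nat"        # nat (inside) 1: translated to the outside interface
    if acl_matches(OUTSIDE_CRYPTOMAP, proto, port):
        return "tunnel"     # left untranslated, so it matches the crypto-map ACL
    return "unmatched"      # neither translated nor encrypted: a gap in the split


def tcp_gaps():
    """TCP destination ports covered by neither access-list; expected to be empty."""
    return [p for p in range(1, 65536) if classify("tcp", p) == "unmatched"]


if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 443), ("tcp", 22),
                        ("tcp", 442), ("tcp", 444), ("udp", 53)]:
        print(f"{proto}/{port} -> {classify(proto, port)}")
    print("uncovered tcp ports:", tcp_gaps())
```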