[c-nsp] IPSEC behind NAT device problem
Mihai Tanasescu
mihai at duras.ro
Thu Oct 18 16:14:12 EDT 2007
J. Oquendo wrote:
> Church, Charles wrote:
>
>> Are you using AH? That doesn't work with NAT, at least it didn't last
>> time I did a lot of VPN stuff.
>>
>> Chuck
>>
>>
>
> nonrandomseq is your friend
>
>
Hello,
Can you help a bit here with some details regarding my schematic ?
I have been digging for a while on Cisco's website and only found
examples of using static (inside,outside) with the norandomseq
parameter, but that was for the case Router 1 --- PIX NAT --- Router 2
(to make a NAT exception for Router 1 to Router 2 traffic.
They also showed this example (for BGP not IPSEC):
!--- No NAT translation, to allow Router11 on the inside to initiate a
BGP session
!--- to Router12 on the outside of PIX.
! for the case Router 11 - eBGP multihop --- PIX --- eBGP endpoint --
Router 12
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255
In my case the IPSEC tunnel is initiated by the PIX to the public IP
address of the Linux machine that statically destination NATs all ESP
and UDP port 500 traffic to the C3660 router (ipsec end point).
I can't figure this one out unfortunately...can you lend me a hand please ?
More information about the cisco-nsp
mailing list