Just translate UDP 500 and 4500. Phase 1 will detect the VPN server behind NAT and won't use plain ESP for phase 2; it will encapsulate it in UDP 4500. Make sure UDP 500/4500 are open on the edge router.

Regards,
Adrian

Date: Fri, 23 Nov 2012 01:55:46 +1100
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Configuring NAT for IKE and ESP traffic

Thanks for the input guys. I am running this up in GNS at the moment and will let you know what results I get.

On Fri, Nov 23, 2012 at 1:43 AM, Jay McMickle <[email protected]> wrote:

Interesting scenario, let me see if I can dig up something.

Regards,
Jay McMickle, CCIE #35355 (RS)
Sent from my iPhone 5

On Nov 22, 2012, at 1:42 AM, Ben Shaw <[email protected]> wrote:

> Hi All
>
> Can anyone provide input on this challenge?
>
> I have a small client with a single Internet connection and just the one
> public IP. I use static PAT on the edge router to translate inbound
> connections to different servers based on port (25, 443, 80 etc.).
>
> I would like to place a router on the inside of this edge router to terminate
> VPN tunnels. I do not wish to terminate VPN tunnels on this edge router.
> Having still only one public IP, I can obviously translate UDP 500 to the
> outside interface of this VPN router, but what about the ESP traffic? I don't
> believe I will be able to use PAT to translate the ESP packets to the same
> outside interface of the VPN router. For that I presume it would have to be a
> static NAT translation at layer 3.
>
> So, considering all current translations are in the form of static PAT on the
> router, if I add to this a static PAT for UDP 500 and a static NAT for the
> WAN interface of the edge router to the outside interface of the VPN router,
> should this work? The resultant configuration will be along the following
> lines:
>
> WAN IP:TCP25 -> Internal_Mail_Server:25
> WAN IP:TCP443 -> Internal_Web_Server1:443
> WAN IP:TCP80 -> Internal_Web_Server2:80
> WAN IP:UDP500 -> VPN_Router:500 (new)
> WAN IP -> VPN_Router (new)
>
> There is currently no static NAT configured on the edge router, only static
> PAT.
>
> Thanks
> Ben
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
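A worked edge-router configuration for the setup Adrian describes, as an added example that is not from any message in this thread. It assumes FastEthernet0/0 is the WAN interface holding the single public IP (203.0.113.1, a constructed documentation address), FastEthernet0/1 is the LAN, 192.168.1.10 is the outside interface of the internal VPN router, and 192.168.1.25/.80/.443 are the existing mail and web servers; all of these names and addresses are assumptions.

```cisco
! Added example, not the thread's own configuration. Assumed addressing:
!   Fa0/0 = WAN, public IP 203.0.113.1 (constructed)
!   Fa0/1 = LAN, 192.168.1.0/24
!   192.168.1.10 = outside interface of the internal VPN router
!   192.168.1.25 / .80 / .443 = existing mail and web servers
interface FastEthernet0/0
 description WAN (single public IP)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Existing static PAT entries for the published TCP services (unchanged)
ip nat inside source static tcp 192.168.1.25 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.1.80 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.1.443 443 interface FastEthernet0/0 443
!
! New entries for the internal VPN router. IKE phase 1 arrives on UDP 500.
! Both peers detect the NAT during phase 1 and switch to NAT-T, so IKE and
! the ESP payload both travel inside UDP 4500 from then on. No layer-3 static
! NAT of the whole public IP and no ESP translation is required; the
! remaining ports stay available for the existing static PAT entries.
ip nat inside source static udp 192.168.1.10 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.10 4500 interface FastEthernet0/0 4500
!
! Outbound overload on the same public IP (typical single-IP PAT setup)
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Inbound filter on the WAN side: the ACL is evaluated before the
! outside-to-inside translation, so it matches the public address.
! Only the two IKE/NAT-T ports are opened for the VPN; plain ESP (IP
! protocol 50) is deliberately not permitted because NAT-T never sends it.
ip access-list extended WAN-IN
 permit tcp any host 203.0.113.1 eq smtp
 permit tcp any host 203.0.113.1 eq www
 permit tcp any host 203.0.113.1 eq 443
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit tcp any any established
 deny   ip any any log
```

To confirm the behaviour once a tunnel is up: on the VPN router, `show crypto isakmp sa detail` lists an `N` in the capabilities column when NAT-T was negotiated and `show crypto ipsec sa` shows the peer with `port 4500`; on the edge router, `show ip nat translations` should show hits on both the udp 500 and udp 4500 static entries. If only the UDP 500 entry is present, phase 1 completes but no tunnel traffic flows, because the phase 2 packets arrive on UDP 4500 and are dropped.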
