RE: PAT IPSec-FW Issue

From: Ryan West <rwest_at_zyedge.com>
Date: Thu, 4 Jun 2009 07:51:48 -0400

To answer your original question: yes, I have configured this in the past and
it works. Since you do not control the CP (I assume), can you ask the remote
party to send you traffic? You will gather much more useful information on
the receiving end of the tunnel. If you run debug cry isa 2 on your
firewall, do you see any debug output?

The ESP and IKE traffic should be your only requirements to establish the
tunnel. If you're having trouble passing traffic after phase 2, then you might
need to take a look at a few other things.

-ryan

________________________________
From: `yc `lepi [mailto:eshedalonie_at_gmail.com]
Sent: Thursday, June 04, 2009 3:27 AM
To: Ryan West
Cc: Cisco certification
Subject: Re: PAT IPSec-FW Issue

My mistake on the topology:

FW(192.168.1.1)----->(192.168.1.2)Router(80.1.1.1)

2009/6/3 Ryan West <rwest_at_zyedge.com>
Hello,

I'm not sure if I follow your scenario. Are you trying to establish phase 1
using the public address of 80.1.1.1 to an internal router at 192.168.1.1?
Forwarding ISAKMP and ESP to the internal host should work. Are you sure you
aren't listening for IKE packets on the R2 external interface?

-ryan

-----Original Message-----
Subject: PAT IPSec-FW Issue

I have tried today to make PAT IPSec to a Checkpoint FW, but without
success.

R1(192.168.1.1) ----->(192.168.1.2) R2 (80.1.1.1)

ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
ip nat inside source static esp 192.168.1.1 80.1.1.1

Has anyone ever tried to configure this, even without a Checkpoint FW -
could be ASA or any other FW vendor?
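A small check for the static PAT entries this thread is about, added here as an example (it is not code from the thread or from any vendor): it parses Cisco-style "ip nat inside source static" lines and reports whether IKE (udp/500), NAT-T (udp/4500) and ESP are all forwarded to the inside peer, whether any port was remapped, and which lines match no known syntax (such as the mistyped "ucp" keyword in the original post). The sample config, the REQUIRED set and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the four static PAT lines from the original post, including
# the mistyped protocol keyword 'ucp' that the router CLI would not accept.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static ucp 192.168.1.1 4500 80.1.1.1 4500
ip nat inside source static esp 192.168.1.1 80.1.1.1
"""

# What an IPsec peer behind PAT needs forwarded to it: IKE (udp/500), NAT-T
# (udp/4500; drop it if the peers never negotiate NAT-T) and ESP (IP proto 50).
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}

PORT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")
ESP_RE = re.compile(r"^ip nat inside source static esp (\S+) (\S+)$")


def parse_static_nat(config, inside_host, outside_ip):
    # forwarded: (proto, outside_port) pairs that reach inside_host via outside_ip
    # remapped: entries whose inside and outside ports differ (IKE expects 500<->500)
    # rejected: lines matching no known static NAT syntax, e.g. a mistyped keyword
    forwarded, remapped, rejected = set(), [], []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = PORT_RE.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            if in_ip == inside_host and out_ip == outside_ip:
                forwarded.add((proto, int(out_port)))
                if in_port != out_port:
                    remapped.append(line)
            continue
        m = ESP_RE.match(line)
        if m and m.groups() == (inside_host, outside_ip):
            forwarded.add(("esp", None))
            continue
        rejected.append(line)
    return forwarded, remapped, rejected


def check_ipsec_pat(config, inside_host, outside_ip):
    # missing blocks the tunnel; unneeded is noise (e.g. tcp/500); rejected is what the CLI refused
    forwarded, remapped, rejected = parse_static_nat(config, inside_host, outside_ip)
    return {
        "missing": sorted(REQUIRED - forwarded, key=str),
        "unneeded": sorted(forwarded - REQUIRED, key=str),
        "remapped": remapped,
        "rejected": rejected,
    }
```

Run check_ipsec_pat(SAMPLE_CONFIG, "192.168.1.1", "80.1.1.1") to see udp/4500 reported missing because the 'ucp' line was rejected, and tcp/500 reported as unneeded.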

Received on Thu Jun 04 2009 - 07:51:48 ART
