Hi folks,
I'm trying to make an L2L VPN between an SRX and a Fortinet.
The SRX has a dynamic IP, while the Fortinet is static, behind a Cisco router.
SRX----->Internet<-------Cisco router (NATted device)<-------Fortinet firewall
I can make VPNs with other boxes, but the problem is that I can't see UDP 4500 in the
translation table of the Cisco router, only UDP 500, which is causing my VPN not to
establish.
I'm attaching my configuration for your reference.
Below is the output of my translations:
sh ip nat translation
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
udp x.x.x.x:500 172.16.140.4:500 x.x.x.x:500 x.x.x.x:500
Any suggestion would be appreciated.
Faizan Khurshid
Network Engineer, Network & Security Department
Mideast Data Systems | P.O. Box: 7899, Abu Dhabi, UAE
T: +971 2 6274000 | F: +971 2 6271114 | M: +971-55-5982393
faizan_at_mdsuae.ae | www.mdscomputers.ae
Part of the Midis Group
interface GigabitEthernet0/0
description "Connected-to-IOE"
ip address x.x.x.xx 255.255.255.252
ip access-group LYNC in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description "PPOE"
no ip address
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/0
description LAN-Interface
ip address x.x.x.xx 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
no negotiation auto
vrrp 1 ip 172.16.140.1
vrrp 1 priority 120
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname x.x.x.xx
ppp chap password x.x.x.xx
ppp pap sent-username x.x.x.xx password x.x.x.xx
!
ip nat service list 1 IKE preserve-port
ip nat service list 1 ESP spi-match
ip nat inside source list IOE-Internet interface GigabitEthernet0/0 overload
ip nat inside source list PPOE interface Dialer1 overload
ip nat inside source static x.x.x.xx(inside) x.x.x.xx(outside) "(VPN)"
ip access-list extended IOE
deny ip host 172.16.28.69 host 172.17.2.2
deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip 172.16.16.0 0.0.0.255 any
permit ip host 172.16.140.4 any
ip access-list extended IOE-Internet
permit ip 172.0.0.0 0.255.255.255 any
ip access-list extended LYNC
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ip any any
ip access-list extended PPOE
deny ip host 172.16.28.69 host 172.17.2.2
deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
permit ip 172.17.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
route-map PBR permit 10
match ip address IOE
set ip next-hop 94.56.216.85
!
route-map PBR permit 20
match ip address PPOE
set interface Dialer1
!
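A small check for the symptom described above, as an added example that is not part of the original post: it parses `show ip nat translations` output and lists inside hosts that have a UDP/500 translation but no UDP/4500 one, i.e. peers for which NAT-T never produced a translation on the router. The sample output and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed stand-ins for the masked x.x.x.x values.

```python
"""Check a Cisco 'show ip nat translations' dump for IKE NAT-T coverage.
Added example, not from the original post: for every inside host with an
IKE (UDP/500) translation, report whether a NAT-T (UDP/4500) one exists.
Sample is constructed; documentation ranges stand in for masked x.x.x.x."""
import re
from collections import defaultdict
# Constructed sample: 172.16.140.4 only ever shows UDP/500, as in the post's
# output; 172.16.140.9 has both 500 and 4500 (NAT-T negotiated).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:500   172.16.140.4:500   198.51.100.7:500   198.51.100.7:500
udp 203.0.113.10:500   172.16.140.4:500   198.51.100.7:500   198.51.100.7:500
udp 203.0.113.10:4500  172.16.140.9:4500  198.51.100.8:4500  198.51.100.8:4500
udp 203.0.113.10:500   172.16.140.9:500   198.51.100.8:500   198.51.100.8:500
tcp 203.0.113.10:1025  172.16.140.20:1025 198.51.100.9:80    198.51.100.9:80
"""
# Columns: Pro, Inside global, Inside local, Outside local, Outside global
LINE = re.compile(r"^(udp|tcp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_translations(text):
    """Yield (proto, inside_global, inside_local, outside_local, outside_global)."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            yield m.groups()

def split_port(endpoint):
    """'172.16.140.4:500' -> ('172.16.140.4', 500)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def ike_natt_status(text):
    """Map inside host -> {'ike': bool, 'natt': bool} from its UDP 500/4500 rows."""
    seen = defaultdict(lambda: {"ike": False, "natt": False})
    for proto, _ig, il, _ol, _og in parse_translations(text):
        if proto != "udp":
            continue
        host, port = split_port(il)
        if port == 500:
            seen[host]["ike"] = True
        elif port == 4500:
            seen[host]["natt"] = True
    return dict(seen)

def peers_missing_natt(text):
    """Inside hosts that have IKE but no NAT-T translation, like the post's peer."""
    return sorted(h for h, s in ike_natt_status(text).items() if s["ike"] and not s["natt"])

if __name__ == "__main__":
    for host in peers_missing_natt(SAMPLE):
        print(f"{host}: UDP/500 present, UDP/4500 absent (NAT-T not established)")
```

Run it against a real dump saved from the router to see which peers only ever reach the IKE stage; an inside host listed here has its ISAKMP exchange translated but no NAT-T flow, which matches the VPN not establishing.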
Received on Tue Jul 09 2013 - 12:34:04 ART