Enable Nat- traversal in SRX
On Tue, Jul 9, 2013 at 10:34 AM, faizan khurshid <faizankhurshid921_at_hotmail.com> wrote:
> Hi folks,
> I'm trying to make an L2L VPN between an SRX and a Fortinet.
> The SRX has a dynamic IP, while the Fortinet is static on a Cisco router.
>
> SRX----->Internet<-------Cisco router (NATted device)<-------Fortinet firewall
>
>
> I can make VPNs with other boxes, but the problem is that I can't see
> port udp 4500 in the translation table of the Cisco router, only udp 500,
> which is causing my VPN not to establish.
> I'm attaching my configuration for your reference.
> Below is the output of my translation:
> sh ip nat translation
> Pro Inside global      Inside local       Outside local      Outside global
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
> udp x.x.x.x:500        172.16.140.4:500   x.x.x.x:500        x.x.x.x:500
>
> Any suggestion would be appreciated
>
>
> Faizan Khurshid
> Network Engineer, Network & Security Department
> Mideast Data Systems | P.O. Box: 7899, Abu Dhabi, UAE
> T: +971 2 6274000 | F: +971 2 6271114 | M: +971-55-5982393
> faizan_at_mdsuae.ae | www.mdscomputers.ae
> Part of the Midis Group
>
> interface GigabitEthernet0/0
>  description "Connected-to-IOE"
>  ip address x.x.x.xx 255.255.255.252
>  ip access-group LYNC in
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  media-type rj45
> !
> interface GigabitEthernet0/1
>  description "PPOE"
>  no ip address
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  media-type rj45
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface GigabitEthernet0/0/0
>  description LAN-Interface
>  ip address x.x.x.xx 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip policy route-map PBR
>  no negotiation auto
>  vrrp 1 ip 172.16.140.1
>  vrrp 1 priority 120
> !
> interface Dialer1
>  ip address negotiated
>  ip mtu 1492
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  ppp authentication chap pap callin
>  ppp chap hostname x.x.x.xx
>  ppp chap password x.x.x.xx
>  ppp pap sent-username x.x.x.xx password x.x.x.xx
> !
> ip nat service list 1 IKE preserve-port
> ip nat service list 1 ESP spi-match
> !
> ip nat inside source list IOE-Internet interface GigabitEthernet0/0 overload
> ip nat inside source list PPOE interface Dialer1 overload
> ip nat inside source static x.x.x.xx(inside) x.x.x.xx(outside) "(VPN)"
> !
> ip access-list extended IOE
>  deny ip host 172.16.28.69 host 172.17.2.2
>  deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
>  permit ip 172.16.16.0 0.0.0.255 any
>  permit ip host 172.16.140.4 any
> ip access-list extended IOE-Internet
>  permit ip 172.0.0.0 0.255.255.255 any
> ip access-list extended LYNC
>  permit esp any any
>  permit udp any any eq isakmp
>  permit udp any any eq non500-isakmp
>  permit ip any any
> ip access-list extended PPOE
>  deny ip host 172.16.28.69 host 172.17.2.2
>  deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
>  deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
>  permit ip 172.16.0.0 0.0.255.255 any
>  permit ip 172.17.0.0 0.0.255.255 any
>  permit ip 192.168.0.0 0.0.255.255 any
> !
> route-map PBR permit 10
>  match ip address IOE
>  set ip next-hop 94.56.216.85
> !
> route-map PBR permit 20
>  match ip address PPOE
>  set interface Dialer1
> !
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Jul 09 2013 - 15:32:28 ART
This archive was generated by hypermail 2.2.0 : Thu Aug 01 2013 - 08:45:50 ART
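As an added example (not from the original post or any reply on the list), the script below shows the two things the poster's symptom turns on: how an IKE peer detects that a NAT sits in front of it, which is what triggers the move from udp/500 to udp/4500, and a check of `show ip nat translations` output for udp/4500 entries belonging to one inside host. The NAT-detection hash is SHA-1(SPIi | SPIr | IP | Port) as specified in RFC 7296 section 2.23 for IKEv2; RFC 3947 uses the same construction for IKEv1 NAT-D with the 8-byte cookies in place of the SPIs. The SPI values, the public addresses 203.0.113.10 and 198.51.100.7, and the sample table rows are constructed for the example (documentation ranges); only 172.16.140.4 is taken from the poster's table.

```python
import hashlib
import ipaddress
import re
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify
    (RFC 7296 s.2.23; RFC 3947 NAT-D for IKEv1 is the same with 8-byte cookies):
    SHA-1(SPIi | SPIr | IP | Port), port as a 2-byte big-endian integer."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs/cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for v4, 16 for v6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_between(spi_i, spi_r, sender_ip, sender_port, observed_ip, observed_port):
    """The sender hashes the address/port it believes it is sending from; the
    receiver hashes the address/port in the IP/UDP header it actually got.
    A mismatch means something rewrote the header on the way, i.e. a NAT."""
    sent = nat_detection_hash(spi_i, spi_r, sender_ip, sender_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


# Constructed SPIs (not values from the post).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")


def fortinet_side_detects_nat():
    """The Fortinet sends from 172.16.140.4; after PAT on the Cisco router the
    SRX sees 203.0.113.10 (constructed). The hashes differ, so the peers must
    float to udp/4500."""
    return nat_between(SPI_I, SPI_R, "172.16.140.4", 500, "203.0.113.10", 500)


def srx_side_detects_nat():
    """The SRX has a public, if dynamic, address (198.51.100.7, constructed)
    with no NAT in front of it, so its hash matches: no NAT on that side."""
    return nat_between(SPI_I, SPI_R, "198.51.100.7", 500, "198.51.100.7", 500)


# One translation row: Pro, Inside global, Inside local, Outside local, Outside global.
NAT_LINE = re.compile(
    r"^(?P<pro>\w+)\s+(?P<ig>[^\s:]+):(?P<igp>\d+)\s+(?P<il>[^\s:]+):(?P<ilp>\d+)\s+"
    r"(?P<ol>[^\s:]+):(?P<olp>\d+)\s+(?P<og>[^\s:]+):(?P<ogp>\d+)\s*$"
)


def ike_ports_for_host(show_output: str, inside_local: str) -> dict:
    """Count udp/500 and udp/4500 rows in `show ip nat translations` output whose
    inside-local address is the given host; the header and static '---' rows
    do not match the pattern and are skipped."""
    counts = {500: 0, 4500: 0}
    for line in show_output.splitlines():
        m = NAT_LINE.match(line.strip())
        if not m or m["pro"].lower() != "udp" or m["il"] != inside_local:
            continue
        port = int(m["ilp"])
        if port in counts:
            counts[port] += 1
    return counts


def diagnose(show_output: str, inside_local: str) -> str:
    c = ike_ports_for_host(show_output, inside_local)
    if c[500] and not c[4500]:
        return ("udp/500 is translated for %s but there is no udp/4500 entry: the "
                "peers have not floated to NAT-T. Check NAT-T on both peers and that "
                "udp/4500 is not filtered anywhere on the path." % inside_local)
    if c[4500]:
        return "udp/4500 translations present for %s: NAT-T is in use." % inside_local
    return "no IKE translations for %s." % inside_local


# Constructed sample in the shape of the poster's output (udp/500 rows only).
SAMPLE_NO_NATT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:500   172.16.140.4:500   198.51.100.7:500   198.51.100.7:500
udp 203.0.113.10:500   172.16.140.4:500   198.51.100.7:500   198.51.100.7:500
--- 203.0.113.11       172.16.140.5       ---                ---
"""
# Same table as it would look once the peers have floated to NAT-T.
SAMPLE_NATT = SAMPLE_NO_NATT + \
    "udp 203.0.113.10:4500  172.16.140.4:4500  198.51.100.7:4500  198.51.100.7:4500\n"

if __name__ == "__main__":
    print("Fortinet side sees NAT:", fortinet_side_detects_nat())
    print("SRX side sees NAT:     ", srx_side_detects_nat())
    print(diagnose(SAMPLE_NO_NATT, "172.16.140.4"))
    print(diagnose(SAMPLE_NATT, "172.16.140.4"))
```

Paste real `show ip nat translations` output into `diagnose()` to see which case applies. One thing to verify on the router itself: `ip nat service list 1 IKE preserve-port` and `ip nat service list 1 ESP spi-match` refer to standard access-list 1, which the posted configuration excerpt does not show, so confirm that list exists and matches the Fortinet's address.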