
VPN and PAT 2


itenghm

Technical User
Feb 1, 2007
Hi all,
I'm trying to forward IPSEC traffic to a VPN box inside my LAN through a Cisco router.
I have added PAT rules:
ip nat inside source static udp vpn_box_address 500 interface wan_interface 500 (this is for IKE)
ip nat inside source static esp vpn_box_address 500 interface wan_interfac

When trying to connect, only the first rule is applied and the connection fails.

Any idea?
 
Change

ip nat inside source static esp vpn_box_address 500 interface wan_interfac

to

ip nat inside source static esp vpn_box_address 500 interface wan_interfac 500

By the way, this is static NAT, not PAT...

Burt
 
Thanks
I will try it, but what is PAT then?
 
Well, the command is not recognized; it only allows the following command:
ip nat inside source static esp vpn_box_address interface wan_interfac (without the IKE port)
so I need to put the IKE in a second rule, which is what I did in the first place, and it didn't work!
In the log of the vpn box appears:
"ISAKMP: No proposal chosen in message from client"
It seems that the vpn box doesn't get the ISAKMP SA proposal from the client.
 
Sorry---port numbers only need to be specified for tcp and udp, since they are the only protocols that use ports.

ip nat inside source static esp vpn_box_address 500 interface wan_interfac
needs to be changed to
ip nat inside source static esp vpn_box_address interface wan_interfac
Another way to accomplish this is to use route-maps...just build an access-list, as it supports more protocols (ahp, esp, eigrp, ospf, ipinip, gre, icmp, igmp, nos, pim, pcp, tcp, udp). Let's say it is acl 102...you have built it to allow from any to x.x.x.x eq all these protocols, plus a few tcp and udp ports. Then the nat statement would be...
ip nat inside source route-map route_map_name wan_interface
and the route-map would look like
route-map route_map_name permit 1
match ip address 102

Burt
 
Nothing seems to work :(
I've tried everything and the same log message appears on the vpn box:
ISAKMP No proposal chosen in message from client
:(
 
Please explain the topology for the VPN...like what router/firewall serves the vpn? Are you trying to allow vpn traffic TO or THROUGH the router, and if through, then to what?

Burt
 
We have a Cisco 2821 router (IOS 12.4(5)T1) and a Nortel Contivity for VPN. Any client that wants to connect to the network first connects to the public address on the WAN card of the router, and then the router must forward the VPN traffic to the Contivity.
 
20 permit udp any any eq non500-isakmp
30 permit udp any any eq isakmp
40 permit esp any any
50 permit ahp any any
Try that.

Burt
 
The problem was in the vpn box: the routing was wrong.
Now the problem is solved.
I put the same PAT rules:
ip nat inside source static udp vpn_box_address 500 interface wan_interface 500 (this is for IKE)
ip nat inside source static esp vpn_box_address 500 interface wan_interfac
with the right access list.

Thanks
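Pulling Burt's corrections from this thread together (the ESP entry without a port number, the explicit UDP 500 entry, and the access list permitting isakmp, non500-isakmp, esp and ahp), here is a complete IOS configuration fragment as an added example; it is not from the thread or from any of the posters. Interface names, addresses and the ACL name are constructed, and the UDP 4500 (NAT-T) entry is added for remote clients that sit behind their own NAT.

```cisco
! Added example, not from the thread. Constructed values:
!   WAN  = GigabitEthernet0/0, public address 198.51.100.2
!   LAN  = GigabitEthernet0/1, Contivity (VPN gateway) at 192.168.1.10
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! IKE (UDP 500) and NAT-T (UDP 4500) are UDP, so inside and outside ports are
! given explicitly and must match on both ends of the entry.
ip nat inside source static udp 192.168.1.10 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.10 4500 interface GigabitEthernet0/0 4500
! ESP is IP protocol 50 and has no ports; adding a port number here is
! rejected by the parser, which is the error hit earlier in the thread.
! Only one inside host can receive ESP this way, since nothing else
! distinguishes the flows.
ip nat inside source static esp 192.168.1.10 interface GigabitEthernet0/0
!
! Inbound WAN filter: only the IPsec control and data protocols, and only to
! the router's own public address. AH is permitted but not translated above;
! its integrity check covers the outer IP header, which NAT rewrites.
ip access-list extended WAN-IN
 remark Merge into any existing inbound WAN ACL before applying it with
 remark "ip access-group WAN-IN in": an ACL ends with an implicit deny that
 remark would otherwise drop return traffic for other NAT sessions.
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq non500-isakmp
 permit esp any host 198.51.100.2
 permit ahp any host 198.51.100.2
!
! Verify: the three static entries should appear with "show ip nat translations",
! and "show access-list WAN-IN" should show hit counts climbing on the isakmp
! and esp lines while a client negotiates.
```

If the Contivity still reports "No proposal chosen" with translations and ACL hits present, the fault is on the VPN gateway side (proposal mismatch or, as in this thread, its own routing), not in the router's NAT.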
 