ISAKMP NAT problem (I know it can be done but don't know how)

Discussion in 'Cisco' started by Rogier Mulder, Jan 13, 2005.

  1. I'm setting up an IPSec tunnel between two Cisco routers with a
    SonicWall 2040 in between. One of the routers (1721) is on a private
    network (192.168.16/24) behind the firewall; the other Cisco box is
    somewhere on the Internet.

    The tunnel is set up by the router on the public net and the firewall
    is configured to allow IKE, IPSec and port 5400 both ways. The router
    on the private LAN can be addressed from the outside because the
    firewall provides a one-to-one mapping of a public address to
    192.168.16.3.

    When the router on the Internet sets up a tunnel to my 1721 (the public
    NAT address!), its log shows:

    Jan 13 14:10:55.094: ISAKMP:(0:1764:HW:2): processing ID payload. message ID = 0
    Jan 13 14:10:55.094: ISAKMP (0:268437220): ID payload
    next-payload : 8
    type : 1
    address : 192.168.16.3
    protocol : 17
    port : 0
    length : 12
    Jan 13 14:10:55.094: ISAKMP:(0:1764:HW:2):Expected CORP_Sycada profile doesn't match, aborting exchange

    The router probably expects the public IP address of my private
    router. How can I tell either my router or the other router that
    192.168.16.3 is equivalent to its public IP address?

    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxxxxxx address x.x.x.x
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set Sycada esp-3des esp-md5-hmac
    !
    crypto map Sycada 1 ipsec-isakmp
    description crypto map Sycada
    set peer x.x.x.x
    set transform-set Sycada
    match address 100
    access-list 100 permit ip any 192.168.101.0 0.0.0.255

    rgrds rgr

    Sycada Nederland
     
    Rogier Mulder, Jan 13, 2005
    #1

  2. In article <>,
    Rogier Mulder <> wrote:
    :I'm setting up an IPSec tunnel between two Cisco routers and a
    :SonicWall 2040 in between. One of the routers (1721) is on a private
    :network (192.168.16/24) behind the firewall; the other cisco box is
    :somewhere on the Internet.

    :The tunnel is set up by the router on the public net and the firewall
    :is configured to allow IKE, IPSec and port 5400 both ways.

    Is that '5400' a typo? ISAKMP is UDP 500, and NAT Traversal uses
    UDP 4500.

    :The router probbaly expects the public IP address of my private
    :router. How can I tell either my router or the other router that
    :192.168.16.3 is equivalent to its public IP address?

    Try looking for a way to set the isakmp identity to 'hostname'.

    I have done IPSec through static NAT, but with a PIX.
    --
    Cannot open .signature: Permission denied
     
    Walter Roberson, Jan 13, 2005
    #2
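The log in the first post shows why the exchange aborts: in Main Mode with pre-shared keys the responder's key is found by the packet's source address (the public NAT address), but the ISAKMP profile is matched against the ID payload, and the 1721 puts its real interface address 192.168.16.3 in there (ID type 1). The two IOS configurations below illustrate the two fixes discussed above. They are an added example, not configuration from either poster: the profile name CORP_Sycada comes from the log, `x.x.x.x` is the Internet router's address as in the post, and `y.y.y.y` (the 1721's public NAT address), the hostname `r1721.sycada.example` and everything in the remote profile other than the match lines are assumptions.

```cisco
! Option A: change only the remote (Internet-side) router.
! Keep the pre-shared key bound to the address the packets really come
! from (the 1721's public NAT address, y.y.y.y), but let the profile
! accept the private address that arrives in the ID payload.
crypto isakmp key xxxxxxx address y.y.y.y
!
crypto isakmp profile CORP_Sycada
 match identity address y.y.y.y 255.255.255.255
 match identity address 192.168.16.3 255.255.255.255
!
! Option B: Walter's suggestion. Identify the 1721 by hostname, so the
! ID payload (type 2, FQDN) no longer carries an address NAT rewrites.
! IOS sends hostname.domain-name as the FQDN.
!
! --- On the 1721 (hostname and domain assumed) ---
hostname r1721
ip domain-name sycada.example
crypto isakmp identity hostname
!
! --- On the remote router ---
! The key is now keyed by FQDN; the ip host entry lets the router map
! that name to the 1721's public NAT address when it initiates (DNS
! would do the same job).
ip host r1721.sycada.example y.y.y.y
crypto isakmp key xxxxxxx hostname r1721.sycada.example
!
crypto isakmp profile CORP_Sycada
 match identity host r1721.sycada.example
```

Either way, after the change check with `show crypto isakmp sa` on both ends and, if it still fails, `debug crypto isakmp` on the responder to see which identity and profile are being compared. Also note Walter's point about the firewall: once the remote router sees through the NAT-D payloads that the peer is translated, it moves the exchange and the ESP traffic to UDP 4500, so the SonicWall must pass UDP 500 and UDP 4500 to 192.168.16.3, not 5400.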