06-25-2008 07:43 PM
NATing the destination public IP is needed to avoid routing it in our internal network.
At the same time NATing the source private IP to be a public one to avoid any IP conflict at the other VPN end (PAT cannot be used as it is not applicable by the other party).
To do so we have to use the route based VPN which has 0.0.0.0/0 proxy id by default.
So I have to override it from phase two configuration.
The issue I face here is that I had to override the proxy id with /29 subnet to contain the four IPs but this wasn’t accepted by the other party which has a Cisco gateway and configures the VPN access-lists with
hosts (/32) only (4 access-lists), so in order to match these proxy ids I had to configure four VPNs (or four phase 2) to overcome the proxy id issue and override it to get this VPN working.
Is there any solution for this case other than creating 4 route-based VPNs?
Thanks for any reply in advance
Solved! Go to Solution.
06-25-2008 07:46 PM
i don't know if you missed this answer provided by Stefan and Jerrish on one of the aliases:
You can use one or multiple SA with NATing. The SAs needs to match regardless of NAT or not NAT. If you NAT on a ScreenOS device, then your SA on the far-end third-party gateway must anticipate this and use a different ACL. There is an example on how to do this in the ScreenOS Cookbook in chapter 8.19 "Configuring NAT with Policy Based VPN".
also the link to configure route based VPN on Cisco IOS routers. The proxy-id on the cisco device also defaults to 0/0 with route based VPN http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!