0 Replies Latest reply on Sep 14, 2015 1:48 PM by mikeatcomtech

    Routing Internet Traffic to Remote ISP

    mikeatcomtech New Member

I have a network with 2 sites joined by a VPN, Site 1 and Site 2. Site 1's LAN network is 10.0.2.0/24 and Site 2's LAN is 192.168.168.1. I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a SonicWall 210 and Site 2 is an Adtran 3120.

I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT (with overload) traffic with source 10.0.2.0/24 and destination any. When I ping 8.8.8.8 from Site 1, I can see the traffic route to Site 2 and come in on the Public policy.

      Protocol   Source Address/Port   Destination Address/Port   Nat Address/Port
      ICMP(1)    10.0.2.52             8.8.8.8                    ...

However, I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:

      Any help is greatly appreciated!

      !
      ip crypto
      !
      crypto ike policy 100
        initiate main
        respond anymode
        local-id address 73.x.x.x
        nat-traversal v1 disable
        nat-traversal v2 force
        peer 64.x.x.x
        attribute 1
          encryption aes-256-cbc
          authentication pre-share
          group 2
      !
      crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force
      !
      ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
        mode tunnel
      !
      ip crypto map VPN 10 ipsec-ike
        description TestConnection
        match address ip VPN-10-vpn-selectors
        set peer 64.x.x.x
        set transform-set esp-aes-256-cbc-esp-sha-hmac
        set pfs group2
        ike-policy 100
      !
      interface eth 0/1
        ip address dhcp
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip primary
        no awcp
        no shutdown
        no lldp send-and-receive
      !
      !
      interface vlan 1
        ip address  192.168.168.1  255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        no awcp
      !
      ip access-list standard MATCHALL
      !
      ip access-list extended ADMIN
        permit tcp any  any eq ssh
        permit tcp any  any eq https
        permit icmp any  any
      !
      ip access-list extended LAN
        permit ip 192.168.168.0 0.0.0.255  any  log
        permit ip 10.0.2.0 0.0.0.255  any     log
      !
      ip access-list extended MC
        permit tcp any  any eq 50000
      !
      ip access-list extended MCADMIN
        permit tcp host 73.x.x.x  host 73.133.87.67 eq 3389
        permit tcp host 173.x.x.x  host 73.133.87.67 eq 3389
      !
      ip access-list extended SIP
        permit udp hostname fe-d2c5-7y.coredial.com  any eq 5060
      !
      ip access-list extended VPN-10-vpn-selectors
        permit ip any  10.0.2.0 0.0.0.255
      !
      ip policy-class Private
        allow list MATCHALL self
        nat source list LAN interface eth 0/1 overload
        allow list VPN-10-vpn-selectors stateless
      !
      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors stateless
        allow list ADMIN
        nat destination list MC address 192.168.168.40 port 25565
        nat destination list MCADMIN address 192.168.168.40
      !
      sip
      sip udp 5060
      no sip tcp
      !
      sip proxy
      sip proxy transparent
      !
      sip proxy sip-server primary fe-d2c5-7y.coredial.com
      !
      sip timer d 4000
      sip timer j 4000
      !
      ip rtp quality-monitoring
      ip rtp quality-monitoring sip
      ip rtp quality-monitoring history max-streams 10
      !
      line con 0
        no login
      !
      line telnet 0 4
        login local-userlist
        password password
        no shutdown
      line ssh 0 4
        login local-userlist
        line-timeout 30
        no shutdown
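As an added example (not part of the post and not Adtran's code), a small Python model of how the posted policy classes evaluate a flow. It assumes AOS evaluates a policy class first-match on traffic entering the interface the class is bound to with "ip access-policy", transcribes the posted ACLs and policy classes into data (MCADMIN is left out because its sanitized 73.x.x.x hosts cannot be parsed, and "reverse" only swaps addresses, not ports), and walks the ping from the post, with a constructed source host 10.0.2.52, for each ingress interface.

```python
import ipaddress

# Added example, simplified model of AOS policy-class evaluation (assumption: a
# policy class is evaluated first-match on traffic entering the interface it is
# bound to). ACL entries transcribed from the posted config as (protocol, source,
# destination, dest port), wildcard masks as CIDR; MCADMIN omitted (sanitized hosts).
ACLS = {
    "MATCHALL": [],                                   # standard list, no entries
    "ADMIN": [("tcp", "0.0.0.0/0", "0.0.0.0/0", 22),
              ("tcp", "0.0.0.0/0", "0.0.0.0/0", 443),
              ("icmp", "0.0.0.0/0", "0.0.0.0/0", None)],
    "LAN": [("ip", "192.168.168.0/24", "0.0.0.0/0", None),
            ("ip", "10.0.2.0/24", "0.0.0.0/0", None)],
    "MC": [("tcp", "0.0.0.0/0", "0.0.0.0/0", 50000)],
    "VPN-10-vpn-selectors": [("ip", "0.0.0.0/0", "10.0.2.0/24", None)],
}
# Policy-class entries as (action, acl, reverse), in configured order.
POLICY = {
    "Private": [("allow self", "MATCHALL", False),
                ("nat source eth 0/1 overload", "LAN", False),
                ("allow stateless", "VPN-10-vpn-selectors", False)],
    "Public": [("allow stateless", "VPN-10-vpn-selectors", True),
               ("allow", "ADMIN", False),
               ("nat destination 192.168.168.40:25565", "MC", False)],
}
INTERFACES = {"eth 0/1": "Public", "vlan 1": "Private"}   # from "ip access-policy"

def entry_matches(entry, proto, src, dst, dport):
    e_proto, e_src, e_dst, e_port = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if e_port is not None and e_port != dport:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(e_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(e_dst))

def evaluate(ingress, proto, src, dst, dport=None):
    """First policy-class entry matching a flow that enters `ingress`, or None
    (implicit discard). "reverse" entries swap source and destination addresses
    before matching; ports are not swapped in this simplified model."""
    for action, acl, reverse in POLICY[INTERFACES[ingress]]:
        s, d = (dst, src) if reverse else (src, dst)
        if any(entry_matches(e, proto, s, d, dport) for e in ACLS[acl]):
            return action, acl
    return None

if __name__ == "__main__":
    # The ping from the post (constructed source host): over the VPN on eth 0/1, then on vlan 1.
    print("eth 0/1:", evaluate("eth 0/1", "icmp", "10.0.2.52", "8.8.8.8"))
    print("vlan 1: ", evaluate("vlan 1", "icmp", "10.0.2.52", "8.8.8.8"))
```

The two results show which policy class, and therefore which entry, handles the same source address depending on the interface it arrives on.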