I have a network with 2 sites joined by a VPN, Site 1 and Site 2. Site 1 LAN network is 10.0.2.0/24 and Site 2 LAN is 192.168.168.1. I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a Sonicwall 210 and Site 2 is an Adtran 3120.
I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT with overload traffic with source 10.0.2.0/24 and destination any. When I ping 8.8.8.8 from Site 1, I can see traffic route to Site 2 and come in on the Public policy:
Protocol | Source Address/Port | Destination Address/Port | NAT Address/Port
ICMP(1)  | 10.0.2.52           | 8.8.8.8                  | ...
However I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:
Any help is greatly appreciated!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address 73.x.x.x
nat-traversal v1 disable
nat-traversal v2 force
peer 64.x.x.x
attribute 1
encryption aes-256-cbc
authentication pre-share
group 2
!
crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description TestConnection
match address ip VPN-10-vpn-selectors
set peer 64.x.x.x
set transform-set esp-aes-256-cbc-esp-sha-hmac
set pfs group2
ike-policy 100
!
interface eth 0/1
ip address dhcp
ip access-policy Public
ip crypto map VPN
media-gateway ip primary
no awcp
no shutdown
no lldp send-and-receive
!
!
interface vlan 1
ip address 192.168.168.1 255.255.255.0
ip access-policy Private
media-gateway ip primary
no awcp
!
ip access-list standard MATCHALL
!
ip access-list extended ADMIN
permit tcp any any eq ssh
permit tcp any any eq https
permit icmp any any
!
ip access-list extended LAN
permit ip 192.168.168.0 0.0.0.255 any log
permit ip 10.0.2.0 0.0.0.255 any log
!
ip access-list extended MC
permit tcp any any eq 50000
!
ip access-list extended MCADMIN
permit tcp host 73.x.x.x host 73.133.87.67 eq 3389
permit tcp host 173.x.x.x host 73.133.87.67 eq 3389
!
ip access-list extended SIP
permit udp hostname fe-d2c5-7y.coredial.com any eq 5060
!
ip access-list extended VPN-10-vpn-selectors
permit ip any 10.0.2.0 0.0.0.255
!
ip policy-class Private
allow list MATCHALL self
nat source list LAN interface eth 0/1 overload
allow list VPN-10-vpn-selectors stateless
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
allow list ADMIN
nat destination list MC address 192.168.168.40 port 25565
nat destination list MCADMIN address 192.168.168.40
!
sip
sip udp 5060
no sip tcp
!
sip proxy
sip proxy transparent
!
sip proxy sip-server primary fe-d2c5-7y.coredial.com
!
sip timer d 4000
sip timer j 4000
!
ip rtp quality-monitoring
ip rtp quality-monitoring sip
ip rtp quality-monitoring history max-streams 10
!
line con 0
no login
!
line telnet 0 4
login local-userlist
password password
no shutdown
line ssh 0 4
login local-userlist
line-timeout 30
no shutdown
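As an added illustration (not part of the original post, and not Adtran's code), the following Python models first-match evaluation of the two policy-classes pasted above. It assumes AOS evaluates a packet against the policy-class bound to the interface it arrives on, so decrypted VPN traffic is handled by the Public class on eth 0/1 rather than the Private class where the nat source entry lives; ports are ignored and the tcp-only nat destination entries are omitted.

```python
import ipaddress

# Constructed model of the two policy-classes in the posted config. ACL entries
# are (protocol, source, destination); ports are ignored, and the tcp-only
# "nat destination" entries in Public are omitted since they cannot match ICMP.
ACLS = {
    "MATCHALL": [],  # standard ACL with no entries: matches nothing
    "LAN": [("ip", "192.168.168.0/24", "0.0.0.0/0"),
            ("ip", "10.0.2.0/24", "0.0.0.0/0")],
    "VPN-10-vpn-selectors": [("ip", "0.0.0.0/0", "10.0.2.0/24")],
    "ADMIN": [("tcp", "0.0.0.0/0", "0.0.0.0/0"),
              ("icmp", "0.0.0.0/0", "0.0.0.0/0")],
}

# (action, acl, reverse) in the order they appear in the config; first match wins.
POLICY_CLASSES = {
    "Private": [("allow self", "MATCHALL", False),
                ("nat source", "LAN", False),
                ("allow stateless", "VPN-10-vpn-selectors", False)],
    "Public": [("allow stateless", "VPN-10-vpn-selectors", True),
               ("allow", "ADMIN", False)],
}

# Assumption: a packet is evaluated by the policy-class bound to the interface
# it arrives on, including decrypted IPsec traffic on the crypto-map interface.
INTERFACE_POLICY = {"eth 0/1": "Public", "vlan 1": "Private"}


def acl_matches(acl, proto, src, dst, reverse=False):
    """True if any entry in acl permits the flow; reverse swaps src and dst."""
    s, d = (dst, src) if reverse else (src, dst)
    for aproto, asrc, adst in ACLS[acl]:
        if (aproto in ("ip", proto)
                and s in ipaddress.ip_network(asrc)
                and d in ipaddress.ip_network(adst)):
            return True
    return False


def evaluate(ingress_if, proto, src, dst):
    """Return (policy_class, first matching action) for a packet."""
    pc = INTERFACE_POLICY[ingress_if]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl, reverse in POLICY_CLASSES[pc]:
        if acl_matches(acl, proto, src, dst, reverse):
            return pc, action
    return pc, "implicit deny"
```

Running `evaluate("eth 0/1", "icmp", "10.0.2.52", "8.8.8.8")` returns the Public class's stateless allow, so the packet is forwarded without ever reaching a nat source entry; the same packet on vlan 1 would hit Private's nat source list LAN.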