mikeatcomtech
New Contributor

Routing Internet Traffic to Remote ISP

I have a network with 2 sites joined by a VPN, Site 1 and Site 2. Site 1 LAN network is 10.0.2.0/24 and Site 2 LAN is 192.168.168.1. I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a Sonicwall 210 and Site 2 is an Adtran 3120.

I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT with overload traffic with source 10.0.2.0/24 destination any. When I ping 8.8.8.8 from Site 1, I can see traffic route to Site 2 and come in the Public policy.

Protocol   Source Address/Port   Destination Address/Port   NAT Address/Port
ICMP(1)    10.0.2.52             8.8.8.8                    ...

However I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:

Any help is greatly appreciated!

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 73.x.x.x
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 64.x.x.x
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 2
!
crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description TestConnection
  match address ip VPN-10-vpn-selectors
  set peer 64.x.x.x
  set transform-set esp-aes-256-cbc-esp-sha-hmac
  set pfs group2
  ike-policy 100
!
interface eth 0/1
  ip address dhcp
  ip access-policy Public
  ip crypto map VPN
  media-gateway ip primary
  no awcp
  no shutdown
  no lldp send-and-receive
!
!
interface vlan 1
  ip address  192.168.168.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no awcp
!
ip access-list standard MATCHALL
!
ip access-list extended ADMIN
  permit tcp any  any eq ssh
  permit tcp any  any eq https
  permit icmp any  any
!
ip access-list extended LAN
  permit ip 192.168.168.0 0.0.0.255  any  log
  permit ip 10.0.2.0 0.0.0.255  any     log
!
ip access-list extended MC
  permit tcp any  any eq 50000
!
ip access-list extended MCADMIN
  permit tcp host 73.x.x.x  host 73.133.87.67 eq 3389
  permit tcp host 173.x.x.x  host 73.133.87.67 eq 3389
!
ip access-list extended SIP
  permit udp hostname fe-d2c5-7y.coredial.com  any eq 5060
!
ip access-list extended VPN-10-vpn-selectors
  permit ip any  10.0.2.0 0.0.0.255
!
ip policy-class Private
  allow list MATCHALL self
  nat source list LAN interface eth 0/1 overload
  allow list VPN-10-vpn-selectors stateless
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list ADMIN
  nat destination list MC address 192.168.168.40 port 25565
  nat destination list MCADMIN address 192.168.168.40
!
sip
sip udp 5060
no sip tcp
!
sip proxy
sip proxy transparent
!
sip proxy sip-server primary fe-d2c5-7y.coredial.com
!
sip timer d 4000
sip timer j 4000
!
ip rtp quality-monitoring
ip rtp quality-monitoring sip
ip rtp quality-monitoring history max-streams 10
!
line con 0
  no login
!
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  line-timeout 30
  no shutdown
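The following is an added example, not part of the post above and not Adtran's own code: a simplified first-match model of policy-class evaluation, loaded with the two policy-classes and the ACLs from the posted config, that shows which entry decides the Site 1 ping. It assumes (these are assumptions about AOS behaviour, not vendor documentation) that entries are tried top-down against the access-policy of the interface the packet enters, that the first ACL hit decides, that "allow reverse" compares the packet with the ACL's source and destination swapped, and that only IPv4 addresses, protocol and ports matter. The hosts 198.51.100.1 and 198.51.100.2 are placeholders for the sanitized 73.x.x.x and 173.x.x.x addresses in MCADMIN.

```python
"""Simplified first-match model of AOS policy-class evaluation (added example).

Assumptions, not taken from Adtran documentation: entries are tried top-down
for traffic entering an interface that carries the access-policy, the first
ACL hit decides the action, "allow reverse" swaps the packet's ends before
matching, and only IPv4 addresses, protocol and ports are modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")


def net(cidr: str) -> IPv4Network:
    return IPv4Network(cidr)


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended ACL (wildcard masks converted to CIDR)."""
    proto: str                      # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None     # None: any destination port

    def matches(self, proto, src, dst, sport, dport, reverse=False):
        if reverse:                 # "allow reverse list": swap the packet's ends
            src, dst, dport = dst, src, sport
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst


# ACLs from the posted config. 198.51.100.1 / 198.51.100.2 are placeholders
# (constructed) for the sanitized 73.x.x.x / 173.x.x.x hosts in MCADMIN.
ACLS = {
    "MATCHALL": [],                 # posted empty, so it matches nothing here
    "ADMIN": [Ace("tcp", ANY, ANY, 22), Ace("tcp", ANY, ANY, 443), Ace("icmp", ANY, ANY)],
    "LAN": [Ace("ip", net("192.168.168.0/24"), ANY), Ace("ip", net("10.0.2.0/24"), ANY)],
    "MC": [Ace("tcp", ANY, ANY, 50000)],
    "MCADMIN": [Ace("tcp", net("198.51.100.1/32"), net("73.133.87.67/32"), 3389),
                Ace("tcp", net("198.51.100.2/32"), net("73.133.87.67/32"), 3389)],
    "VPN-10-vpn-selectors": [Ace("ip", ANY, net("10.0.2.0/24"))],
}

# Policy-classes in posted order: (action, acl name, reverse?)
POLICY = {
    "Private": [
        ("allow self", "MATCHALL", False),
        ("nat source interface eth 0/1 overload", "LAN", False),
        ("allow stateless", "VPN-10-vpn-selectors", False),
    ],
    "Public": [
        ("allow reverse stateless", "VPN-10-vpn-selectors", True),
        ("allow", "ADMIN", False),
        ("nat destination 192.168.168.40 port 25565", "MC", False),
        ("nat destination 192.168.168.40", "MCADMIN", False),
    ],
}


def evaluate(policy, proto, src, dst, sport=None, dport=None):
    """Return (action, acl) of the first matching entry, or the implicit discard."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, acl, reverse in POLICY[policy]:
        for ace in ACLS[acl]:
            if ace.matches(proto, s, d, sport, dport, reverse):
                return action, acl
    return "discard (implicit)", None


def trace_ping_from_site1(src="10.0.2.52", dst="8.8.8.8"):
    """The ICMP flow from the post's session table, checked against both classes."""
    return {pc: evaluate(pc, "icmp", src, dst) for pc in ("Public", "Private")}


if __name__ == "__main__":
    for pc, (action, acl) in trace_ping_from_site1().items():
        print(f"{pc:8} -> {action} (list {acl})")
```

Run as a script, the model reports that the ping entering on eth 0/1 (the Public class) is decided by the reverse VPN-selector allow before any NAT entry is reached, while the Private class, which only applies to traffic entering vlan 1, is the one holding the nat source entry that would have matched 10.0.2.0/24. That is consistent with the session table in the post, where the flow appears under Public with no NAT address, and it gives a quick way to re-check the order of entries after any change to the policy-classes.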
