    Routing Internet Traffic to Remote ISP

    mikeatcomtech New Member

      I have a network with 2 sites joined by a VPN, Site 1 and Site 2. Site 1 LAN network is and Site 2 LAN is I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a Sonicwall 210 and Site 2 is an Adtran 3120.


      I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT with overload traffic with source destination any. When I ping from Site 1 I can see traffic route to Site 2 and come in the Public policy.


      Protocol | Source Address/Port | Destination Address/Port | NAT Address/Port


      However I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:


      Any help is greatly appreciated!



      ip crypto

      crypto ike policy 100
        initiate main
        respond anymode
        local-id address 73.x.x.x
        nat-traversal v1 disable
        nat-traversal v2 force
        peer 64.x.x.x
        attribute 1
          encryption aes-256-cbc
          authentication pre-share
          group 2

      crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force

      ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
        mode tunnel

      ip crypto map VPN 10 ipsec-ike
        description TestConnection
        match address ip VPN-10-vpn-selectors
        set peer 64.x.x.x
        set transform-set esp-aes-256-cbc-esp-sha-hmac
        set pfs group2
        ike-policy 100

      interface eth 0/1
        ip address dhcp
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip primary
        no awcp
        no shutdown
        no lldp send-and-receive

      interface vlan 1
        ip address
        ip access-policy Private
        media-gateway ip primary
        no awcp

      ip access-list standard MATCHALL

      ip access-list extended ADMIN
        permit tcp any  any eq ssh
        permit tcp any  any eq https
        permit icmp any  any

      ip access-list extended LAN
        permit ip  any  log
        permit ip  any     log

      ip access-list extended MC
        permit tcp any  any eq 50000

      ip access-list extended MCADMIN
        permit tcp host 73.x.x.x  host eq 3389
        permit tcp host 173.x.x.x  host eq 3389

      ip access-list extended SIP
        permit udp hostname fe-d2c5-7y.coredial.com  any eq 5060

      ip access-list extended VPN-10-vpn-selectors
        permit ip any

      ip policy-class Private
        allow list MATCHALL self
        nat source list LAN interface eth 0/1 overload
        allow list VPN-10-vpn-selectors stateless

      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors stateless
        allow list ADMIN
        nat destination list MC address port 25565
        nat destination list MCADMIN address

      sip udp 5060
      no sip tcp

      sip proxy
      sip proxy transparent

      sip proxy sip-server primary fe-d2c5-7y.coredial.com

      sip timer d 4000
      sip timer j 4000

      ip rtp quality-monitoring
      ip rtp quality-monitoring sip
      ip rtp quality-monitoring history max-streams 10

      line con 0
        no login

      line telnet 0 4
        login local-userlist
        password password
        no shutdown

      line ssh 0 4
        login local-userlist
        line-timeout 30
        no shutdown
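Added illustration, not from the post or from AdTran: a short Python walk of the AOS policy-class logic the question turns on (the ip access-policy on the ingress interface selects the policy class, entries are tried top-down, and an allow reverse entry matches the selector ACL with source and destination swapped). The subnets 192.0.2.0/24 and 198.51.100.0/24 are placeholders for the sanitised Site 1 and Site 2 LANs, and the config is a constructed cut-down of the one above.

```python
import ipaddress

# Constructed AOS-style config shaped like the post's. 192.0.2.0/24 stands in for the
# Site 1 LAN, 198.51.100.0/24 for the Site 2 LAN: documentation placeholders, not real.
SAMPLE_CONFIG = """interface eth 0/1
  ip access-policy Public
interface vlan 1
  ip access-policy Private
ip access-list extended LAN
  permit ip 198.51.100.0 0.0.0.255 any
ip access-list extended VPN-10-vpn-selectors
  permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
ip policy-class Private
  nat source list LAN interface eth 0/1 overload
  allow list VPN-10-vpn-selectors stateless
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless"""

def _endpoint(tok, i):  # 'any' or 'A wildcard-mask' at tok[i] -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # wildcard = hostmask

def parse(cfg):  # -> interface->policy-class, acl->[(src, dst)], policy-class->[entries]
    ifaces, acls, policies, cur = {}, {}, {}, ("none", "")
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = ("if", " ".join(tok[1:]))
        elif tok[:2] == ["ip", "access-list"]:
            cur = ("acl", tok[3]); acls[tok[3]] = []
        elif tok[:2] == ["ip", "policy-class"]:
            cur = ("pol", tok[2]); policies[tok[2]] = []
        elif cur[0] == "if" and tok[:2] == ["ip", "access-policy"]:
            ifaces[cur[1]] = tok[2]
        elif cur[0] == "acl" and tok[0] == "permit":
            src, i = _endpoint(tok, 2)
            acls[cur[1]].append((src, _endpoint(tok, i)[0]))
        elif cur[0] == "pol":
            policies[cur[1]].append(line.strip())
    return ifaces, acls, policies

def first_match(cfg, ingress, src, dst):  # entry the packet hits; None = implicit discard
    ifaces, acls, policies = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in policies[ifaces[ingress]]:  # top-down, first match wins
        tok = entry.split()
        name = tok[tok.index("list") + 1]
        s, d = (dst, src) if "reverse" in tok else (src, dst)  # reverse swaps direction
        if any(s in a and d in b for a, b in acls[name]):
            return entry
    return None
```

Run against the placeholders, a Site 1 packet arriving over the tunnel on eth 0/1 is evaluated only against Public, so the nat source entry in Private is never consulted for it, which matches what the post observes.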