
Routing Internet Traffic to Remote ISP

I have a network with two sites joined by a VPN, Site 1 and Site 2. Site 1's LAN network is and Site 2's LAN is . I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a SonicWall 210 and Site 2 is an Adtran 3120.

I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT (overload) traffic with source  destination any. When I ping from Site 1 I can see the traffic route to Site 2 and come in on the Public policy.

Protocol | Source Address/Port | Destination Address/Port | NAT Address/Port

However, I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:

Any help is greatly appreciated!


! IKE phase 1 to the Site 1 peer (64.x.x.x), NAT-T v2 forced
ip crypto
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 73.x.x.x
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 64.x.x.x
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 2
crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force
!
! Phase 2: crypto map VPN, selectors taken from ACL VPN-10-vpn-selectors, PFS group 2
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
  mode tunnel
ip crypto map VPN 10 ipsec-ike
  description TestConnection
  match address ip VPN-10-vpn-selectors
  set peer 64.x.x.x
  set transform-set esp-aes-256-cbc-esp-sha-hmac
  set pfs group2
  ike-policy 100
!
! WAN: DHCP address, policy-class Public, crypto map VPN applied here
interface eth 0/1
  ip address dhcp
  ip access-policy Public
  ip crypto map VPN
  media-gateway ip primary
  no awcp
  no shutdown
  no lldp send-and-receive
!
! LAN: policy-class Private (address sanitized)
interface vlan 1
  ip address
  ip access-policy Private
  media-gateway ip primary
  no awcp
!
! ACLs (sanitized addresses elided)
ip access-list standard MATCHALL
ip access-list extended ADMIN
  permit tcp any any eq ssh
  permit tcp any any eq https
  permit icmp any any
ip access-list extended LAN
  permit ip  any log
  permit ip  any log
ip access-list extended MC
  permit tcp any any eq 50000
ip access-list extended MCADMIN
  permit tcp host 73.x.x.x host  eq 3389
  permit tcp host 173.x.x.x host  eq 3389
ip access-list extended SIP
  permit udp hostname  any eq 5060
ip access-list extended VPN-10-vpn-selectors
  permit ip any
!
! Policy classes, applied on ingress: Private on vlan 1, Public on eth 0/1
ip policy-class Private
  allow list MATCHALL self
  nat source list LAN interface eth 0/1 overload
  allow list VPN-10-vpn-selectors stateless
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list ADMIN
  nat destination list MC address  port 25565
  nat destination list MCADMIN address
!
! SIP ALG / proxy and RTP monitoring
sip udp 5060
no sip tcp
sip proxy
sip proxy transparent
sip proxy sip-server primary
sip timer d 4000
sip timer j 4000
ip rtp quality-monitoring
ip rtp quality-monitoring sip
ip rtp quality-monitoring history max-streams 10
!
! Management lines: console without login; telnet and SSH both enabled, authenticated against the local user list
line con 0
  no login
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  line-timeout 30
  no shutdown
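The question above turns on which entry in the Public policy-class a packet from the Site 1 LAN hits when it arrives over the VPN on eth 0/1 and is headed back out to the Internet. The following is an added example, not code from the post or from ADTRAN: a small Python model of AOS policy-class evaluation (entries tested top-down, first match decides; `allow reverse list` tests the ACL with the packet's source and destination swapped; `nat source ... interface eth 0/1 overload` rewrites the source to that interface's address). The networks, the eth 0/1 address, the internal host behind the MC port forward and the ACL named SITE1-TO-INET are all assumptions; the sanitized fields of the posted ACLs are filled with RFC 5737 placeholders only inside this constructed copy. It evaluates the Public class as posted and a variant with a source-NAT entry for Site 1 traffic placed ahead of the stateless allow.

```python
"""First-match model of ADTRAN AOS policy-class evaluation.

Added example, not code from the post or from ADTRAN. Modelled behaviours:
policy-class entries are tested top-down and the first match decides;
"allow reverse list" tests the ACL with source and destination swapped;
"nat source ... interface eth 0/1 overload" rewrites the source address.
All addresses are RFC 5737 placeholders; the ACL SITE1-TO-INET is hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
SITE1_LAN = ip_network("192.0.2.0/24")     # assumed Site 1 LAN
SITE2_HOST = "198.51.100.25"               # assumed internal host behind "nat destination list MC"
ETH0_1_ADDR = "203.0.113.10"               # assumed DHCP address of eth 0/1 (Site 2 WAN)


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class PolicyEntry:
    kind: str              # "allow", "nat-source" or "nat-destination"
    acl: str
    reverse: bool = False
    nat_addr: Optional[str] = None


# Constructed from the posted ACLs; sanitized fields replaced with placeholders.
ACLS = {
    # posted as "permit ip <elided> any"; assumed here to select any local -> Site 1 LAN
    "VPN-10-vpn-selectors": [AclEntry("permit", "ip", ANY, SITE1_LAN)],
    "ADMIN": [AclEntry("permit", "tcp", ANY, ANY, 22),
              AclEntry("permit", "tcp", ANY, ANY, 443),
              AclEntry("permit", "icmp", ANY, ANY)],
    "MC": [AclEntry("permit", "tcp", ANY, ANY, 50000)],
    "SITE1-TO-INET": [AclEntry("permit", "ip", SITE1_LAN, ANY)],   # hypothetical ACL
}


def acl_permits(name: str, pkt: Packet, reverse: bool = False) -> bool:
    """First matching ACL entry decides; no match is an implicit deny."""
    src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
    for e in ACLS[name]:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ip_address(src) not in e.src or ip_address(dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def evaluate(policy, pkt: Packet):
    """Return (action, matched ACL name, resulting source address) for the first hit."""
    for entry in policy:
        if acl_permits(entry.acl, pkt, entry.reverse):
            new_src = entry.nat_addr if entry.kind == "nat-source" else pkt.src
            return entry.kind, entry.acl, new_src
    return "discard", None, None       # implicit discard at the end of a policy-class


# Public policy-class as posted (the MCADMIN nat destination is omitted: its hosts are sanitized).
PUBLIC_AS_POSTED = [
    PolicyEntry("allow", "VPN-10-vpn-selectors", reverse=True),
    PolicyEntry("allow", "ADMIN"),
    PolicyEntry("nat-destination", "MC", nat_addr=SITE2_HOST),
]

# Variant: a source-NAT entry for Site 1 traffic placed ahead of the stateless allow.
PUBLIC_WITH_NAT = [PolicyEntry("nat-source", "SITE1-TO-INET", nat_addr=ETH0_1_ADDR)] + PUBLIC_AS_POSTED


def main() -> None:
    pkt = Packet("icmp", "192.0.2.10", "203.0.113.77")   # Site 1 host pinging an Internet host
    for label, policy in (("as posted", PUBLIC_AS_POSTED), ("nat source first", PUBLIC_WITH_NAT)):
        print(f"Public {label}: {evaluate(policy, pkt)}")


if __name__ == "__main__":
    main()
```

Running it prints the entry that wins for the Site 1 ping in each variant: with the class as posted the packet is matched by the reversed VPN selector ACL and allowed with its private source intact, whereas with the assumed `nat source` entry placed first it leaves with the eth 0/1 address as its source. Inbound SSH to the WAN address and the port 50000 forward still resolve to ADMIN and MC respectively in both variants, so the order change does not disturb the existing entries.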
