From: Simon Baxter (Simon.Baxter@xxxxxxxxxxxxxx)
Date: Sun Feb 11 2001 - 23:35:42 GMT-3
yeah!
But can this NAT and IPSec be done on the same box? I've seen several
examples where one box will do the NAT, then an adjacent box do the tunnel.
I want to know if the IOS will allow pre-natting addresses before IPSec
tunnelling - on the same box...
cheers,
Simon
-----Original Message-----
From: James Zhou [mailto:zhoucm@holybridge.com.cn]
Sent: Sunday, February 11, 2001 10:26 PM
To: Simon Baxter
Subject: Re: IPSec + Nat
I think from A's view, the data flow should be: unregistered
IP --- NAT --- public IP --- IPSec tunnel --- public network --- B. This way you can
avoid the problem you met with.
Hope this can help.
----- Original Message -----
From: "Simon Baxter" <Simon.Baxter@au.logical.com>
To: "CCIE Group Study (E-mail)" <ccielab@groupstudy.com>
Sent: Sunday, February 11, 2001 12:57 PM
Subject: IPSec + Nat
> I've read the "order of processing" information from CCO - before anyone
> sends me it again....
>
> Is this possible?
>
> Company A has a network 10.0.0.0 with a connection to the internet.
>
> Company B has a network that comprises of totally registered internet
> addresses.
>
> Company A and B decide to connect to each other via an IPSec tunnel.
>
> Company B selects a backbone router that will terminate the IPSec tunnel.
>
>
> Company A wishes to both
> 1) Nat their private address range onto a public range
> 2) Terminate an IPSec tunnel to company B
>
> NOTE: On the SAME router...
>
>
>
> I've done multiple NAT + IPSec tunnels where both sides are natting and
> IPSecing. Basically you define interesting traffic for encryption and
> interesting traffic for NATing
> something like this :
> !
> crypto map blobby
>  match address 101
> !
> ip nat inside source route-map natter pool wolly
> !
> route-map natter permit 10
>  match ip address 102
> !
> access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
> !
> access-list 102 permit ip 11.0.0.0 0.255.255.255 21.0.0.0 0.255.255.255
>
> But this example is natting some stuff and VPN tunnelling other stuff.
>
> I want to know how to tunnel translated traffic when one box is doing the
> tunneling and translating....
>
>
>
> ???
>
> Simon
>
>
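The flow James describes (unregistered IP, NAT, public IP, IPSec tunnel) on a single router, as an added example that is not part of the original thread: on the inside-to-outside path IOS translates before it checks the crypto map, so the crypto ACL has to match the post-NAT source. All addresses (documentation ranges), the interface names, the transform-set name and the key are constructed placeholders; the map, pool, route-map and ACL names reuse those from Simon's sketch.

```cisco
! Constructed values, not from the thread:
!   Company A inside   10.0.0.0/8
!   NAT pool (public)  192.0.2.1 - 192.0.2.254
!   Company B network  198.51.100.0/24
!   Company B peer     203.0.113.2
!
! ACL 102: traffic to translate, matched on the PRE-NAT (private) source
access-list 102 permit ip 10.0.0.0 0.255.255.255 198.51.100.0 0.0.0.255
!
route-map natter permit 10
 match ip address 102
!
ip nat pool wolly 192.0.2.1 192.0.2.254 netmask 255.255.255.0
ip nat inside source route-map natter pool wolly
!
! ACL 101: traffic to encrypt, matched on the POST-NAT (public) source,
! because the packet has already been translated when the crypto map is checked
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-KEY address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map blobby 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
interface Ethernet0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map blobby
```

Company B's crypto ACL must mirror ACL 101 (its network to 192.0.2.0/24), and B needs a route for the pool range pointing at the tunnel peer; a crypto ACL written against 10.0.0.0/8 would never match on this router and the translated traffic would leave unencrypted.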