From: John Kaberna (jkaberna@xxxxxxxxxxxx)
Date: Sun Feb 11 2001 - 22:48:40 GMT-3
I run IPSEC and NAT on my home router. It NATs all Internet traffic and
encrypts any traffic destined for one of my client's networks. Here is the
relevant config. This tunnel is no longer active but I did leave the config
on there. The only thing missing is the crypto map statement on the FA0/0
interface. See if this helps.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key 708adkj1345owi address 63.95.73.4
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set netcg esp-3des esp-sha-hmac
!
! Crypto map: encrypt whatever ACL 101 matches. It is not applied to
! FastEthernet0/0 in this config, which is why the tunnel is down.
crypto map netcg 10 ipsec-isakmp
 set peer 63.95.73.4
 set transform-set netcg
 match address 101
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/0
 description DSL line
 ip address 64.171.176.146 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
!
! Inside-to-outside NAT is gated by route-map nonat1 (ACL 100). Traffic to
! the client network 10.100.96.0/19 is denied by ACL 100, i.e. exempted from
! translation, so it reaches the crypto map with its private source address
! and matches ACL 101. Everything else is overloaded onto FastEthernet0/0.
ip nat inside source route-map nonat1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 64.171.176.145
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.100.96.0 0.0.31.255
access-list 100 permit ip any any
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.100.96.0 0.0.31.255
route-map nonat1 permit 10
 match ip address 100
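To see why the deny line in ACL 100 matters, here is an added model (not part of John's post or any Cisco code) of how IOS evaluates the posted config for inside-to-outside traffic: wildcard-mask ACL matching, the NAT route-map, then the crypto-map match. It assumes the documented IOS inside-to-outside order, in which NAT runs before the crypto-map check, and it also tries the two hypothetical variants behind Simon's question, NAT with no exemption and a crypto ACL written against the translated address.

```python
import ipaddress

# Constructed model of the posted config (not John's code): wildcard ACLs,
# the NAT route-map and the crypto-map match, in IOS evaluation order.
OUTSIDE_IP = "64.171.176.146"   # FastEthernet0/0, the NAT overload address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means don't care."""
    a, b = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

# Entries are (action, src, src_wildcard, dst, dst_wildcard), top to bottom.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [  # route-map nonat1: deny = leave untranslated
    ("deny",   "10.1.1.0", "0.0.0.255", "10.100.96.0", "0.0.31.255"),
    ("permit", *ANY, *ANY),
]
ACL_101 = [  # crypto map netcg: matches the private (pre-NAT) addresses
    ("permit", "10.1.1.0", "0.0.0.255", "10.100.96.0", "0.0.31.255"),
]
# Hypothetical variants for Simon's question: translate everything, and a
# crypto ACL that matches the already-translated source instead.
ACL_100_NO_EXEMPT = ACL_100[1:]
ACL_101_POST_NAT = [("permit", OUTSIDE_IP, "0.0.0.0", "10.100.96.0", "0.0.31.255")]

def acl_permits(acl, src, dst):
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False   # implicit deny at the end of every IOS ACL

def inside_to_outside(src, dst, nat_acl=ACL_100, crypto_acl=ACL_101):
    """Inside-to-outside in IOS: NAT runs before the crypto-map check,
    so the crypto ACL is evaluated against the post-NAT source address."""
    translated = acl_permits(nat_acl, src, dst)
    wire_src = OUTSIDE_IP if translated else src
    encrypted = acl_permits(crypto_acl, wire_src, dst)
    return wire_src, translated, encrypted

if __name__ == "__main__":
    for dst in ("10.100.100.7", "198.51.100.9"):   # client net vs. plain Internet
        print(dst, inside_to_outside("10.1.1.5", dst))
```

With the exemption removed but ACL 101 left as posted, client-bound traffic is translated and then misses the crypto ACL, so it leaves the DSL interface in the clear; matching the translated source in the crypto ACL (the ACL_101_POST_NAT variant) is what makes "NAT then IPsec on the same box" work.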
----- Original Message -----
From: Simon Baxter <Simon.Baxter@au.logical.com>
To: James Zhou <zhoucm@holybridge.com.cn>
Cc: CCIE Group Study (E-mail) <ccielab@groupstudy.com>
Sent: Sunday, February 11, 2001 6:35 PM
Subject: RE: IPSec + Nat
> yeah!
>
> But can this NAT and IPSec be done on the same box? I've seen several
> examples where one box will do the NAT, then an adjacent box do the tunnel.
> I want to know if the IOS will allow pre-natting addresses before IPSec
> tunnelling - on the same box...
>
> cheers,
>
> Simon
>
> -----Original Message-----
> From: James Zhou [mailto:zhoucm@holybridge.com.cn]
> Sent: Sunday, February 11, 2001 10:26 PM
> To: Simon Baxter
> Subject: Re: IPSec + Nat
>
>
> I think from A's view, the data flow should be: unregistered
> ip---nat---public ip---ip sec tunnel---public network---B, this way you can
> avoid the problem you met with.
>
> Hope this can help.
>
>
> ----- Original Message -----
> From: "Simon Baxter" <Simon.Baxter@au.logical.com>
> To: "CCIE Group Study (E-mail)" <ccielab@groupstudy.com>
> Sent: Sunday, February 11, 2001 12:57 PM
> Subject: IPSec + Nat
>
>
> > I've read the "order of processing" information from CCO - before anyone
> > sends me it again....
> >
> > Is this possible?
> >
> > Company A has a network 10.0.0.0 with a connection to the internet.
> >
> > Company B has a network that comprises totally registered internet
> > addresses.
> >
> > Company A and B decide to connect to each other via an IPSec tunnel.
> >
> > Company B selects a backbone router that will terminate the IPSec tunnel.
> >
> >
> > Company A wishes to both
> > 1) Nat their private address range onto a public range
> > 2) Terminate an IPSec tunnel to company B
> >
> > NOTE: On the SAME router...
> >
> >
> >
> > I've done multiple NAT + IPSec tunnels where both sides are natting and
> > IPSecing. Basically you define interesting traffic for encryption and
> > interesting traffic for NATing
> > something like this :
> > !
> > crypto map blobby 10 ipsec-isakmp
> >  match address 101
> > !
> > ip nat inside source route-map natter pool wolly
> > !
> > route-map natter permit 10
> >  match ip address 102
> > !
> > access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
> > !
> > access-list 102 permit ip 11.0.0.0 0.255.255.255 21.0.0.0 0.255.255.255
> >
> > But this example is natting some stuff and VPN tunnelling other stuff.
> >
> > I want to know how to tunnel translated traffic when one box is doing the
> > tunneling and translating....
> >
> >
> >
> > ???
> >
> > Simon
> >
> >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:45 GMT-3