From: Simon Baxter (Simon.Baxter@xxxxxxxxxxxxxx)
Date: Mon Feb 12 2001 - 02:03:36 GMT-3
Ok. Tried it. No drama.
I natted an inside address to an outside interface that had a crypto map on
it. Worked a charm!!
-----Original Message-----
From: John Kaberna [mailto:jkaberna@netcginc.com]
Sent: Monday, February 12, 2001 1:31 PM
To: Simon Baxter; James Zhou
Cc: CCIE Group Study (E-mail)
Subject: Re: IPSec + Nat
Oh yeah I see what you mean now. It really depends on which order the
router processes the packets. I used to have a list from Cisco that
outlined what the order is. I don't think I'm saying it right so hopefully
someone else knows what I mean and can clarify. But I'm pretty sure that it
does NAT translations before IPSec. Then you would only need to change your
IPSec ACL to encrypt the new NAT'd address. If you have access to the
equipment I would suggest giving it a try.
----- Original Message -----
From: Simon Baxter <Simon.Baxter@au.logical.com>
To: John Kaberna <jkaberna@netcginc.com>; James Zhou
<zhoucm@holybridge.com.cn>
Cc: CCIE Group Study (E-mail) <ccielab@groupstudy.com>
Sent: Sunday, February 11, 2001 8:15 PM
Subject: RE: IPSec + Nat
> Cheers, but I was looking for a way to IPSec natted traffic - not pick and
> choose between traffic and selectively nat or tunnel....
>
> Simon
>
> -----Original Message-----
> From: John Kaberna [mailto:jkaberna@netcginc.com]
> Sent: Monday, February 12, 2001 11:49 AM
> To: Simon Baxter; James Zhou
> Cc: CCIE Group Study (E-mail)
> Subject: Re: IPSec + Nat
>
>
> I run IPSEC and NAT on my home router. It NAT's all Internet traffic and
> encrypts any traffic destined for one of my clients networks. Here is the
> relevant config. This tunnel is no longer active but I did leave the config
> on there. The only thing missing is the crypto map statement on the FA0/0
> interface. See if this helps.
>
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> crypto isakmp key 708adkj1345owi address 63.95.73.4
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set netcg esp-3des esp-sha-hmac
> !
> !
> crypto map netcg 10 ipsec-isakmp
> set peer 63.95.73.4
> set transform-set netcg
> match address 101
> !
> interface Loopback0
> ip address 172.16.0.1 255.255.255.0
> no ip directed-broadcast
> !
> interface FastEthernet0/0
> description DSL line
> ip address 64.171.176.146 255.255.255.248
> no ip directed-broadcast
> ip nat outside
> no ip route-cache
> no ip mroute-cache
> duplex auto
> speed auto
>
> interface FastEthernet0/1
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> no ip mroute-cache
> duplex auto
> speed auto
>
> ip nat inside source route-map nonat1 interface FastEthernet0/0 overload
> ip route 0.0.0.0 0.0.0.0 64.171.176.145
>
> access-list 100 deny ip 10.1.1.0 0.0.0.255 10.100.96.0 0.0.31.255
> access-list 100 permit ip any any
> access-list 101 permit ip 10.1.1.0 0.0.0.255 10.100.96.0 0.0.31.255
> route-map nonat1 permit 10
> match ip address 100
>
> ----- Original Message -----
> From: Simon Baxter <Simon.Baxter@au.logical.com>
> To: James Zhou <zhoucm@holybridge.com.cn>
> Cc: CCIE Group Study (E-mail) <ccielab@groupstudy.com>
> Sent: Sunday, February 11, 2001 6:35 PM
> Subject: RE: IPSec + Nat
>
>
> > yeah!
> >
> > But can this NAT and IPSec be done on the same box? I've seen several
> > examples where one box will do the NAT, then an adjacent box do the tunnel.
> > I want to know if the IOS will allow pre-natting addresses before IPSec
> > tunnelling - on the same box...
> >
> > cheers,
> >
> > Simon
> >
> > -----Original Message-----
> > From: James Zhou [mailto:zhoucm@holybridge.com.cn]
> > Sent: Sunday, February 11, 2001 10:26 PM
> > To: Simon Baxter
> > Subject: Re: IPSec + Nat
> >
> >
> > I think from A's view, the data flow should be: unregistered
> > ip---nat---public ip--- ip sec tunnel--- public network---B, this way you can
> > avoid the problem you met with.
> >
> > Hope this can help.
> >
> >
> > ----- Original Message -----
> > From: "Simon Baxter" <Simon.Baxter@au.logical.com>
> > To: "CCIE Group Study (E-mail)" <ccielab@groupstudy.com>
> > Sent: Sunday, February 11, 2001 12:57 PM
> > Subject: IPSec + Nat
> >
> >
> > > I've read the "order of processing" information from CCO - before anyone
> > > sends me it again....
> > >
> > > Is this possible?
> > >
> > > Company A has a network 10.0.0.0 with a connection to the internet.
> > >
> > > Company B has a network that comprises totally registered internet
> > > addresses.
> > >
> > > Company A and B decide to connect to each other via an IPSec tunnel.
> > >
> > > Company B selects a backbone router that will terminate the IPSec tunnel.
> > >
> > >
> > > Company A wishes to both
> > > 1) Nat their private address range onto a public range
> > > 2) Terminate an IPSec tunnel to company B
> > >
> > > NOTE: On the SAME router...
> > >
> > >
> > >
> > > I've done multiple NAT + IPSec tunnels where both sides are natting and
> > > IPSecing. Basically you define interesting traffic for encryption and
> > > interesting traffic for NATing
> > > something like this :
> > > !
> > > crypto map blobby
> > > match ip add 101
> > > !
> > > ip nat in so route-map natter pool wolly
> > > !
> > > route-map natter perm 10
> > > match ip add 102
> > > !
> > > acl 101 per ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
> > > !
> > > acl 102 per ip 11.0.0.0 0.255.255.255 21.0.0.0 0.255.255.255
> > >
> > > But this example is natting some stuff and VPN tunnelling other stuff.
> > >
> > > I want to know how to tunnel translated traffic when one box is doing the
> > > tunneling and translating....
> > >
> > >
> > >
> > > ???
> > >
> > > Simon
> > >
> > >
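The order-of-operations point the thread settles on (on the inside-to-outside path the router translates first, then the crypto map's "match address" ACL sees the translated packet), as an added Python model that is not code from the thread: it evaluates John's ACL 100 / route-map NAT exemption and crypto ACL 101 from the posted config against sample packets (the 10.100.100.7 and 198.51.100.9 destinations are constructed), then shows Simon's case where everything is translated onto the outside address and the crypto ACL therefore has to match the translated source.

```python
import ipaddress

# Outside interface from John's config (FastEthernet0/0); "ip nat inside source
# ... interface FastEthernet0/0 overload" translates to this address.
OUTSIDE_IP = "64.171.176.146"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """Evaluate (action, src, src_wc, dst, dst_wc) entries in order; implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 100 (used by route-map nonat1): deny tunnel traffic, permit the rest
ACL_100 = [("deny", "10.1.1.0", "0.0.0.255", "10.100.96.0", "0.0.31.255"),
           ("permit", *ANY, *ANY)]
# access-list 101 (crypto map netcg "match address 101")
ACL_101 = [("permit", "10.1.1.0", "0.0.0.255", "10.100.96.0", "0.0.31.255")]

def forward(src, dst, nat_acl=ACL_100, crypto_acl=ACL_101):
    """Inside->outside: NAT first, then the crypto map checks the translated packet.
    Returns (source address on the wire, encrypted?)."""
    if acl_permits(nat_acl, src, dst):   # route-map permit -> translate
        src = OUTSIDE_IP
    return src, acl_permits(crypto_acl, src, dst)

# Simon's variant: translate everything onto the outside address, so the crypto
# ACL must name the post-NAT (public) source or it never matches.
NAT_ALL = [("permit", *ANY, *ANY)]
CRYPTO_POST_NAT = [("permit", OUTSIDE_IP, "0.0.0.0", "10.100.96.0", "0.0.31.255")]

if __name__ == "__main__":
    # Tunnel traffic: exempt from NAT, keeps 10.1.1.5, matches ACL 101 -> encrypted
    print(forward("10.1.1.5", "10.100.100.7"))                           # ('10.1.1.5', True)
    # Internet traffic: translated, does not match ACL 101 -> clear text
    print(forward("10.1.1.5", "198.51.100.9"))                           # ('64.171.176.146', False)
    # NAT everything but keep the private-address crypto ACL: tunnel never matches
    print(forward("10.1.1.5", "10.100.100.7", NAT_ALL, ACL_101))         # ('64.171.176.146', False)
    # NAT everything and match the translated source in the crypto ACL: works
    print(forward("10.1.1.5", "10.100.100.7", NAT_ALL, CRYPTO_POST_NAT)) # ('64.171.176.146', True)
```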
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:45 GMT-3