RE: Linksys-like IPSec "Passthrough"

From: Mike L. Chase (mchase@xxxxxxxxxxxx)
Date: Thu May 10 2001 - 02:52:23 GMT-3


Here is a config that works if you want to use IPSEC behind a Cisco router doing PAT (the
Cisco router itself is not doing IPSEC):

------------------------------------------------------------------------------
ip nat inside source list 1 interface s0 overload
ip nat inside source static tcp 205.150.155.46 23 205.150.155.46 23 extendable
ip nat inside source static 10.136.14.5 205.150.155.46 extendable

interface serial0
ip address 205.150.155.46 255.255.255.0

interface ethernet0
ip address 10.136.14.2 255.255.255.0

access-list 1 permit 10.136.14.0 0.0.0.255
------------------------------------------------------------------------------

Router outside ISP address = 205.150.155.46
Router inside RFC1918 address = 10.136.14.2
Red Creek Ravlin 3200 or other IPSEC device = 10.136.14.5

This configuration allows you to still telnet into the router but passes all other packets
hitting the router's serial0 outside interface directly to the IPSEC device on the 10.x
address inside.

Rgds/

Mike L. Chase, CCIE #7226
Sr. Network Architect
ISG: Information Services Group
Broadcom Corporation World Headquarters
MailDrop E1159-A
47 Discovery Street, Irvine, California USA 92618
OFC=949-585-6057;CELL=949-290-7065; FAX=949-585-6590
email : mchase@broadcom.com AIM:MikeLChase
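As an added illustration (not code from either post), here is a small Python model of how the three 'ip nat inside source' lines above sort packets on serial0: telnet to the router stays at the router, PAT replies go back to whichever inside host opened them, and everything else (ESP/AH included) lands on the IPsec device, while ESP/AH from any other inside host cannot be PATted at all. The addresses are the ones from the config; the port-allocation scheme and the outside peer 198.51.100.7 are assumptions, not IOS behaviour.

```python
from dataclasses import dataclass, replace

ROUTER_OUTSIDE = "205.150.155.46"   # serial0 address, also the static-NAT global address
IPSEC_HOST = "10.136.14.5"          # Ravlin 3200 (or other IPsec device) on the inside


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "esp" or "ah"
    src: str
    dst: str
    sport: int = 0   # 0 for protocols that carry no port (ESP, AH)
    dport: int = 0


class PatRouter:
    """Simplified model of the three 'ip nat inside source' lines; not IOS internals."""

    def __init__(self):
        self.pat_table = {}      # (proto, global_port) -> (inside_ip, inside_port)
        self.next_port = 1024    # assumed allocation scheme for overload ports

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if untranslatable."""
        if pkt.src == IPSEC_HOST:
            # static 1:1 entry: only the address changes; ports (or lack of them) survive
            return replace(pkt, src=ROUTER_OUTSIDE)
        if pkt.proto not in ("tcp", "udp"):
            # overload needs a port to multiplex on; ESP/AH have none, so PAT breaks IPsec
            return None
        gport = self.next_port
        self.next_port += 1
        self.pat_table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=ROUTER_OUTSIDE, sport=gport)

    def inbound(self, pkt):
        """Outside -> inside. Returns (where it goes, packet after translation)."""
        if pkt.proto == "tcp" and pkt.dport == 23:
            return ("router", pkt)       # static tcp/23 entry: telnet still reaches the router
        key = (pkt.proto, pkt.dport)
        if key in self.pat_table:        # reply to a PAT session from another inside host
            ip, port = self.pat_table[key]
            return ("host", replace(pkt, dst=ip, dport=port))
        # everything else falls through to the static 1:1 entry: the IPsec device
        return ("host", replace(pkt, dst=IPSEC_HOST))
```

Note that a UDP/500 ISAKMP packet from a second inside host is PATted to an arbitrary global port in this model, which is the session-count limitation Mas describes below.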

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Mas Kato
Sent: Wednesday, May 09, 2001 7:46 PM
To: 'CCIELAB'
Subject: Linksys-like IPSec "Passthrough"

Gang,

As an experiment, I tried to implement some of the functionality of my
little Linksys box on a 2600.

Here are the things I'm trying to implement:

1) PAT
2) Outside interface IP address via DHCP

Sounds like Easy IP, but then comes the killer:

3) IPSec "passthrough"

PAT basically breaks IPSec, so I was wondering how the Linksys manages
it...

I thought maybe with IPSec it did a straight port-for-port NAT with the
one outside global address assigned by DHCP (which would lead me to
believe it could only support one IPSec passthrough session at a time),
while doing PAT with everything else and reserving strategic ports.

Here's what I tried:

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
!
ip nat inside source route-map IPSEC interface Ethernet1
ip nat inside source list 110 interface Ethernet1 overload
!
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 100 permit esp 192.168.1.0 0.0.0.255 any
access-list 100 permit ahp 192.168.1.0 0.0.0.255 any
!
access-list 110 deny udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 110 deny esp 192.168.1.0 0.0.0.255 any
access-list 110 deny ahp 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map IPSEC permit 10
match ip address 100

I figured maybe the first 'ip nat inside' command would do straight
extended NAT with IPSec and the second command would do PAT with the
rest. Not.

Alas, since the 'ip nat inside' command references an interface to get
the global address from it automatically gets configured for 'overload.'
Configuring a NAT pool would defeat the purpose of using DHCP on the
outside and there's no way I can tell to reference a DHCP-derived
address with a static translation.

Anybody have any thoughts or comments about this?

Thanks,

Mas
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:38 GMT-3