RE: IPSEC with NAT

From: Diehm, Brian (Brian.Diehm@xxxxxxxxxx)
Date: Sun Oct 14 2001 - 21:02:05 GMT-3

• Next message: Andrew Maskell: "RE: IPSEC with NAT"
• Previous message: Khalid Nafie: "IPSEC with NAT"
• Maybe in reply to: Khalid Nafie: "IPSEC with NAT"
• Next in thread: Andrew Maskell: "RE: IPSEC with NAT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
If memory servers me correct you have to change the peer statements to
represent the natted address but you leave the access list alone.

-----Original Message-----
From: Khalid Nafie [mailto:knafie@ncr.com.kw]
Sent: Sunday, October 14, 2001 6:40 PM
To: Ccielab (E-mail)
Subject: IPSEC with NAT

Dear all,
        I was trying IPSEC with NAting on the same router but it didn't
work, its working without the natting but as i introduce natting into
one
router it doesn't work.
any idea if there is change int the ACL on the nating router?
any working examples?
here is my config

R7:

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key sh-key address 62.7.1.10
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
 !
 crypto map toR2 10 ipsec-isakmp
 set peer 62.7.1.10
 set transform-set trans
 match address 110
!
interface Tunnel10
 ip address 10.10.1.1 255.255.0.0
 no ip directed-broadcast
 tunnel source 62.9.3.3
 tunnel destination 62.7.1.10
 crypto map toR2
!
!interface Ethernet2/0
 ip address 62.9.3.3 255.255.0.0
 no ip redirects
 no ip directed-broadcast
 crypto map toR2
!
access-list 110 permit ip host 62.9.3.3 host 62.7.1.10

R2:

!
ip nat inside source static 2.2.2.1 62.7.1.10
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key sh-key address 62.9.3.3
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
 !
 crypto map toR7 10 ipsec-isakmp
 set peer 62.9.3.3
 set transform-set trans
 match address 110
!
!!
interface Tunnel10
 ip address 10.10.1.2 255.255.0.0
 tunnel source 62.7.1.10
 tunnel destination 62.9.3.3
 crypto map toR7
!
interface Serial0
 ip address 62.7.1.2 255.255.255.0
 ip nat outside
 no ip mroute-cache
 no fair-queue
 clockrate 64000
 crypto map toR7
!
access-list 110 permit ip host 62.7.1.10 host 62.9.3.3
================================================
Yours,
Khaled Nafie
Network Engineer
Customer Services
MCSE,CCDP,CCNP VOICE ACCESS
NCR Corporation, Kuwait
Mob.: +965-9872046
Tel : +965- 2412201, 2412203
Fax : +965-2413075

• Next message: Andrew Maskell: "RE: IPSEC with NAT"
• Previous message: Khalid Nafie: "IPSEC with NAT"
• Maybe in reply to: Khalid Nafie: "IPSEC with NAT"
• Next in thread: Andrew Maskell: "RE: IPSEC with NAT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3