From: Andrew Maskell (amaskell@xxxxxxxxx)
Date: Sun Oct 14 2001 - 21:11:30 GMT-3
You need to prevent the traffic that gets encrypted from getting NAT'd.
This is achieved through policy routing.
Try this:
http://www.cisco.com/warp/public/707/static.html
This shows NAT Order of Operation
http://www.cisco.com/warp/public/556/5.html
-Andrew
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Khalid Nafie
> Sent: Monday, October 15, 2001 12:40 AM
> To: Ccielab (E-mail)
> Subject: IPSEC with NAT
>
>
> Dear all,
> I was trying IPSEC with NATing on the same router but it didn't
> work; it's working without the NATing, but as I introduce NATing into one
> router it doesn't work.
> Any idea if there is a change in the ACL on the NATing router?
> Any working examples?
> Here is my config
>
> R7:
>
> !
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key sh-key address 62.7.1.10
> !
> !
> crypto ipsec transform-set trans esp-des esp-md5-hmac
> !
> !
> crypto map toR2 10 ipsec-isakmp
>  set peer 62.7.1.10
>  set transform-set trans
>  match address 110
> !
> interface Tunnel10
>  ip address 10.10.1.1 255.255.0.0
>  no ip directed-broadcast
>  tunnel source 62.9.3.3
>  tunnel destination 62.7.1.10
>  crypto map toR2
> !
> !
> interface Ethernet2/0
>  ip address 62.9.3.3 255.255.0.0
>  no ip redirects
>  no ip directed-broadcast
>  crypto map toR2
> !
> access-list 110 permit ip host 62.9.3.3 host 62.7.1.10
>
> R2:
>
> !
> ip nat inside source static 2.2.2.1 62.7.1.10
> !
> !
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key sh-key address 62.9.3.3
> !
> !
> crypto ipsec transform-set trans esp-des esp-md5-hmac
> !
> !
> crypto map toR7 10 ipsec-isakmp
>  set peer 62.9.3.3
>  set transform-set trans
>  match address 110
> !
> !!
> interface Tunnel10
>  ip address 10.10.1.2 255.255.0.0
>  tunnel source 62.7.1.10
>  tunnel destination 62.9.3.3
>  crypto map toR7
> !
> interface Serial0
>  ip address 62.7.1.2 255.255.255.0
>  ip nat outside
>  no ip mroute-cache
>  no fair-queue
>  clockrate 64000
>  crypto map toR7
> !
> access-list 110 permit ip host 62.7.1.10 host 62.9.3.3
> ================================================
> Yours,
> Khaled Nafie
> Network Engineer
> Customer Services
> MCSE,CCDP,CCNP VOICE ACCESS
> NCR Corporation, Kuwait
> Mob.: +965-9872046
> Tel : +965- 2412201, 2412203
> Fax : +965-2413075
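
A small model of the inside-to-outside order of operations the reply points to (policy routing, then NAT, then the crypto map check), added here as an illustration; it is not code from the thread or from the linked Cisco documents. The addresses, interface names and ACLs are constructed assumptions and do not reproduce either router's configuration above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str  # interface the packet arrived on


# Constructed sample router state (hypothetical values, not from the thread).
NAT_INSIDE = {"Ethernet0"}                     # interfaces with "ip nat inside"
STATIC_NAT = {"10.1.1.3": "192.0.2.33"}        # inside local -> inside global
CRYPTO_ACL = [("10.1.1.0/24", "10.2.2.0/24")]  # traffic the crypto map protects
NONAT_ACL = [("10.1.1.3/32", "10.2.2.0/24")]   # route-map match for the bypass


def matches(acl, pkt):
    """True if the packet's source and destination fall in any ACL entry."""
    return any(ip_address(pkt.src) in ip_network(s)
               and ip_address(pkt.dst) in ip_network(d) for s, d in acl)


def forward(pkt, policy_route_acl=None):
    """Return (packet as sent, encrypted?) for an inside-to-outside packet."""
    # 1. Policy routing runs first. Matching traffic is sent via a loopback,
    #    so it re-enters on an interface that is not "ip nat inside".
    if policy_route_acl and matches(policy_route_acl, pkt):
        pkt = replace(pkt, in_if="Loopback0")
    # 2. NAT inside-to-outside applies only to packets from a NAT inside interface.
    if pkt.in_if in NAT_INSIDE and pkt.src in STATIC_NAT:
        pkt = replace(pkt, src=STATIC_NAT[pkt.src])
    # 3. The crypto map check sees the packet as NAT left it.
    return pkt, matches(CRYPTO_ACL, pkt)


if __name__ == "__main__":
    to_peer_lan = Packet("10.1.1.3", "10.2.2.5", "Ethernet0")
    to_internet = Packet("10.1.1.3", "198.51.100.7", "Ethernet0")
    for label, pkt, acl in [("static NAT only", to_peer_lan, None),
                            ("with policy-route bypass", to_peer_lan, NONAT_ACL),
                            ("Internet traffic, bypass on", to_internet, NONAT_ACL)]:
        sent, encrypted = forward(pkt, acl)
        print(f"{label:28} src={sent.src:12} encrypted={encrypted}")
```

In the first case the statically translated host's traffic misses the crypto ACL and leaves unencrypted, which is the failure mode to check for when NAT and IPsec share a router.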
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3