Re: IPSEC with NAT

From: MikeN (miken@xxxxxxxxx)
Date: Sun Oct 14 2001 - 22:55:34 GMT-3


Hello Khalid,

This URL may help: http://www.cisco.com/warp/customer/556/5.html. It shows
the NAT order of operations. Notice that the encryption process takes place
after the NAT. Last I worked with this scenario, I was able to do NAT with
IPSec, or NAT with GRE, but not NAT with GRE and IPSec. I'd be interested to
see if you can get this to work.

Thank you,
Mike Nygard

----- Original Message -----
From: "Khalid Nafie" <knafie@ncr.com.kw>
To: "Ccielab (E-mail)" <ccielab@groupstudy.com>
Sent: Sunday, October 14, 2001 5:39 PM
Subject: IPSEC with NAT

> Dear all,
> I was trying IPSEC with NATing on the same router, but it didn't
> work. It's working without the NATing, but as soon as I introduce NATing on one
> router it doesn't work.
> Any idea if there is a change in the ACL on the NATing router?
> Any working examples?
> Here is my config:
>
> R7:
>
> !
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key sh-key address 62.7.1.10
> !
> !
> crypto ipsec transform-set trans esp-des esp-md5-hmac
> !
> !
> crypto map toR2 10 ipsec-isakmp
> set peer 62.7.1.10
> set transform-set trans
> match address 110
> !
> interface Tunnel10
> ip address 10.10.1.1 255.255.0.0
> no ip directed-broadcast
> tunnel source 62.9.3.3
> tunnel destination 62.7.1.10
> crypto map toR2
> !
> !interface Ethernet2/0
> ip address 62.9.3.3 255.255.0.0
> no ip redirects
> no ip directed-broadcast
> crypto map toR2
> !
> access-list 110 permit ip host 62.9.3.3 host 62.7.1.10
>
> R2:
>
> !
> ip nat inside source static 2.2.2.1 62.7.1.10
> !
> !
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key sh-key address 62.9.3.3
> !
> !
> crypto ipsec transform-set trans esp-des esp-md5-hmac
> !
> !
> crypto map toR7 10 ipsec-isakmp
> set peer 62.9.3.3
> set transform-set trans
> match address 110
> !
> !!
> interface Tunnel10
> ip address 10.10.1.2 255.255.0.0
> tunnel source 62.7.1.10
> tunnel destination 62.9.3.3
> crypto map toR7
> !
> interface Serial0
> ip address 62.7.1.2 255.255.255.0
> ip nat outside
> no ip mroute-cache
> no fair-queue
> clockrate 64000
> crypto map toR7
> !
> access-list 110 permit ip host 62.7.1.10 host 62.9.3.3
> ================================================
> Yours,
> Khaled Nafie
> Network Engineer
> Customer Services
> MCSE,CCDP,CCNP VOICE ACCESS
> NCR Corporation, Kuwait
> Mob.: +965-9872046
> Tel : +965- 2412201, 2412203
> Fax : +965-2413075
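To make Mike's point about the order of operations concrete, here is an added example that is not part of the thread and not Cisco's code: a small Python model of the IOS inside-to-outside packet path (NAT inside-to-outside, then the crypto map's match ACL) and the outside-to-inside path (decrypt, then NAT outside-to-inside). The static translation and access-list 110 are taken from Khalid's R2 config; the packet flows and the alternative "pre-NAT" ACL are constructed for comparison. It shows why the crypto ACL on the NATing router has to describe the post-NAT (inside-global) addresses: a crypto ACL written against the inside-local address never matches, so the traffic leaves in the clear.

```python
# Added example, not from the thread: a model of the IOS NAT/crypto order of
# operations.  On egress (inside -> outside) the inside-local source address is
# translated BEFORE the crypto map's match ACL is evaluated; on ingress
# (outside -> inside) the packet is decrypted BEFORE NAT translates the
# destination back.  Addresses come from R2 in Khalid's config; the packet
# flows below are constructed for the example.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool = False


# "ip nat inside source static 2.2.2.1 62.7.1.10" on R2
STATIC_NAT = {"2.2.2.1": "62.7.1.10"}
REVERSE_NAT = {glob: loc for loc, glob in STATIC_NAT.items()}

# "access-list 110 permit ip host 62.7.1.10 host 62.9.3.3" on R2 (crypto map match)
CRYPTO_ACL_POST_NAT = [("62.7.1.10", "62.9.3.3")]
# Constructed alternative: the same ACL written against the pre-NAT address.
CRYPTO_ACL_PRE_NAT = [("2.2.2.1", "62.9.3.3")]


def acl_permits(acl, pkt):
    """Host-to-host 'permit ip' entries only; enough for this model."""
    return any(pkt.src == s and pkt.dst == d for s, d in acl)


def nat_inside_to_outside(pkt):
    """Translate inside-local source to inside-global (static entry)."""
    return replace(pkt, src=STATIC_NAT.get(pkt.src, pkt.src))


def nat_outside_to_inside(pkt):
    """Translate inside-global destination back to inside-local."""
    return replace(pkt, dst=REVERSE_NAT.get(pkt.dst, pkt.dst))


def inside_to_outside(pkt, crypto_acl):
    """Egress order: NAT first, then crypto map match -> mark for encryption."""
    pkt = nat_inside_to_outside(pkt)
    if acl_permits(crypto_acl, pkt):
        pkt = replace(pkt, encrypted=True)
    return pkt


def outside_to_inside(pkt):
    """Ingress order: decrypt first, then NAT outside -> inside."""
    if pkt.encrypted:
        pkt = replace(pkt, encrypted=False)
    return nat_outside_to_inside(pkt)


def check_crypto_acl(crypto_acl, inside_src="2.2.2.1", peer="62.9.3.3"):
    """What the wire sees for a packet from the inside host to the IPSec peer."""
    out = inside_to_outside(Packet(inside_src, peer), crypto_acl)
    return {"src_on_wire": out.src, "encrypted": out.encrypted}


def check_return_path(peer="62.9.3.3", inside_global="62.7.1.10"):
    """Encrypted reply from the peer: decrypted, then destination un-NATed."""
    back = outside_to_inside(Packet(peer, inside_global, encrypted=True))
    return {"dst_delivered": back.dst, "encrypted": back.encrypted}


if __name__ == "__main__":
    print("post-NAT crypto ACL:", check_crypto_acl(CRYPTO_ACL_POST_NAT))
    print("pre-NAT crypto ACL: ", check_crypto_acl(CRYPTO_ACL_PRE_NAT))
    print("return path:        ", check_return_path())
```

Run it and the post-NAT ACL (Khalid's access-list 110) marks the translated packet for encryption, while the pre-NAT variant lets the same packet out unencrypted; on the way back the reply is decrypted and only then translated to 2.2.2.1. The model deliberately stops at NAT and the crypto ACL; it does not try to reproduce the GRE tunnel interaction Mike mentions.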

This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3