RE: IPSEC with NAT

From: dwhitley@xxxxxxxxx
Date: Mon Oct 15 2001 - 12:48:50 GMT-3


The following is from the 12.1 config guide:

Restrictions
If you use Network Address Translation (NAT), you should configure static
NAT translations so that IPSec will work properly. In general, NAT
translation should occur before the router performs IPSec encapsulation; in
other words, IPSec should be working with global addresses.

-----Original Message-----
From: Khalid Nafie [mailto:knafie@ncr.com.kw]
Sent: Monday, October 15, 2001 5:56 AM
To: Ron Royston; ccielab@groupstudy.com
Subject: RE: IPSEC with NAT

Dear All,
        Thanks for your replies. Now I know the idea behind IPSEC with NATting:
the idea is not to NAT what you are securing through the IPSEC tunnel. In
static NATting you have a certain procedure to do so, and dynamic NATting from
private to private and from public to private each has a slightly
different procedure, but all under the same concept. The thing is that this
is the first time that the public network knows about the private addresses,
because they are not NATted.
I have only one concern: I think this is not applicable in real life, because how
can we route the packets from the public network to the private one through the
internet?

-----Original Message-----
From: Ron Royston [mailto:ccie6824@hotmail.com]
Sent: Sunday, October 14, 2001 9:18 PM
To: knafie@ncr.com.kw; ccielab@groupstudy.com
Subject: Re: IPSEC with NAT

Unless there is something I am missing, you can get rid of the GRE tunnel.
Isn't there another active interface on this router, a privately addressed
one that you wish to NAT to a global? Anyway, NAT w/ IPSec will work fine.

Use the access-list to specify what traffic gets encrypted, and that
access-list must be mirrored identically on the IPSec peer. Because you are
statically NATing, you'll have some extra configuration. If you were just
doing NAT, or PATing to your globally addressed interface address, you would
simply exclude the LAN-to-LAN packets from the NAT process. But because you
said 'ip nat inside source static ...', you told the router to NAT a
particular internally addressed host to a global address. In that scenario,
packets from the static NAT host destined for the far-end LAN would not
match your IPSec access-list, resulting in a packet destined for your
private remote network getting sent to the ISP's gateway, and dropped.

Create a loopback interface on the router that needs to static NAT, and use
policy routing on the privately addressed interface to set the ip next-hop
of the statically NATed IP address to the same network (not the host address) of
the loopback interface that you created. This allows the router to bypass
that static NAT statement for those LAN-to-LAN packets only.

CCO has a sample:
http://www.cisco.com/warp/customer/707/static.html

Good luck.

-Ron

>From: Khalid Nafie <knafie@ncr.com.kw>
>Reply-To: Khalid Nafie <knafie@ncr.com.kw>
>To: "Ccielab (E-mail)" <ccielab@groupstudy.com>
>Subject: IPSEC with NAT
>Date: Mon, 15 Oct 2001 02:39:45 +0300
>
>Dear all,
> I was trying IPSEC with NATting on the same router but it didn't
>work. It's working without the NATting, but as soon as I introduce NATting into one
>router it doesn't work.
>Any idea if there is a change in the ACL on the NATting router?
>Any working examples?
>Here is my config:
>
>R7:
>
>!
>crypto isakmp policy 10
> authentication pre-share
>crypto isakmp key sh-key address 62.7.1.10
>!
>!
>crypto ipsec transform-set trans esp-des esp-md5-hmac
>!
> !
> crypto map toR2 10 ipsec-isakmp
> set peer 62.7.1.10
> set transform-set trans
> match address 110
>!
>interface Tunnel10
> ip address 10.10.1.1 255.255.0.0
> no ip directed-broadcast
> tunnel source 62.9.3.3
> tunnel destination 62.7.1.10
> crypto map toR2
>!
>!interface Ethernet2/0
> ip address 62.9.3.3 255.255.0.0
> no ip redirects
> no ip directed-broadcast
> crypto map toR2
>!
>access-list 110 permit ip host 62.9.3.3 host 62.7.1.10
>
>R2:
>
>!
>ip nat inside source static 2.2.2.1 62.7.1.10
>!
>!
>crypto isakmp policy 10
> authentication pre-share
>crypto isakmp key sh-key address 62.9.3.3
>!
>!
>crypto ipsec transform-set trans esp-des esp-md5-hmac
>!
> !
> crypto map toR7 10 ipsec-isakmp
> set peer 62.9.3.3
> set transform-set trans
> match address 110
>!
>!!
>interface Tunnel10
> ip address 10.10.1.2 255.255.0.0
> tunnel source 62.7.1.10
> tunnel destination 62.9.3.3
> crypto map toR7
>!
>interface Serial0
> ip address 62.7.1.2 255.255.255.0
> ip nat outside
> no ip mroute-cache
> no fair-queue
> clockrate 64000
> crypto map toR7
>!
>access-list 110 permit ip host 62.7.1.10 host 62.9.3.3
>================================================
>Yours,
>Khaled Nafie
>Network Engineer
>Customer Services
>MCSE,CCDP,CCNP VOICE ACCESS
>NCR Corporation, Kuwait
>Mob.: +965-9872046
>Tel : +965- 2412201, 2412203
>Fax : +965-2413075
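The order-of-operations point quoted from the 12.1 config guide (inside-to-outside NAT runs before the crypto map's match ACL is evaluated) and the static-NAT failure Ron describes, modelled as an added Python example that is not from any of the posters. It uses R2's addresses from the thread; the far-end LAN 10.10.0.0/16, the crypto ACLs and the `nat_exempt` mechanism (a stand-in for whatever keeps LAN-to-LAN packets out of the translation, such as Ron's loopback/policy-routing trick) are constructed for the model, and GRE encapsulation is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """Constructed model of IOS inside-to-outside handling: NAT, then crypto check."""

    def __init__(self, static_nat, nat_exempt, crypto_acl):
        self.static_nat = static_nat                    # {inside_local: inside_global}
        self.nat_exempt = [ipaddress.ip_network(n) for n in nat_exempt]  # destinations skipped by NAT
        self.crypto_acl = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in crypto_acl]

    def nat(self, pkt):
        # Static translation applies unless the destination is exempted from NAT
        if any(ipaddress.ip_address(pkt.dst) in net for net in self.nat_exempt):
            return pkt
        return Packet(self.static_nat.get(pkt.src, pkt.src), pkt.dst)

    def crypto_match(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.crypto_acl)

    def forward(self, pkt):
        """NAT first, then decide whether the (post-NAT) packet hits the crypto ACL."""
        out = self.nat(pkt)
        return ("encrypted" if self.crypto_match(out) else "cleartext"), out


# Constructed scenario: R2 statically NATs 2.2.2.1 to 62.7.1.10 (from the thread);
# the remote LAN 10.10.0.0/16 is an assumption for the model.
INSIDE_HOST, GLOBAL_HOST, REMOTE_LAN = "2.2.2.1", "62.7.1.10", "10.10.0.0/16"


def broken_router():
    # Crypto ACL written with private addresses, but NAT rewrites the source first,
    # so LAN-to-LAN packets miss the ACL and leave in the clear towards the ISP
    return Router({INSIDE_HOST: GLOBAL_HOST}, [], [("2.2.2.0/24", REMOTE_LAN)])


def fixed_by_global_acl():
    # Config-guide approach: IPSec works with the post-NAT global address
    return Router({INSIDE_HOST: GLOBAL_HOST}, [], [(GLOBAL_HOST, REMOTE_LAN)])


def fixed_by_nat_exemption():
    # Ron's approach: keep LAN-to-LAN packets out of the static translation
    return Router({INSIDE_HOST: GLOBAL_HOST}, [REMOTE_LAN], [("2.2.2.0/24", REMOTE_LAN)])
```

Internet-bound traffic from 2.2.2.1 is still translated and sent in the clear in every variant; only the LAN-to-LAN path changes.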



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:19 GMT-3