GET STUCKED AT FATKID 394 IPSEC-NAT (some questions about NAT and IPSEC)

From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Thu Oct 18 2001 - 20:03:32 GMT-3


Hi there, thank you for your help, problem solved.

But I have some questions concerning IPSec and NAT.

1) Does anyone know where I can get some information
about what packet gets encapsulated, etc., or the
frame format of IPSec?

2) For the same scenario,
http://www.fatkid.com/html/394_ipsec-nat.html

when you enable the access list on R5 or R3, it will
permit the remote site subnet to get encrypted;

here on R5, it's access-list 101 permit ip 10.1.0.0
0.0.255.255 10.2.0.0 0.0.255.255.

But when I ping from R3 (source 10.2.2.3, loopback) to
R5 (10.1.2.5, loopback), the source address is 10.2.2.3
(for example). Will the destination address be the
peer's (VPN peer's) IP address? Or will the destination
address 10.1.2.5 be encapsulated inside the new
destination address, which is the peer's destination address,
in this case 207.122.1.5? Am I right?

If the above is true, then it means any source within
subnet 10.2.0.0 0.0.255.255 will be encapsulated
inside the destination 207.122.1.5?

When the ping packet from R3's loopback reaches R2, R2
(NAT) will change the destination address from
207.122.1.5 back to 10.1.1.5 (Ethernet of R5). When
the packet reaches R5, R5 is directly connected to
10.1.2.5 (which is encapsulated inside 10.1.1.5) and
so the packet arrives. Am I right?

Any help will be appreciated!

thanks and regards

michael

If I am right, then R3 will send the packet with
source 10.2.2.3 and destination 207.122.1.5. When it
comes to R4, R4 will send it to R1 because R4 has the
default route pointing to R1, and R1 will send the packet
to R2. At this point, R2 (the NAT) will translate the
destination to 10.1.1.5 (R5's Ethernet interface).
Because R5 is configured
cket goes to R4, R4 will change the source address? Or
encapsulate the source address with its own address

--- Ron Royston <ccie6824@hotmail.com> wrote:
> You don't have a crypto-map applied to an interface
> on R3, or you don't show
> it to us. Your ACL in the crypto-map is what
> decides what gets
> tunneled/encrypted. If you are using IPSec only (as
> opposed to IPSec w/ GRE
> tunneling), the ACL should permit network-to-network
> traffic. If this ACL
> is different on the peer, i.e., if it's not a mirror
> image, the IPSec will
> probably fail.
>
>
> >From: michael robertson <michael_w_2ca@yahoo.ca>
> >Reply-To: michael robertson
> <michael_w_2ca@yahoo.ca>
> >To: "Rogell, Dennis" <Dennis_Rogell@milgo.com>
> >CC: ccielab@groupstudy.com
> >Subject: RE: GET STUCKED AT FATKID 394 IPSEC-NAT
> (with configuration)
> >Date: Thu, 18 Oct 2001 17:03:13 -0400 (EDT)
> >
> >Hi, group. The following shows my configs for the
> >IPSEC 394 (FATKID). I think that the solution gives
> >two useless default routers for R2 and R4, so I
> >deleted them in my config:
> >
> >
> >-----------------------------------------------
> >R1
> >
> >
> >
> >interface Serial0/0
> > ip address 207.122.1.1 255.255.255.240
> > no fair-queue
> > clockrate 2000000
> >!
> >
> >
> >interface Serial0/1
> > ip address 207.122.2.1 255.255.255.240
> > clockrate 2000000
> >
> >
> >
> >-------------
> >R2
> >
> >
> >interface FastEthernet1/0
> > ip address 10.1.1.2 255.255.255.0
> > ip nat inside
> > duplex auto
> > speed auto
> >!
> >interface Serial1/0
> > ip address 207.122.1.2 255.255.255.240
> > ip nat outside
> > no fair-queue
> >!
> >interface FastEthernet1/1
> > no ip address
> > shutdown
> >
> >ip route 0.0.0.0 0.0.0.0 207.122.1.1
> >no ip http server
> >!
> >!
> >-----------------------
> >
> >R3
> >
> >crypto isakmp policy 1
> > authentication pre-share
> >crypto isakmp key cisco address 207.122.1.5
> >!
> >!
> >crypto ipsec transform-set myset1 esp-des
> esp-md5-hmac
> >!
> >crypto map tor5 10 ipsec-isakmp
> > set peer 207.122.1.5
> > set transform-set myset1
> > match address 101
> >!
> >!
> >!
> >!
> >!
> >interface Loopback0
> > ip address 10.2.2.3 255.255.255.0
> >interface TokenRing0/0
> > ip address 10.2.1.3 255.255.255.0
> > ring-speed 16
> >
> >
> >!
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 10.2.1.4
> >no ip http server
> >!
> >access-list 101 permit ip 10.2.0.0 0.0.255.255
> >10.1.0.0 0.0.255.255
> >access-list 101 permit ip host 207.122.1.5 10.1.0.0
> >0.0.255.255
> >!
> >!
> >
> >------------------------------------
> >
> >
> >
> >R4
> >
> >
> >interface Serial1/0
> > ip address 207.122.2.4 255.255.255.240
> > ip nat outside
> > no fair-queue
> >!
> >interface TokenRing1/0
> > ip address 10.2.1.4 255.255.255.0
> > ip nat inside
> >
> >
> >interface Serial1/1
> > no ip address
> > shutdown
> > clockrate 2000000
> >!
> >ip nat inside source static 10.2.1.3 207.122.2.3
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 207.122.2.1
> >no ip http server
> >!
> >!
> >
> >
> >
> >----------------
> >
> >R5
> >
> >
> >!
> >crypto isakmp policy 1
> > authentication pre-share
> >crypto isakmp key cisco address 207.122.2.3
> >!
> >!
> >crypto ipsec transform-set myset1 esp-des
> esp-md5-hmac
> >!
> >crypto map tor3 10 ipsec-isakmp
> > set peer 207.122.2.3
> > set transform-set myset1
> > match address 101
> >!
> >!
> >!
> >!
> >!
> >interface Loopback0
> > ip address 10.1.2.5 255.255.255.0
> >
> >
> >interface FastEthernet1/0
> > ip address 10.1.1.5 255.255.255.0
> > duplex auto
> > speed auto
> > crypto map tor3
> >!
> >
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 10.1.1.2
> >no ip http server
> >!
> >access-list 101 permit ip 10.1.0.0 0.0.255.255
> >10.2.0.0 0.0.255.255
> >!
> >!
> >
> >------------------------------------------
> >
> >
> >--- "Rogell, Dennis" <Dennis_Rogell@milgo.com>
> wrote:
>
=== message truncated ===
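The two questions above, worked through as an added example (it is not from the thread and not IOS code): a small Python model of ESP tunnel-mode framing with the thread's addresses, 1:1 static NAT of the outer header, and IOS crypto-ACL matching with wildcard masks. It uses ESP with NULL encryption (RFC 2410) and HMAC-MD5-96 rather than esp-des esp-md5-hmac so the inner packet stays readable; esp-des would prepend an 8-byte IV and encrypt the payload, padding it to 8-byte blocks, but the headers and what the ICV covers are the same. The authentication key, the ICMP payload and the SPI are constructed, and R2's static translation 207.122.1.5 -> 10.1.1.5 is an assumption, since R2's NAT line is cut off by the pager in the quoted config. The model shows the point the questions circle around: the crypto ACL is evaluated against the cleartext inner packet (10.2.2.3 -> 10.1.2.5), the outer header carries only the tunnel endpoints, and because the ESP ICV stops short of the outer IP header, a 1:1 NAT rewriting that header does not break it, whereas an AH-style ICV over the same packet does.

```python
"""ESP tunnel-mode framing through 1:1 NAT, plus IOS crypto-ACL matching. Added example for
the thread above (not IOS code, not the fatkid solution). ESP uses NULL encryption (RFC 2410)
+ HMAC-MD5-96 so the inner packet stays readable; esp-des would only change the payload bytes."""
import hashlib, hmac, ipaddress, struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_ESP = 1, 4, 50
ICV_LEN = 12                                # HMAC-MD5-96: MAC truncated to 96 bits
KEY = b"constructed-demo-auth-key"          # constructed; not the thread's ISAKMP key
ip = ipaddress.IPv4Address                  # accepts a dotted string or 4 packed bytes

def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip(src).packed, ip(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def addrs(pkt):
    return str(ip(pkt[12:16])), str(ip(pkt[16:20]))       # (src, dst) of the first IP header

def static_nat(pkt, src=None, dst=None):
    """1:1 static NAT: rewrite the OUTER src/dst and recompute only the IP header checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = ip(src).packed if src else h[12:16]
    h[16:20] = ip(dst).packed if dst else h[16:20]
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]

def esp_tunnel_encap(inner_pkt, outer_src, outer_dst, spi, seq, auth_key):
    """Tunnel mode: the whole inner IP packet is the ESP payload; Next Header = 4 (IP-in-IP)."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                 # align Pad Length/Next Header to 4 bytes
    padding = bytes(range(1, pad_len + 1))                 # RFC 4303 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner_pkt + padding + bytes([pad_len, IPPROTO_IPIP])
    # The ICV covers SPI .. Next Header only; ESP does not authenticate the outer IP header.
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + icv

def esp_tunnel_decap(pkt, auth_key):
    """Verify the ICV and return the inner IP packet, or None if ICV or Next Header is bad."""
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN], icv):
        return None
    payload = body[8:]                                     # skip SPI + Sequence Number
    pad_len, next_hdr = payload[-2], payload[-1]
    return payload[:len(payload) - 2 - pad_len] if next_hdr == IPPROTO_IPIP else None

def ah_style_icv(pkt, auth_key):
    """Contrast with AH (RFC 4302): its ICV covers the outer header with only the mutable
    fields (TOS, flags/offset, TTL, checksum) zeroed, so NAT rewriting an address breaks it."""
    h = bytearray(pkt[:20])
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return hmac.new(auth_key, bytes(h) + pkt[20:], hashlib.md5).digest()[:ICV_LEN]

def parse_ace(line):
    """IOS 'permit ip <src> <dst>', each side 'A.B.C.D wildcard' or 'host A.B.C.D'."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(line)
    toks, sides = toks[2:], []
    for _ in range(2):
        if toks[0] == "host":
            sides.append((int(ip(toks[1])), 0)); toks = toks[2:]
        else:
            sides.append((int(ip(toks[0])), int(ip(toks[1])))); toks = toks[2:]
    return tuple(sides)                                    # ((src_net, src_wc), (dst_net, dst_wc))

def _wc_match(addr, net, wc):
    mask = ~wc & 0xFFFFFFFF                                # wildcard bit 1 = don't care
    return (addr & mask) == (net & mask)

def acl_permits(acl, src, dst):
    """Is the cleartext (inner) src->dst packet selected for IPsec by this crypto ACL?"""
    s, d = int(ip(src)), int(ip(dst))
    return any(_wc_match(s, *sn) and _wc_match(d, *dn) for sn, dn in acl)

def is_mirror(local_acl, remote_acl):
    """Ron's rule: the peer's crypto ACL must be ours with src and dst swapped, line for line."""
    return {(dn, sn) for sn, dn in local_acl} == set(remote_acl)

R3_ACL = [parse_ace("permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"),
          parse_ace("permit ip host 207.122.1.5 10.1.0.0 0.0.255.255")]
R5_ACL = [parse_ace("permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255")]

def walk_ping():
    """Trace the ping R3 loopback -> R5 loopback: outer (src, dst) at each hop, whether the ESP
    and AH-style ICVs survive the two NATs, and the inner addresses R5 finally sees."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)      # echo request; checksum filled in next
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    inner = ipv4_header("10.2.2.3", "10.1.2.5", IPPROTO_ICMP, len(icmp)) + icmp
    at_r3 = esp_tunnel_encap(inner, "10.2.1.3", "207.122.1.5", 0x1000, 1, KEY)  # from R3's TokenRing
    at_r4 = static_nat(at_r3, src="207.122.2.3")   # R4: ip nat inside source static 10.2.1.3 207.122.2.3
    at_r2 = static_nat(at_r4, dst="10.1.1.5")      # R2: ASSUMED static 207.122.1.5 -> 10.1.1.5 (cut off)
    inner_at_r5 = esp_tunnel_decap(at_r2, KEY)
    return {"r3": addrs(at_r3), "r4": addrs(at_r4), "r2": addrs(at_r2),
            "esp_icv_ok_after_nat": inner_at_r5 is not None,
            "ah_icv_ok_after_nat": ah_style_icv(at_r3, KEY) == ah_style_icv(at_r2, KEY),
            "inner": addrs(inner_at_r5) if inner_at_r5 else None}

if __name__ == "__main__":
    print(walk_ping())
```

walk_ping() returns the outer (src, dst) seen at R3, R4 and R2 and whether R5 can still validate the packet after both translations; acl_permits and is_mirror apply Ron's mirror-image rule to the access-list 101 entries quoted for R3 and R5, where R3's second line (host 207.122.1.5) has no counterpart on R5. Note that the model assumes 1:1 static NAT with no port translation; PAT cannot carry ESP, which has no ports, without NAT traversal.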



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:21 GMT-3