Re: GET STUCKED AT FATKID 394 IPSEC-NAT ( some questions about NAT and IPSEC))

From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Thu Oct 18 2001 - 20:13:21 GMT-3


   
Hi, sorry, the previous message has some problem, this
is the modified one.

> Hi, there, thank you for your help, problem solved.
>
> But I have some questions concerning IPSec and NAT.
>
> 1) who knows where I can get some information
> concerning what packet is encapsulated etc. or the
> frame format of IPSec??
>
>
> 2) for the same scenario,
> http://www.fatkid.com/html/394_ipsec-nat.html
>
> when you enable access list on R5 or R3, it will
> permit the remote site subnet to get encrypted,
>
> here in R5, it's access-list 101 permit ip 10.1.0.0
> 0.0.255.255 10.2.0.0 0.0.255.255.
>
> but when I ping from R3 (source 10.2.2.3, loopback)
> to
> R5 (10.1.2.5, loopback), the source address is
> 10.2.2.3
> (for example). The destination address will be the
> peer (VPN peer)'s IP address?? Or the destination
> address
> 10.1.2.5 will be encapsulated inside the new
> destination address, which is the peer's destination
> address
> , in this case 207.122.1.5? Am I right?
>
> If I am right, then R3 will send the packet with
> source 10.2.2.3 and destination 207.122.1.5, when it
> comes to R4, R4 will send to R1 because R4 has the
> default route point to R1 and R1 will send the
> packet
> to R2. at this point, R2 ( the NAT) will translate
> the
> destination to 10.1.1.5 (R5's ethernet interface).
> Because R5 is configured
> cket goes to R4, R4 will change the source address?
> or
> encapsulate the source address with its own address
>

> If the above is true, then it means any source
> within
> subnet 10.2.0.0 0.0.255.255 will be encapsulated
> inside the destination 207.122.1.5?
>
> When the ping packet from R3's loopback reaches R2, R2
> (NAT) will change the destination address from
> 207.122.1.5 back to 10.1.1.5 (ethernet of R5). When
> the packet reaches R5, R5 is directly connected to
> 10.1.2.5 (which is encapsulated inside 10.1.1.5) and
> so the packet reaches it. Am I right?
>
> Any help will be appreciated!
>
> thanks and regards
>
>
> michael
>
>
> >
> --- Ron Royston <ccie6824@hotmail.com> wrote:
> > You don't have a crypto-map applied to an
> interface
> > on R3, or you don't show
> > it to us. Your ACL in the crypto-map is what
> > decides what gets
> > tunneled/encrypted. If you are using IPSec only
> (as
> > opposed to IPSec w/ GRE
> > tunneling), the ACL should permit
> network-to-network
> > traffic. If this ACL
> > is different on the peer, i.e., if it's not a
> mirror
> > image, the IPSec will
> > probably fail.
> >
> >
> > >From: michael robertson <michael_w_2ca@yahoo.ca>
> > >Reply-To: michael robertson
> > <michael_w_2ca@yahoo.ca>
> > >To: "Rogell, Dennis" <Dennis_Rogell@milgo.com>
> > >CC: ccielab@groupstudy.com
> > >Subject: RE: GET STUCKED AT FATKID 394 IPSEC-NAT
> > (with configuration)
> > >Date: Thu, 18 Oct 2001 17:03:13 -0400 (EDT)
> > >
> > >Hi, group, The following shows my configs for the
> > >IPSEC 394 (FATKID), I think that the solution
> > gives
> > >two useless default router for R2 and R4, so I
> > delete
> > >it in my config:
> > >
> > >
> > >-----------------------------------------------
> > >R1
> > >
> > >
> > >
> > >interface Serial0/0
> > > ip address 207.122.1.1 255.255.255.240
> > > no fair-queue
> > > clockrate 2000000
> > >!
> > >
> > >
> > >interface Serial0/1
> > > ip address 207.122.2.1 255.255.255.240
> > > clockrate 2000000
> > >
> > >
> > >
> > >-------------
> > >R2
> > >
> > >
> > >interface FastEthernet1/0
> > > ip address 10.1.1.2 255.255.255.0
> > > ip nat inside
> > > duplex auto
> > > speed auto
> > >!
> > >interface Serial1/0
> > > ip address 207.122.1.2 255.255.255.240
> > > ip nat outside
> > > no fair-queue
> > >!
> > >interface FastEthernet1/1
> > > no ip address
> > > shutdown
> > > --More--
> > >
> > >ip route 0.0.0.0 0.0.0.0 207.122.1.1
> > >no ip http server
> > >!
> > >!
> > >-----------------------
> > >
> > >R3
> > >
> > >crypto isakmp policy 1
> > > authentication pre-share
> > >crypto isakmp key cisco address 207.122.1.5
> > >!
> > >!
> > >crypto ipsec transform-set myset1 esp-des
> > esp-md5-hmac
> > >!
> > >crypto map tor5 10 ipsec-isakmp
> > > set peer 207.122.1.5
> > > set transform-set myset1
> > > match address 101
> > >!
> > >!
> > >!
> > >!
> > >!
> > >interface Loopback0
> > > ip address 10.2.2.3 255.255.255.0
> > >!
> > >interface TokenRing0/0
> > > ip address 10.2.1.3 255.255.255.0
> > > ring-speed 16
> > >
> > >
> > >!
> > >ip classless
> > >ip route 0.0.0.0 0.0.0.0 10.2.1.4
> > >no ip http server
> > >!
> > >access-list 101 permit ip 10.2.0.0 0.0.255.255
> > >10.1.0.0 0.0.255.255
> > >access-list 101 permit ip host 207.122.1.5
> 10.1.0.0
> > >0.0.255.255
> > >!
> > >!
> > >
> > >------------------------------------
> > >
> > >
> > >
> > >R4
> > >
> > >
> > >interface Serial1/0
> > > ip address 207.122.2.4 255.255.255.240
> > > ip nat outside
> > > no fair-queue
> > >!
> > >interface TokenRing1/0
> > > ip address 10.2.1.4 255.255.255.0
> > > ip nat inside
> > >
> > >
> > >interface Serial1/1
> > > no ip address
>
=== message truncated ===
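The two questions in the post (what a tunnel-mode IPSec packet looks like on the wire, and what R2's NAT actually changes) and Ron's point about mirror-image crypto ACLs can be made concrete in a few lines of Python. The following is an added illustration written for this archive page; it is not code from the thread, from Cisco, or from the FATKID scenario. It builds an ESP-in-IPv4 packet in tunnel mode with the addresses quoted above (inner 10.2.2.3 -> 10.1.2.5, outer to the peer 207.122.1.5), applies the static destination rewrite R2 performs (207.122.1.5 -> 10.1.1.5), and shows that the inner addresses and the ESP integrity check survive that rewrite because the HMAC in `esp-md5-hmac` covers only the ESP header, payload and trailer, not the outer IP header. Assumptions, all constructed for the example: the HMAC key, SPI and sequence number; R3 sourcing the tunnel from its TokenRing address 10.2.1.3 (R4's own NAT of that outer source is not modelled); and the inner packet is left in cleartext where the real packet would carry `esp-des` ciphertext, so that it can be parsed and inspected.

```python
"""Added example (not from the thread): tunnel-mode ESP layout, what a NAT device
rewrites, and a mirror-image check for a crypto ACL pair. Addresses are the ones
quoted in the post; key, SPI and sequence number are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50                                   # IP protocol number for ESP
NEXT_HDR_IPV4 = 4                                # ESP trailer "next header" in tunnel mode (IP-in-IP)
SAMPLE_KEY = b"constructed-sample-hmac-key"      # constructed; a real SA key comes from IKE


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP use the same one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_icv(esp_body: bytes, key: bytes) -> bytes:
    """HMAC-MD5-96, i.e. 'esp-md5-hmac': computed over ESP header + payload + trailer.
    The outer IP header is NOT covered, so a NAT rewrite of it leaves the ICV valid."""
    return hmac.new(key, esp_body, hashlib.md5).digest()[:12]


def build_tunnel_mode_esp(inner_src, inner_dst, outer_src, outer_dst, spi, seq, key):
    """Tunnel mode: the whole original IP packet becomes the ESP payload and a new
    outer header carries the tunnel endpoints. Inner packet kept in cleartext here
    (constructed simplification) where the real packet carries esp-des ciphertext."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                  # ICMP echo request, no data
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    inner = ipv4_header(inner_src, inner_dst, 1, len(icmp)) + icmp  # original packet, untouched
    pad_len = (-(len(inner) + 2)) % 8                            # align to DES's 8-byte block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    body = struct.pack("!II", spi, seq) + inner + trailer         # ESP header + payload + trailer
    esp = body + esp_icv(body, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def nat_translate_dst(pkt: bytes, new_dst: str) -> bytes:
    """What R2's static NAT does inbound: rewrite only the outer destination and fix the
    outer checksum. Everything past the outer header is opaque to NAT and untouched."""
    hdr = pkt[:16] + ipaddress.ip_address(new_dst).packed
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def parse_esp_packet(pkt: bytes, key: bytes) -> dict:
    """Decompose an ESP-in-IPv4 packet the way the receiving peer does."""
    outer = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if outer[6] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = pkt[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[:-12], esp[-12:]
    pad_len, next_hdr = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    inner_hdr = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    return {
        "outer_src": str(ipaddress.ip_address(outer[8])),
        "outer_dst": str(ipaddress.ip_address(outer[9])),
        "outer_checksum_ok": ip_checksum(pkt[:20]) == 0,
        "spi": spi, "seq": seq, "next_header": next_hdr,
        "inner_src": str(ipaddress.ip_address(inner_hdr[8])),
        "inner_dst": str(ipaddress.ip_address(inner_hdr[9])),
        "icv_ok": hmac.compare_digest(esp_icv(body, key), icv),
    }


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def crypto_acl_selects(inner_src: str, inner_dst: str, acl) -> bool:
    """The crypto map's 'match address' ACL is evaluated on the inner (pre-encapsulation)
    addresses. ACL entries are (src, src_wildcard, dst, dst_wildcard) tuples."""
    return any(wildcard_match(inner_src, s, sw) and wildcard_match(inner_dst, d, dw)
               for s, sw, d, dw in acl)


def is_mirror(acl_a, acl_b) -> bool:
    """Ron's requirement: the peer's crypto ACL must be the mirror image (src/dst swapped)."""
    return set(acl_a) == {(d, dw, s, sw) for s, sw, d, dw in acl_b}


def demo(key: bytes = SAMPLE_KEY) -> dict:
    """Walk the scenario from the post: R3 loopback pings R5 loopback through the tunnel."""
    pkt = build_tunnel_mode_esp("10.2.2.3", "10.1.2.5", "10.2.1.3", "207.122.1.5",
                                spi=0x1000, seq=1, key=key)
    before = parse_esp_packet(pkt, key)
    after = parse_esp_packet(nat_translate_dst(pkt, "10.1.1.5"), key)
    r3_acl = [("10.2.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"),   # from the quoted R3 config
              ("207.122.1.5", "0.0.0.0", "10.1.0.0", "0.0.255.255")]
    r5_acl = [("10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255")]   # the R5 line quoted in the post
    return {"before_nat": before, "after_nat": after,
            "selected_by_r3_acl": crypto_acl_selects("10.2.2.3", "10.1.2.5", r3_acl),
            "first_lines_mirror": is_mirror(r3_acl[:1], r5_acl),
            "full_acls_mirror": is_mirror(r3_acl, r5_acl)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the answer to the post's question: the outer destination is the peer address 207.122.1.5 and the inner destination 10.1.2.5 rides inside it; after R2's rewrite the outer destination reads 10.1.1.5 while the inner addresses, the ESP fields and the ICV are unchanged and still verify. The ACL part shows why Ron's advice matters: the first R3 line and the quoted R5 line are exact mirrors, but R3's second `permit ip host 207.122.1.5 ...` line has no visible counterpart, so the pair as quoted is not a mirror image.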



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:21 GMT-3