From: Khalid Nafie (knafie@xxxxxxxxxx)
Date: Thu Oct 25 2001 - 07:43:36 GMT-3
I can see something wrong here, which is that you are pointing to the whole
segment "200.100.100.1", and you are also NATing only one address of it,
200.100.100.1 (static NAT). In this way the two access lists are not
mirroring. I recommend that you make the ACL point to R4's serial and
the NATed IP address only.
Let me know if it worked.
Thanks
-----Original Message-----
From: Macky Lee [mailto:Macky.Lee@telecom.co.nz]
Sent: Wednesday, October 24, 2001 8:24 PM
To: ccielab@groupstudy.com
Subject: IPSec/NAT
Hi all,
Could someone please tell me what I have done wrong in the following lab
setup?
R1---R2---R3---R4
R2 has NAT applied (100.1.1.1--->200.100.100.1)
R1 is trying to set up an IPSec tunnel with R4.
Ping was fine before the IPSec configuration was put in.
Here is the configuration.
R1
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 10000
! key address below is R4 serial0
crypto isakmp key Ciscotest address 200.200.200.4
!
crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 ! peer is R4 serial0
 set peer 200.200.200.4
 set transform-set Ciscotran
 match address 101
!
interface Serial0
 ip address 100.1.1.1 255.255.255.0
 encapsulation ppp
 no fair-queue
 clockrate 64000
 crypto map test
!
access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
R4
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 10000
! key address below is R1 serial0 after NAT
crypto isakmp key Ciscotest address 200.100.100.1
!
!
crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 ! peer is R1 serial0 after NAT
 set peer 200.100.100.1
 set transform-set Ciscotran
 match address 101
!
interface Serial0
 ip address 200.200.200.4 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map test
!
access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
Regards,
Macky
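
Added example (not part of the original thread): the reply's observation that the two crypto access lists are not mirroring can be checked mechanically. The Python below parses the two access-list 101 lines quoted above and reports where they fail to mirror each other; the function names are hypothetical, and only the simple "permit ip" form with any, host, or address-plus-wildcard endpoints is assumed.

```python
import ipaddress

def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A WILDCARD) as an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    # IOS wildcard bits mark "don't care" positions; only a contiguous
    # low-order run maps to a prefix, so anything else is rejected.
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network(f"{first}/{32 - wild.bit_length()}", strict=False)

def parse_crypto_acl(line):
    """Parse 'access-list N permit ip SRC DST' into (src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    rest = tokens[4:]
    src = _endpoint(rest)
    dst = _endpoint(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return src, dst

def mirror_mismatches(local_acl, remote_acl):
    """Return a list of differences; an empty list means the entries mirror."""
    l_src, l_dst = parse_crypto_acl(local_acl)
    r_src, r_dst = parse_crypto_acl(remote_acl)
    problems = []
    if l_src != r_dst:
        problems.append(f"local source {l_src} != remote destination {r_dst}")
    if l_dst != r_src:
        problems.append(f"local destination {l_dst} != remote source {r_src}")
    return problems

# The two access-list 101 entries exactly as posted in the thread.
R1_ACL = "access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255"
R4_ACL = "access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255"

if __name__ == "__main__":
    for problem in mirror_mismatches(R1_ACL, R4_ACL):
        print(problem)
```

An empty result only says the two entries are mirror images of each other; it does not model the translation R2 performs.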
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:24 GMT-3