RE: IPSec/NAT

From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Thu Oct 25 2001 - 19:43:13 GMT-3

Hi, There,

It should work, as I have worked it out before. Please
see the following:
http://www.fatkid.com/html/394_ipsec-nat.html

It has solutions. Even though fatkid is not a good
reference, I have done this and it works well.

Regards

michael

--- Khalid Nafie <knafie@ncr.com.kw> wrote:
> I can see something wrong here, which is that you are
> pointing to the whole
> segment "200.100.100.1"; also you are doing NAT on
> only one address of it,
> 200.100.100.1 static NATing. In this way the two
> access lists are not
> mirroring. I recommend that you make the ACL point
> to R4's serial and
> the NATed IP address only.
> Let me know if it worked.
> thx
>
> -----Original Message-----
> From: Macky Lee [mailto:Macky.Lee@telecom.co.nz]
> Sent: Wednesday, October 24, 2001 8:24 PM
> To: ccielab@groupstudy.com
> Subject: IPSec/NAT
>
>
> Hi all,
>
> Could someone please tell me what I have done wrong
> in the following lab
> setup?
>
> R1---R2---R3---R4
>
> R2 has NAT applied (100.1.1.1 ---> 200.100.100.1)
> R1 is trying to set up an IPSec tunnel with R4
>
> Ping was fine before the IPsec configuration was put in.
>
> Here are the configurations.
>
> R1
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> lifetime 10000
> crypto isakmp key Ciscotest address 200.200.200.4   /----(R4 serial0)
> !
> crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> !
> crypto map test 10 ipsec-isakmp
> set peer 200.200.200.4 -----(R4 serial0)
> set transform-set Ciscotran
> match address 101
> !
> interface Serial0
> ip address 100.1.1.1 255.255.255.0
> encapsulation ppp
> no fair-queue
> clockrate 64000
> crypto map test
>
> access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
>
> R4
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> lifetime 10000
> crypto isakmp key Ciscotest address 200.100.100.1   ----- (R1 serial0 after NAT)
> !
> !
> crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> !
> crypto map test 10 ipsec-isakmp
> set peer 200.100.100.1----- (R1 serial0 after NAT)
> set transform-set Ciscotran
> match address 101
> !
> interface Serial0
> ip address 200.200.200.4 255.255.255.0
> encapsulation ppp
> no fair-queue
> crypto map test
> !
> access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
>
> Regards,
>
> Macky
>

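Khalid's point about the two crypto ACLs not mirroring once R2's static NAT sits in the path, worked through in an added Python example that is not part of the thread and is not IOS code: it parses the two access-list entries from Macky's configs, models R2's static translation (NAT rewrites only the outer IP header of the ESP/IKE packets, not the proxy identities carried inside the ISAKMP exchange), and checks whether R4's ACL is the mirror of what R1 proposes. The function and variable names are my own assumptions.

```python
import ipaddress

# Crypto ACLs copied from Macky's R1 and R4 configurations in the thread.
R1_ACL = "access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255"
R4_ACL = "access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255"
# Static NAT on R2 as described in the thread (inside address -> outside address).
R2_STATIC_NAT = {"100.1.1.1": "200.100.100.1"}


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard-mask pair into an ip_network.

    Assumes a contiguous wildcard (0.0.0.255 -> /24), which is all the thread uses.
    """
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


def parse_crypto_acl(line):
    """Return (source, destination) networks from an 'access-list N permit ip S W D W' entry."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2] != "permit" or f[3] != "ip":
        raise ValueError(f"unsupported crypto ACL entry: {line}")
    return wildcard_to_network(f[4], f[5]), wildcard_to_network(f[6], f[7])


def proxy_ids_mirror(initiator_acl, responder_acl):
    """Quick mode only completes when the responder's ACL is the exact mirror of the proposal."""
    i_src, i_dst = parse_crypto_acl(initiator_acl)
    r_src, r_dst = parse_crypto_acl(responder_acl)
    return i_src == r_dst and i_dst == r_src


def outer_source_after_nat(inner_src, nat_table):
    """R2 rewrites only the outer IP header; the proxy IDs inside ISAKMP stay pre-NAT."""
    return nat_table.get(inner_src, inner_src)


def diagnose(initiator_acl, responder_acl, inner_src, nat_table):
    """What R4 sees: the packet's outer source versus the identities R1 actually proposes."""
    i_src, i_dst = parse_crypto_acl(initiator_acl)
    return {
        "outer_src_seen_by_r4": outer_source_after_nat(inner_src, nat_table),
        "proxy_id_offered_by_r1": f"{i_src} <-> {i_dst}",
        "r4_acl_is_mirror": proxy_ids_mirror(initiator_acl, responder_acl),
    }


if __name__ == "__main__":
    # Packets arrive from 200.100.100.1, but R1 proposes 100.1.1.0/24, which R4's ACL does not mirror.
    print(diagnose(R1_ACL, R4_ACL, "100.1.1.1", R2_STATIC_NAT))
```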


This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:25 GMT-3