From: Chris Larson (clarson52@xxxxxxxx)
Date: Wed Dec 05 2001 - 20:25:12 GMT-3
It is because of the way Cisco processes packets. It will process NAT first,
then process a crypto map. So an outgoing packet matching the NAT gets
NAT'ed first, then hits the crypto map. Same with a packet coming in: it hits
NAT, where it is "de-NAT'ed" so to speak, then hits the crypto map.
On a PIX you overcome this by issuing nat (inside) 0 "ip address or
access-list". This tells the PIX not to NAT this address, and you can use
the private IPs in the crypto map.
The newer IOS codes may have the same thing. The other option is to create
your NAT access-list on the router to not NAT those local addresses that you
want to be encrypted.
----- Original Message -----
From: "George Hansen" <HansenG@radiological.com>
To: <ccielab@groupstudy.com>
Cc: <james.lopez@atosorigin.com>
Sent: Wednesday, December 05, 2001 5:04 PM
Subject: Re: Question on Lab 15 - VPN
> There's a tunnel set up, and all the traffic that is to be encrypted is
> going over it. Therefore, all traffic will be from the tunnel source IP
> (150.100.50.42) to the tunnel destination (160.200.77.122).
>
> >>> "Lopez, James" <james.lopez@atosorigin.com> 12/04/01 04:22PM >>>
> Hi Gang,
>
> I'm missing something on encrypted VPN and I just can't seem to understand
> why the access-list on the crypto map is using the Internet IP addresses
> instead of the LAN addresses.
>
> (i.e. on lab 15 - access-list 100 permit ip host 150.100.50.42 host
> 160.200.77.122)
>
> Since the access-list is used to identify which traffic is encrypted, why
> isn't it something like:
>
> access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255 on R8?
>
>
> My current configuration is exactly like the answer sheet and I have
> searched the archives and CCO and just can't seem to see the light.
>
>
> > TIA,
> > JL
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3
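The following Python model is an added illustration for this thread; it is not code from the thread, the lab answer sheet, or Cisco. It models the inside-to-outside order of operations Chris describes (NAT runs first, then the crypto map ACL is evaluated against the translated packet) using the lab 15 addresses quoted above. The NAT list number 110, the `ip nat inside source list 110 ... overload` line it stands for, and the sample LAN packet are assumed or constructed. It shows why James's private-address crypto ACL never matches unless the traffic is exempted from NAT (Chris's "deny" in the NAT list, the router equivalent of PIX `nat (inside) 0`), and why the lab answer's host-to-host ACL matches once the traffic rides the GRE tunnel George mentions, since the outer header then carries the tunnel endpoints.

```python
"""Model of the IOS inside->outside path described in the thread: NAT first,
then the crypto map ACL, evaluated against the packet as it looks after NAT.
Addresses are the lab 15 values from the thread; ACL 110, the PAT address and
the sample packet are assumed. Added illustration, not Cisco's pipeline."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _wildcard_to_network(addr, wildcard):
    """Cisco wildcard (0 bit = must match) -> network. Wildcard 0.0.0.0 is a /32.
    Non-contiguous wildcards are not supported by ip_network and will raise."""
    mask = (~int(ip_address(wildcard))) & 0xFFFFFFFF
    return ip_network(f"{addr}/{ip_address(mask)}", strict=False)


def _parse_addr(tok):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(f"{tok[1]}/32"), tok[2:]
    return _wildcard_to_network(tok[0], tok[1]), tok[2:]


def parse_acl_line(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src_net, dst_net)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    src, rest = _parse_addr(tok[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {line}")
    return tok[2], src, dst


def acl_match(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def forward_inside_to_outside(pkt, nat_acl, outside_addr, crypto_acl):
    """NAT (PAT to outside_addr for packets the NAT list permits) runs before the
    crypto map, so the crypto ACL only ever sees the translated source."""
    natted = acl_match(nat_acl, pkt)
    if natted:
        pkt = Packet(outside_addr, pkt.dst)
    return {"src": pkt.src, "dst": pkt.dst, "natted": natted,
            "encrypted": acl_match(crypto_acl, pkt)}


def gre_encapsulate(pkt, tun_src, tun_dst):
    """Outer IP header the tunnel interface hands to the physical interface."""
    return Packet(tun_src, tun_dst)


OUTSIDE = "150.100.50.42"  # R8's Internet-facing address; assumed to be the PAT address
# Stands for (assumed):  ip nat inside source list 110 interface <outside> overload
NAT_ACL_NAIVE = [parse_acl_line("access-list 110 permit ip 10.0.0.0 0.255.255.255 any")]
# Chris's router option: keep the to-be-encrypted traffic out of the NAT list
NAT_ACL_EXEMPT = [
    parse_acl_line("access-list 110 deny ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255"),
    parse_acl_line("access-list 110 permit ip 10.0.0.0 0.255.255.255 any"),
]
# James's proposed crypto ACL (private addresses) and the lab 15 answer (tunnel endpoints)
CRYPTO_ACL_PRIVATE = [parse_acl_line("access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255")]
CRYPTO_ACL_TUNNEL = [parse_acl_line("access-list 100 permit ip host 150.100.50.42 host 160.200.77.122")]

LAN_PKT = Packet("10.1.1.1", "10.5.8.9")  # constructed: local LAN host -> remote LAN host


def scenarios():
    """Three ways the same LAN packet can leave R8."""
    return {
        # NAT rewrites the source, so ACL 101 never matches: the packet leaves in the clear
        "private_acl_no_exempt": forward_inside_to_outside(LAN_PKT, NAT_ACL_NAIVE, OUTSIDE, CRYPTO_ACL_PRIVATE),
        # NAT exemption keeps the private source, so ACL 101 matches and the packet is encrypted
        "private_acl_with_exempt": forward_inside_to_outside(LAN_PKT, NAT_ACL_EXEMPT, OUTSIDE, CRYPTO_ACL_PRIVATE),
        # GRE: the outer header already carries the tunnel endpoints, so ACL 100 matches as-is
        "gre_tunnel_acl": forward_inside_to_outside(
            gre_encapsulate(LAN_PKT, OUTSIDE, "160.200.77.122"), NAT_ACL_NAIVE, OUTSIDE, CRYPTO_ACL_TUNNEL),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:24s} src={r['src']:15s} natted={r['natted']!s:5s} encrypted={r['encrypted']}")
```

The first scenario is the security-relevant one: nothing errors out, the packet simply leaves un-encrypted with the public source address, which is why a crypto ACL that never matches is easy to miss until you look at `show crypto ipsec sa` counters.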