From: Chris Larson (clarson52@xxxxxxxx)
Date: Wed Dec 05 2001 - 20:49:39 GMT-3
Sorry, I missed George's response my first time through. That is another way
to put it and is probably more accurate as I didn't see anywhere in your
post that you were using NAT.
----- Original Message -----
From: "Chris Larson" <clarson52@home.com>
To: "George Hansen" <HansenG@radiological.com>; <ccielab@groupstudy.com>
Cc: <james.lopez@atosorigin.com>
Sent: Wednesday, December 05, 2001 6:25 PM
Subject: Re: Question on Lab 15 - VPN
> It is because of the way Cisco processes packets. It will process NAT
> first, then process a crypto map. So an outgoing packet matching the NAT gets
> NATed first, then hits the crypto map. Same with a packet coming in. It
> hits NAT where it is "de-NATed" so to speak, then hits the crypto map.
>
> On a PIX you overcome this by issuing the nat (inside) 0 "ip address or
> access-list". This tells the PIX not to NAT this address and you can use
> the private IPs in the crypto map.
>
> The newer IOS codes may have the same thing. The other option is to create
> your NAT access-list on the router to not NAT those local addresses that
> you want to be encrypted.
>
>
> ----- Original Message -----
> From: "George Hansen" <HansenG@radiological.com>
> To: <ccielab@groupstudy.com>
> Cc: <james.lopez@atosorigin.com>
> Sent: Wednesday, December 05, 2001 5:04 PM
> Subject: Re: Question on Lab 15 - VPN
>
>
> > There's a tunnel set up, and all the traffic that is to be encrypted is
> > going over it. Therefore, all traffic will be from the tunnel source IP
> > (150.100.50.42) to the tunnel destination (160.200.77.122).
> >
> > >>> "Lopez, James" <james.lopez@atosorigin.com> 12/04/01 04:22PM >>>
> > Hi Gang,
> >
> > I'm missing something on encrypted VPN and I just can't seem to
> > understand why the access-list on the crypto map is using the Internet IP
> > addresses instead of the LAN addresses.
> >
> > (i.e. on lab 15 - access-list 100 permit ip host 150.100.50.42 host
> > 160.200.77.122)
> >
> > Since the access-list is used to identify which traffic is encrypted,
> > why isn't it something like:
> >
> > access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255 on
> > R8?
> >
> >
> > My current configuration is exactly like the answer sheet and I have
> > searched the archives and CCO and just can't seem to see the light.
> >
> >
> > > TIA,
> > > JL
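To make the NAT-before-crypto ordering described in the thread concrete, here is an added IOS configuration sketch (not from the lab answer sheet or any poster) using the addresses from the question: 10.0.0.0/8 behind R8, 10.5.8.0/24 at the remote site, and the public endpoints 150.100.50.42 and 160.200.77.122. Interface names, the inside LAN address, the serial mask, the transform set and the pre-shared key are assumptions.

```cisco
! NAT ACL (102): deny the VPN-bound flow FIRST so it is never translated.
! If this deny line is missing, inside hosts reach the crypto map already
! NATed to 150.100.50.42 and silently fail to match a private-address ACL.
access-list 102 deny   ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 102 interface Serial0 overload
!
! Crypto ACL (101): because the flow above is exempt from NAT, it can be
! written with the LAN addresses, as the original question expected.
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key LAB-PSK-PLACEHOLDER address 160.200.77.122
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 160.200.77.122
 set transform-set TS
 match address 101
!
interface Serial0
 ip address 150.100.50.42 255.255.255.0
 ip nat outside
 crypto map VPN
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Verification after a ping from an inside host to 10.5.8.x:
!   show crypto ipsec sa      -> #pkts encaps/decaps should increment
!   show ip nat translations  -> must NOT show an entry for 10.x -> 10.5.8.x;
!                                if it does, ACL 102 is still catching the flow
```

The PIX equivalent of the deny line is `nat (inside) 0 access-list <NONAT-ACL>`, where that ACL permits the same 10.0.0.0/8 to 10.5.8.0/24 flow.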
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3