Re: Question on Lab 15 - VPN

From: Chris Larson (clarson52@xxxxxxxx)
Date: Thu Dec 06 2001 - 00:46:40 GMT-3


Actually, looking back on Lab 15, I believe it is because of NAT and how the
router processes it.

Which got me wondering about the tunnel theory, and I don't remember ever
having to do anything for straight crypto with no NAT, so I tried it in the
lab, and it works fine using the regular inside addresses in the crypto
access-list, until you add NAT; then the processing thing comes into
play and I had to use the NAT addresses instead.

----- Original Message -----
From: "Chris Larson" <clarson52@home.com>
To: "Chris Larson" <clarson52@home.com>; "George Hansen"
<HansenG@radiological.com>; <ccielab@groupstudy.com>
Cc: <james.lopez@atosorigin.com>
Sent: Wednesday, December 05, 2001 6:49 PM
Subject: Re: Question on Lab 15 - VPN

> Sorry, I missed George's response my first time through. That is another way
> to put it and is probably more accurate as I didn't see anywhere in your
> post that you were using NAT.
>
>
>
> ----- Original Message -----
> From: "Chris Larson" <clarson52@home.com>
> To: "George Hansen" <HansenG@radiological.com>; <ccielab@groupstudy.com>
> Cc: <james.lopez@atosorigin.com>
> Sent: Wednesday, December 05, 2001 6:25 PM
> Subject: Re: Question on Lab 15 - VPN
>
>
> > It is because of the way Cisco processes packets. It will process NAT first
> > then process a crypto map. So an outgoing packet matching the NAT gets
> > NAT'ed first then hits the crypto map. Same with a packet coming in. It hits
> > NAT where it is "de-NAT'ed" so to speak, then hits the crypto map.
> >
> > On a PIX you overcome this by issuing the nat (inside) 0 "ip address or
> > access-list". This tells the PIX not to NAT this address and you can use
> > the private IPs in the crypto map.
> >
> > The newer IOS codes may have the same thing. The other option is to create
> > your NAT access-list on the router to not NAT those local addresses that you
> > want to be encrypted.
> >
> >
> > ----- Original Message -----
> > From: "George Hansen" <HansenG@radiological.com>
> > To: <ccielab@groupstudy.com>
> > Cc: <james.lopez@atosorigin.com>
> > Sent: Wednesday, December 05, 2001 5:04 PM
> > Subject: Re: Question on Lab 15 - VPN
> >
> >
> > > There's a tunnel set up, and all the traffic that is to be encrypted is
> > > going over it. Therefore, all traffic will be from the tunnel source IP
> > > (150.100.50.42) to the tunnel destination (160.200.77.122).
> > >
> > > >>> "Lopez, James" <james.lopez@atosorigin.com> 12/04/01 04:22PM >>>
> > > Hi Gang,
> > >
> > > I'm missing something on encrypted VPN and I just can't seem to
> > > understand why the access-list on the crypto map is using the Internet IP
> > > addresses instead of the LAN addresses.
> > >
> > > (i.e. on lab 15 - access-list 100 permit ip host 150.100.50.42 host
> > > 160.200.77.122)
> > >
> > > Since the access-list is used to identify which traffic is encrypted, why
> > > isn't it something like:
> > >
> > > access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255 on
> > > R8?
> > >
> > >
> > > My current configuration is exactly like the answer sheet and I have
> > > searched the archives and CCO and just can't seem to see the light.
> > >
> > >
> > > > TIA,
> > > > JL
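
The "NAT first, then crypto map" order of operations Chris describes, modelled as an added example that is not from the thread or from the lab 15 answer sheet. It assumes PAT overload to R8's outside address and uses the LAN and tunnel addresses quoted in the thread as constructed sample input; the IOS access-list lines in the comments are the equivalent configuration, not lab 15's actual config.

```python
import ipaddress

# Constructed sample topology built from the addresses quoted in the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_LAN = ipaddress.ip_network("10.0.0.0/8")        # R8 LAN
REMOTE_LAN = ipaddress.ip_network("10.5.8.0/24")       # far-end LAN
LOCAL_PUBLIC = ipaddress.ip_address("150.100.50.42")   # R8 outside address (assumed PAT overload)

def acl_match(acl, src, dst):
    """First-match evaluation of [(action, src_net, dst_net), ...] with implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"

def outbound(src, dst, nat_acl, crypto_acl):
    """Inside->outside packet: NAT is applied first, then the crypto map is consulted.
    Returns (source address the crypto map sees, whether the packet is encrypted)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_match(nat_acl, src, dst) == "permit":   # ip nat inside source list 110 ... overload
        src = LOCAL_PUBLIC
    return str(src), acl_match(crypto_acl, src, dst) == "permit"

# Crypto ACL written with the LAN addresses, as the original question proposed:
#   access-list 101 permit ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255
CRYPTO_ACL = [("permit", INSIDE_LAN, REMOTE_LAN)]

# NAT ACL that translates everything leaving the LAN:
#   access-list 110 permit ip 10.0.0.0 0.255.255.255 any
NAT_ALL = [("permit", INSIDE_LAN, ANY)]

# NAT ACL with the exemption Chris suggests (a deny entry means "do not translate"),
# the IOS counterpart of the PIX "nat (inside) 0 access-list":
#   access-list 110 deny   ip 10.0.0.0 0.255.255.255 10.5.8.0 0.0.0.255
#   access-list 110 permit ip 10.0.0.0 0.255.255.255 any
NAT_EXEMPT = [("deny", INSIDE_LAN, REMOTE_LAN), ("permit", INSIDE_LAN, ANY)]

if __name__ == "__main__":
    for name, nat_acl in [("no NAT", []), ("NAT all", NAT_ALL), ("NAT with exemption", NAT_EXEMPT)]:
        # LAN-to-LAN traffic matches the private crypto ACL only when it is not translated.
        print(f"{name:20s} LAN->LAN  ", outbound("10.1.1.5", "10.5.8.20", nat_acl, CRYPTO_ACL))
        # Internet-bound traffic is still translated and never encrypted.
        print(f"{name:20s} LAN->Inet ", outbound("10.1.1.5", "198.51.100.7", nat_acl, CRYPTO_ACL))
```

With no NAT or with the exemption the crypto map sees 10.1.1.5 and encrypts; with NAT on all LAN traffic it sees 150.100.50.42 and the private crypto ACL never matches, which is why the answer sheet's ACL uses the public addresses.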



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3