From: Jason Aarons (jaarons@hotmail.com)
Date: Fri Nov 26 2004 - 17:36:21 GMT-3
I don't think I need a next-hop because it matches in the ip nat static
line;

ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map RUAN
route-map RUAN permit 10
 match ip address 121
 set ip next-hop 1.1.1.2

I get hit counts on access-list 121, but no hit counts on acl 122; the
actual IPSec post-nat doesn't get any hit counts.

-jason

>From: "Tony Schaffran" <groupstudy@cconlinelabs.com>
>Reply-To: "Tony Schaffran" <groupstudy@cconlinelabs.com>
>To: "'Larry Roberts'" <Groupstudy@american-hero.com>, "'Jason Aarons'" <jaarons@hotmail.com>
>CC: <ccielab@groupstudy.com>
>Subject: RE: IPSec Phase I doesn't happen
>Date: Thu, 25 Nov 2004 21:30:02 -0800
>
>You might want to take another look at your config.
>
>You are missing a next hop statement in your route map to a loopback address.
>
>Take a look at this link, it explains it all.
>
>http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
>
>
>
>Tony Schaffran
>Network Analyst
>CCIE #11071
>CCNP, CCNA, CCDA,
>NNCDS, NNCSS, CNE, MCSE
>
>www.cconlinelabs.com
>Your #1 choice for online Cisco rack rentals.
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Larry Roberts
>Sent: Thursday, November 25, 2004 7:20 PM
>To: Jason Aarons
>Cc: ccielab@groupstudy.com
>Subject: Re: IPSec Phase I doesn't happen
>
>Have you debugged the isakmp negotiations?
>
>What does "show crypto isakmp sa" give you ?
>
>What does the other side configuration look like?
>
>
>Jason Aarons wrote:
>
> >PC on 10.1.1.50 generates interesting traffic (acl122) to 172.16.16.2,
> >but the IPSec tunnel doesn't get built (no output from debug crypto ipsec
> >sa). TAC is looking at this but can't find what is wrong. The remote
> >network already has a 10.1.1.0 network, so I static nat my end to
> >10.1.2.0 which is ACL 121. This is complex.. Code is 12.3(9b) !
> >crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> >crypto isakmp key <something> address 44.33.148.192
> >!
> >crypto ipsec transform-set TYCO-com esp-3des esp-md5-hmac
> >!
> >crypto map IPSec 10 ipsec-isakmp
> > description sengel@TYCO.com
> > set peer 44.33.148.192
> > set transform-set TYCO-com
> > match address 122
> >!
> >interface Ethernet0
> > ip address 66.109.64.9 255.255.255.240
> >!
> >interface FastEthernet0
> > description connected to Internal LAN
> > ip address 10.1.1.2 255.255.255.0
> > ip nat inside
> >!
> >interface Serial0
> > no ip address
> > encapsulation frame-relay
> >!
> >interface Serial0.1 point-to-point
> > ip address 44.109.64.250 255.255.255.252
> > ip nat outside
> > frame-relay interface-dlci 448 IETF
> > crypto map IPSec
> >!
> >ip nat inside source list 1 interface Serial0.1 overload
> >ip nat inside source static tcp 10.1.1.10 49201 44.109.73.83 49201 extendable
> >ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 Serial0.1
> >!
> >access-list 1 permit 10.1.1.0 0.0.0.255
> >access-list 121 remark Used for IPSEC
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
> >access-list 122 remark Used for IPSEC
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.103.0 0.0.0.255
> >!
> >route-map TYCO permit 10
> > match ip address 121
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
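
Added example (not part of the original thread and not anyone's posted config): a small Python model of the path described above, assuming IOS applies inside-to-outside NAT before the crypto map ACL check. It uses a constructed three-entry excerpt of ACLs 121 and 122 and reports which ACL a packet should match on paper, for comparison with the router's hit counters; the destination 198.51.100.7 is a made-up non-VPN address.

```python
import ipaddress

# Constructed excerpt of the ACLs quoted in the thread (three entries from each list).
CONFIG = """\
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(text):
    """Return {acl_number: [(src, src_wild, dst, dst_wild), ...]} for 'permit ip' lines."""
    acls = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            acls.setdefault(int(f[1]), []).append(tuple(to_int(x) for x in f[4:8]))
    return acls

def acl_permits(entries, src, dst):
    """Cisco wildcard match: bits set in the wildcard mask are 'don't care'."""
    s, d, full = to_int(src), to_int(dst), 0xFFFFFFFF
    return any((s ^ a) & (full ^ aw) == 0 and (d ^ b) & (full ^ bw) == 0
               for a, aw, b, bw in entries)

def static_network_nat(src, inside="10.1.1.0", outside="10.1.2.0", prefix=24):
    """Static network NAT: keep the host bits, swap the network bits."""
    host_mask = (1 << (32 - prefix)) - 1
    s = to_int(src)
    if (s & (0xFFFFFFFF ^ host_mask)) != to_int(inside):
        return src  # source is outside the translated network
    return str(ipaddress.IPv4Address(to_int(outside) | (s & host_mask)))

def trace(src, dst, acls):
    """Model the order: route-map ACL 121 -> static NAT -> crypto ACL 122."""
    nat_hit = acl_permits(acls[121], src, dst)
    post = static_network_nat(src) if nat_hit else src
    return {"acl121": nat_hit, "post_nat_src": post,
            "acl122": acl_permits(acls[122], post, dst)}

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print(trace("10.1.1.50", "172.16.16.2", acls))    # the PC from the thread
    print(trace("10.1.1.50", "198.51.100.7", acls))   # hypothetical non-VPN destination
```
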
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3