From: Tony Schaffran (groupstudy@cconlinelabs.com)
Date: Fri Nov 26 2004 - 17:38:53 GMT-3
Read the link I sent you. You do need the next hop because of the order
that NAT and IPSEC take place.
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: Jason Aarons [mailto:jaarons@hotmail.com]
Sent: Friday, November 26, 2004 12:36 PM
To: groupstudy@cconlinelabs.com; Groupstudy@american-hero.com
Cc: ccielab@groupstudy.com
Subject: RE: IPSec Phase I doesn't happen
I don't think I need a next-hop because it matches in the ip nat static
line;
ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map RUAN
route-map RUAN permit 10
match ip address 121
set ip next-hop 1.1.1.2
I get hit counts on access-list 121, but no hit counts on ACL 122; the actual
IPSec post-NAT ACL doesn't get any hit counts. -jason
>From: "Tony Schaffran" <groupstudy@cconlinelabs.com>
>Reply-To: "Tony Schaffran" <groupstudy@cconlinelabs.com>
>To: "'Larry Roberts'" <Groupstudy@american-hero.com>, "'Jason Aarons'"
<jaarons@hotmail.com>
>CC: <ccielab@groupstudy.com>
>Subject: RE: IPSec Phase I doesn't happen
>Date: Thu, 25 Nov 2004 21:30:02 -0800
>
>You might want to take another look at your config.
>
>You are missing a next hop statement in your route map to a loopback address.
>
>Take a look at this link, it explains it all.
>
>http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
>
>
>
>Tony Schaffran
>Network Analyst
>CCIE #11071
>CCNP, CCNA, CCDA,
>NNCDS, NNCSS, CNE, MCSE
>
>www.cconlinelabs.com
>Your #1 choice for online Cisco rack rentals.
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Larry Roberts
>Sent: Thursday, November 25, 2004 7:20 PM
>To: Jason Aarons
>Subject: Re: IPSec Phase I doesn't happen
>
>Have you debugged the isakmp negotiations?
>
>What does "show crypto isakmp sa" give you ?
>
>What does the other side configuration look like?
>
>
>Jason Aarons wrote:
>
> >PC on 10.1.1.50 generates interesting traffic (acl122) to 172.16.16.2,
> >but the IPSec tunnel doesn't get built (no output from debug crypto ipsec
> >sa). TAC is looking at this but can't find what is wrong. The remote
> >network already has a 10.1.1.0 network, so I static nat my end to
> >10.1.2.0 which is ACL 121. This is complex.. Code is 12.3(9b) !
> >crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> >crypto isakmp key <something> address 44.33.148.192
> >!
> >crypto ipsec transform-set TYCO-com esp-3des esp-md5-hmac
> >!
> >crypto map IPSec 10 ipsec-isakmp
> > description sengel@TYCO.com
> > set peer 44.33.148.192
> > set transform-set TYCO-com
> > match address 122
> >!
> >interface Ethernet0
> > ip address 66.109.64.9 255.255.255.240
> >!
> >interface FastEthernet0
> > description connected to Internal LAN
> > ip address 10.1.1.2 255.255.255.0
> > ip nat inside
> >!
> >interface Serial0
> > no ip address
> > encapsulation frame-relay
> >!
> >interface Serial0.1 point-to-point
> > ip address 44.109.64.250 255.255.255.252
> > ip nat outside
> > frame-relay interface-dlci 448 IETF
> > crypto map IPSec
> >!
> >ip nat inside source list 1 interface Serial0.1 overload
> >ip nat inside source static tcp 10.1.1.10 49201 44.109.73.83 49201 extendable
> >ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 Serial0.1
> >!
> >access-list 1 permit 10.1.1.0 0.0.0.255
> >access-list 121 remark Used for IPSEC
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
> >access-list 122 remark Used for IPSEC
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.103.0 0.0.0.255
> >!
> >route-map TYCO permit 10
> > match ip address 121
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
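Added here as an illustration, not part of the thread or of Cisco's documentation: a small Python model of the inside-to-outside order the thread is arguing about, with ACLs 121 and 122 from Jason's config abbreviated to two entries each. The route-map ACL is checked against the pre-NAT source, the static network NAT rewrites the source, and the crypto map ACL is checked against the post-NAT source, which is why the crypto ACL has to be written for 10.1.2.0 rather than 10.1.1.0; function names and the two-entry ACLs are assumptions for the example.

```python
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace, src, dst):
    """One IOS-style ACE: (src_net, src_wildcard, dst_net, dst_wildcard).
    Wildcard bits set to 1 are don't-care bits."""
    s_net, s_wc, d_net, d_wc = (ip_int(x) for x in ace)
    return ((ip_int(src) ^ s_net) & ~s_wc) == 0 and \
           ((ip_int(dst) ^ d_net) & ~d_wc) == 0


def acl_hits(acl, src, dst):
    """True if any permit entry in the ACL matches the src/dst pair."""
    return any(ace_matches(ace, src, dst) for ace in acl)


# Constructed, abbreviated copies of ACL 121 (pre-NAT, used by the
# route-map) and ACL 122 (post-NAT, used by the crypto map) from the thread.
ACL_121 = [("10.1.1.0", "0.0.0.255", "172.16.16.0", "0.0.0.255"),
           ("10.1.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")]
ACL_122 = [("10.1.2.0", "0.0.0.255", "172.16.16.0", "0.0.0.255"),
           ("10.1.2.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")]


def static_network_nat(src, inside="10.1.1.0", outside="10.1.2.0", prefix=24):
    """Model of 'ip nat inside source static network 10.1.1.0 10.1.2.0 /24':
    keep the host bits of src, replace the network bits."""
    host_mask = (1 << (32 - prefix)) - 1
    translated = (ip_int(outside) & ~host_mask) | (ip_int(src) & host_mask)
    return str(ipaddress.IPv4Address(translated))


def inside_to_outside(src, dst):
    """Inside-to-outside order: route-map ACL (pre-NAT) -> NAT -> crypto ACL.
    Returns (acl121_hit, post_nat_src, acl122_hit)."""
    hit121 = acl_hits(ACL_121, src, dst)             # route-map match, pre-NAT
    post_src = static_network_nat(src) if hit121 else src  # NAT happens first
    hit122 = acl_hits(ACL_122, post_src, dst)        # crypto map sees post-NAT
    return hit121, post_src, hit122


if __name__ == "__main__":
    # The PC in the thread: 10.1.1.50 talking to 172.16.16.2
    print(inside_to_outside("10.1.1.50", "172.16.16.2"))
    # Non-VPN traffic takes the overload NAT path instead and is not modelled
    print(inside_to_outside("10.1.1.50", "198.51.100.7"))
```

Run as-is to see that the translated source 10.1.2.50 is what the crypto ACL must match; the pre-NAT ACL 121 would never match it, so counters on 121 alone say nothing about whether the crypto map was consulted.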
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3