Nat transparency classics

From: Stefan Grey (examplebrain@hotmail.com)
Date: Thu Sep 07 2006 - 16:12:56 ART


Hello guys. Below is a classic example of NAT transparency:

Task:
An IPsec tunnel needs to be configured between lo0 of R1 and lo0 of R3.
NAT is configured on R2, so R1 actually peers with the fa0/1 interface
of R2 when making a tunnel with R3.
(lo0)R1(fa0/1)-(fa0/1)R2(fa0/0)-(fa0/0)R3(lo0)

Problem:
The tunnel doesn't form. (I guess it is due to a NAT transparency problem.)

Questions:
1. What should be configured to solve this problem without the crypto ipsec
nat-transparency command? (I actually tried to add different NAT entries,
but nothing helped.)

2. How can this problem be solved with the crypto ipsec nat-transparency
command? As I understand it, in modern IOS versions this command is on by
default. Why doesn't the tunnel form then?

My config is below.
Thanks for the help again!

hostname R1
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cciesec address 10.10.10.2
no crypto isakmp ccm
!
crypto ipsec transform-set test esp-des esp-sha-hmac
!
crypto map secure 10 ipsec-isakmp
set peer 10.10.10.2
match address 113
!
interface Loopback0
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
crypto map secure
!
router rip
version 2
network 10.0.0.0
network 11.0.0.0
no auto-summary
!
!
access-list 113 permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255

hostname R2
!
interface Loopback0
ip address 22.22.22.22 255.255.255.0
!
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
ip nat outside
!
router rip
version 2
network 10.0.0.0
network 20.0.0.0
network 22.0.0.0
no auto-summary
!
ip nat inside source static 20.20.20.3 interface FastEthernet0/1
!
end

hostname R3
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cciesec address 10.10.10.1
!
!crypto ipsec transform-set tset esp-des esp-sha-hmac
!
crypto map secure 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set tset
match address 113
!
interface Loopback0
ip address 33.33.33.33 255.255.255.0
!
interface FastEthernet0/0
ip address 20.20.20.3 255.255.255.0
crypto map secure
!
router rip
version 2
network 20.0.0.0
network 33.0.0.0
!
access-list 113 permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
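
A static consistency check over the crypto lines of the configs above, as an added example that is not part of the original post: it flags crypto map entries that lack a peer, transform-set or ACL, or that reference a transform-set, ACL or pre-shared key not defined in the same config. `lint_crypto` is a hypothetical helper, and the parsing is an assumption that covers only the command forms appearing in the post.

```python
# Crypto-related lines copied from the R1 and R3 configs in the post above.
R1 = """crypto isakmp key cciesec address 10.10.10.2
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto map secure 10 ipsec-isakmp
set peer 10.10.10.2
match address 113
access-list 113 permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255
"""
R3 = """crypto isakmp key cciesec address 10.10.10.1
!crypto ipsec transform-set tset esp-des esp-sha-hmac
crypto map secure 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set tset
match address 113
access-list 113 permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
"""

def lint_crypto(config):
    """Hypothetical helper: list inconsistencies in IOS-style crypto map entries."""
    tsets, acls, keys, entries, cur = set(), set(), set(), [], None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):      # blank line or IOS comment line
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])                    # defined transform-set name
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w[:-1]:
            keys.add(w[w.index("address") + 1])  # peer address the key is bound to
        elif w[0] == "access-list" and len(w) > 1:
            acls.add(w[1])                     # defined numbered ACL
        if w[:2] == ["crypto", "map"] and len(w) > 3:
            cur = {"id": f"{w[2]} {w[3]}", "peer": [], "tset": [], "acl": []}
            entries.append(cur)
        elif cur and w[:2] == ["set", "peer"] and len(w) > 2:
            cur["peer"].append(w[2])
        elif cur and w[:2] == ["set", "transform-set"]:
            cur["tset"] += w[2:]
        elif cur and w[:2] == ["match", "address"] and len(w) > 2:
            cur["acl"].append(w[2])
        else:
            cur = None                         # any other command ends the entry
    out = []
    for e in entries:
        need = (("peer", "peer"), ("tset", "transform-set"), ("acl", "match address"))
        out += [f"{e['id']}: no {label}" for k, label in need if not e[k]]
        out += [f"{e['id']}: transform-set {t} is not defined" for t in e["tset"] if t not in tsets]
        out += [f"{e['id']}: access-list {a} is not defined" for a in e["acl"] if a not in acls]
        out += [f"{e['id']}: no isakmp key for peer {p}" for p in e["peer"] if p not in keys]
    return out
print({"R1": lint_crypto(R1), "R3": lint_crypto(R3)})
```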



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART