RE: ipsec issue from sameer inam on 2010-03-16 (Ccielab archives 03/2010)

From: sameer inam <i_sameer_at_hotmail.com>
Date: Tue, 16 Mar 2010 12:34:29 +0000

please send the output result of these commands

debug crypto isakmp

debug crypto ipsec

debug crypt engine

Regards,

Sameer

CCNP , MSCE

> Date: Tue, 16 Mar 2010 17:22:50 +0530
> Subject: ipsec issue
> From: jckdaniels12_at_gmail.com
> To: ccielab_at_groupstudy.com
>
> Hi guys,
>
>
> Please help me with a issue
>
> 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
> ----------------------------------- ipsec termination - 5.5.5.5
>
>
> Requiremnets -
> 1) 1.1.1.1 access server 5.5.5.5 ( server ) after establishing ipsec
> 2) 1.1.1.1 access internet
> 3) 2.2.2.0/24 nating to a public ip given by ISP done on ADSL router
> 4) People from outside should access 2.2.2.5<<<<this ip should point to
> 1.1.1.1
>
>
> config ---
>
>
> ip cef
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key EX(epT!0n21Iye address 100.100.100.100
> !
> crypto ipsec security-association lifetime seconds 1800
> !
> crypto ipsec transform-set TEST esp-3des esp-sha-hmac
> !
> crypto map VPN 20 ipsec-isakmp
> set peer 100.100.100.100
> set security-association lifetime seconds 86400
> set transform-set TEST
> match address 101
> archive
> log config
> hidekeys
> !
> !
> !
> !
> interface FastEthernet0
> !
> interface FastEthernet1
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> ip address 2.2.2.2 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map VPN
> !
> interface Vlan1
> ip address 1.1.1.2 255.255.255.240
> ip nat inside
> ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 2.2.2.1
> !
> no ip http server
> no ip http secure-server
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static 1.1.1.1 2.2.2.5
> !
> access-list 101 permit ip 1.1.1.0 0.0.0.255 host 5.5.5.5
> access-list 102 deny ip 1.1.1.0 0.0.0.255 host 5.5.5.5
> access-list 102 permit ip 1.1.1.0 0.0.0.255 any
> !
> !
> route-map nonat permit 10
> match ip address 102
> !
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
Received on Tue Mar 16 2010 - 12:34:29 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART