Assuming 2.2.2.5 is publicly accessible from the Internet already and you need
to be able to access the Internet from that host (1.1.1.1) and reach other
hosts behind the 5.5.5.5 IPSec termination that are not routable or
pre-translation, then the information I listed below is relevant.
Here is a Cisco doc that explains the NAT exempt issue you're running into
from both a firewall and router perspective. If this is the problem you're
facing, please explain it better with less caps.
1.1.1.1 translates to 2.2.2.5 ---- The webs ---- 5.5.5.5 (crypto endpoint)
--- some other addresses
access-list 120 permit ip host 1.1.1.1 some other address(es)
ip nat inside source static 1.1.1.1 2.2.2.5 route-map nonatty
! deny = leave untranslated for the tunnel, permit = translate for the Internet
access-list 150 deny ip host 1.1.1.1 some other address(es)
access-list 150 permit ip host 1.1.1.1 any
route-map nonatty permit 10
 match ip address 150
-ryan
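A complete worked configuration of the NAT-exempt pattern Ryan outlines, added here as an example and not taken from any post in the thread. It uses the thread's addresses (1.1.1.1 inside, 2.2.2.2 on FA4, peer 5.5.5.5, public mapping 2.2.2.5); the remote VPN subnet 10.10.10.0/24, the second inside subnet 192.168.1.0/24, the inside interface name Vlan1, and the key placeholder are all constructed assumptions for illustration. The point it shows is the IOS order of operations for inside-to-outside traffic: NAT runs before the crypto map, so the NAT route-map must refuse to translate tunnel-bound packets, and the crypto ACL then matches the untranslated (pre-NAT) source.

```cisco
! --- Interfaces (topology from the thread; Vlan1 as inside interface is an assumption) ---
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
! --- Crypto "interesting traffic" ---
! Sources are the real inside addresses: because of the NAT exemption below,
! these packets reach the crypto map untranslated. 10.10.10.0/24 is a
! constructed placeholder for the networks behind 5.5.5.5.
access-list 120 permit ip host 1.1.1.1 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! --- NAT exemption for the statically mapped host ---
! In the route-map ACL: deny = do not translate (tunnel traffic),
! permit = translate (Internet traffic). Without the permit line the
! route-map never matches and 1.1.1.1 would never be translated at all.
access-list 150 deny   ip host 1.1.1.1 10.10.10.0 0.0.0.255
access-list 150 permit ip host 1.1.1.1 any
route-map nonatty permit 10
 match ip address 150
!
! Static mapping so the outside NMS can keep using 2.2.2.5; the route-map
! keeps it off the tunnel path.
ip nat inside source static 1.1.1.1 2.2.2.5 route-map nonatty
!
! --- NAT exemption for the remaining inside hosts (PAT to FA4) ---
! 192.168.1.0/24 is a constructed placeholder for other inside hosts.
access-list 151 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 151 interface FastEthernet4 overload
!
! --- IPsec to 5.5.5.5 (pre-shared key is a placeholder, not a real value) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-PSK address 5.5.5.5
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set TS
 match address 120
```

To check that the exemption is doing its job, generate traffic from 1.1.1.1 to the remote subnet and confirm with `show ip nat translations` that no entry with 2.2.2.5 appears for that destination, while `show crypto ipsec sa` shows the encaps/decaps counters rising for the 1.1.1.1 to 10.10.10.0/24 flow. Traffic from 1.1.1.1 to the Internet should still show a 1.1.1.1 to 2.2.2.5 translation. Whether outside-initiated sessions to 2.2.2.5 are honoured when a route-map is attached to a static entry depends on the IOS release; the NAT command reference for the release in use should be consulted for the route-map static NAT behaviour before relying on it for the monitoring team's inbound access.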
From: jack daniels [mailto:jckdaniels12_at_gmail.com]
Sent: Tuesday, March 16, 2010 10:20 AM
To: Ryan West
Cc: Cisco certification
Subject: Re: ipsec issue
But Ryan, my issue is different.
ISSUE IS -
A monitoring team outside our network accesses a PC with IP 2.2.2.5, which
they are not changing in their NMS.
But actually the PC's IP is 1.1.1.1; it was earlier given IP 2.2.2.5.
Now this PC has IP 1.1.1.1.
How will this work now without impacting Internet + IPsec tunnel?
1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
                                            ----------------------------------- ipsec termination - 5.5.5.5
Regards
On Tue, Mar 16, 2010 at 6:37 PM, Ryan West
<rwest_at_zyedge.com> wrote:
Re-read below.
From: jack daniels
[mailto:jckdaniels12_at_gmail.com]
Sent: Tuesday, March 16, 2010 9:07 AM
To: Ryan West
Cc: Cisco certification
Subject: Re: ipsec issue
Hi Ryan,
In my scenario the Internet is working with NAT + I'm able to access the remote
server (IPsec tunnel set up successfully) ...
ISSUE IS -
A monitoring team outside our network accesses a PC with IP 2.2.2.5, which
they are not changing in their NMS.
But actually the PC's IP is 1.1.1.1; it was earlier given IP 2.2.2.5.
Now this PC has IP 1.1.1.1.
How will this work now without impacting Internet + IPsec tunnel?
1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
                                            ----------------------------------- ipsec termination - 5.5.5.5
On Tue, Mar 16, 2010 at 6:28 PM, Ryan West
<rwest_at_zyedge.com> wrote:
Jack,
> -----Original Message-----
> Sent: Tuesday, March 16, 2010 8:41 AM
> To: Cisco certification
> Subject: Re: ipsec issue
>
> Hi Guys, to make it simple:
> 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
>                                             ----------------------------------- ipsec termination - 5.5.5.5
>
> 1.1.1.1 needs access via IPsec tunnel to 5.5.5.5
> 1.1.1.1 needs to access the Internet also
>
> These things are happening with my config.
>
> BUT ISSUE IS SOMEONE FROM OUTSIDE NEEDS TO CONNECT TO 1.1.1.1, BUT HE will
> give the IP IN HIS PC FOR CONNECTION as 2.2.2.5<<<<<<<<
>
> PLEASE SUGGEST ANY SOLUTION FOR SAME.<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> And when for this I put static NAT
>
> ip nat inside source static 1.1.1.1 2.2.2.5
>
> ISSUE - but when I recreate the IPsec tunnel by clearing it, it doesn't come up.
>
> PLEASE SUGGEST ANY SOLUTION FOR SAME.
>
First of all, I can't really figure out what you're talking about, but it
sounds like you're on a paid gig and freaking out about a problem you can't
fix. I think you had the problem figured out earlier when you were using a
route-map based ip nat inside source static command. You're trying to fix a
basic issue with IPsec tunnels, interesting traffic with static NATs and what
to make part of your NAT exempt rules.
Try looking at the abundance of threads on Cisco's support forum:
https://supportforums.cisco.com/thread/2002986;jsessionid=6B06ACA79DFCABC84D093A1ADFDB4CB2.node0
-ryan
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 16 2010 - 14:39:57 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART