Hi, done :) it was an issue with NAT ..... used port-based NAT for 2.2.2.5 to
1.1.1.1
On Tue, Mar 16, 2010 at 8:09 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Assuming 2.2.2.5 is publicly accessible from the Internet already and you
> need to be able to access the Internet from that host (1.1.1.1) and reach
> other hosts behind the 5.5.5.5 IPSec termination that are not routable or
> pre-translation, then the information I listed below is relevant.
>
>
>
> Here is a Cisco doc that explains the NAT exempt issue you're running into
> from both a firewall and router perspective. If this is the problem you're
> facing, please explain it better with less caps.
>
> 1.1.1.1 translates to 2.2.2.5 ---- The webs ---- 5.5.5.5 (crypto
> endpoint) --- some other addresses
>
> ! crypto ACL: interesting traffic, matched on the untranslated inside address
> access-list 120 permit ip host 1.1.1.1 some other address(es)
>
> ! static NAT applied only where the route-map permits
> ip nat inside source static 1.1.1.1 2.2.2.5 route-map nonatty
>
> ! NAT exempt: deny (do not translate) VPN-bound traffic, translate everything else
> access-list 150 deny ip host 1.1.1.1 some other address(es)
> access-list 150 permit ip host 1.1.1.1 any
>
> route-map nonatty permit 10
>  match ip address 150
>
>
>
> -ryan
>
>
>
> *From:* jack daniels [mailto:jckdaniels12_at_gmail.com]
> *Sent:* Tuesday, March 16, 2010 10:20 AM
>
> *To:* Ryan West
> *Cc:* Cisco certification
> *Subject:* Re: ipsec issue
>
>
>
> but ryan my issue is different
>
>
>
>
>
> ISSUE IS -
> The monitoring team outside our network accesses a PC with IP 2.2.2.5, which
> they are not changing in their NMS.
> But actually the PC's IP is 1.1.1.1; it was earlier given IP 2.2.2.5.....
> Now this PC has IP 1.1.1.1
>
> How will this work now without impacting Internet + IPsec tunnel?
>
> 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
> ----------------------------------- ipsec termination - 5.5.5.5
>
>
>
> Regards
>
>
>
>
>
> On Tue, Mar 16, 2010 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Re-read below.
>
>
>
> *From:* jack daniels [mailto:jckdaniels12_at_gmail.com]
> *Sent:* Tuesday, March 16, 2010 9:07 AM
> *To:* Ryan West
> *Cc:* Cisco certification
> *Subject:* Re: ipsec issue
>
>
>
> Hi Ryan,
>
>
>
> In my scenario Internet is working with NAT + I'm able to access the remote
> server ( IPsec tunnel set up successfully ) ...
>
>
>
> ISSUE IS -
>
> The monitoring team outside our network accesses a PC with IP 2.2.2.5, which
> they are not changing in their NMS.
>
> But actually the PC's IP is 1.1.1.1; it was earlier given IP 2.2.2.5.....
>
> Now this PC has IP 1.1.1.1
>
> How will this work now without impacting Internet + IPsec tunnel?
>
> 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
> ----------------------------------- ipsec termination - 5.5.5.5
> >
>
>
>
>
>
>
>
> On Tue, Mar 16, 2010 at 6:28 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Jack,
>
>
> > -----Original Message-----
> > Sent: Tuesday, March 16, 2010 8:41 AM
> > To: Cisco certification
> > Subject: Re: ipsec issue
> >
> > Hi Guys, to make it simple:
> > 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
> > ----------------------------------- ipsec termination - 5.5.5.5
> >
> > 1.1.1.1 needs access via ipsec tunnel to 5.5.5.5
> > 1.1.1.1 needs to access internet also
> >
> > These things are happening with my config
> >
> > BUT ISSUE IS SOMEONE FROM OUTSIDE NEEDS TO CONNECT TO 1.1.1.1 , BUT HE will
> > give the IP IN HIS PC FOR CONNECTION as 2.2.2.5<<<<<<<<
> >
> > PLEASE SUGGEST ANY SOLUTION FOR SAME.<<<<<<<<<<<<<<<<<<<<<<<<<<<
> >
> > and when for this I put static nat
> >
> > ip nat inside source static 1.1.1.1 2.2.2.5
> >
> > ISSUE - but when I recreate the IPsec tunnel by clearing it, it doesn't come up.
> >
> > PLEASE SUGGEST ANY SOLUTION FOR SAME.
> >
> >
>
> First of all, I can't really figure out what you're talking about, but it
> sounds like you're on a paid gig and freaking out about a problem you can't
> fix. I think you had the problem figured out earlier when you were using a
> route-map based ip nat inside source static command. You're trying to fix a
> basic issue with IPsec tunnels, interesting traffic with static NATs and
> what to make part of your NAT exempt rules.
>
> Try looking at the abundance of threads on Cisco's support forum:
>
> https://supportforums.cisco.com/thread/2002986;jsessionid=6B06ACA79DFCABC84D093A1ADFDB4CB2.node0
>
> -ryan
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 16 2010 - 20:14:18 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART
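The thread's fix hinges on IOS order of operations: for inside-to-outside traffic the router applies NAT before it evaluates the crypto ACL, so a plain static NAT rewrites 1.1.1.1 to 2.2.2.5 and the VPN-bound packet no longer matches `access-list 120`. The following Python model, added here as an illustration and not code from the thread or from Cisco, shows both behaviours side by side: the route-map exemption (ACL 150) keeps VPN-bound traffic untranslated so it is encrypted, while Internet-bound traffic is still translated and inbound traffic to 2.2.2.5 is mapped back to the host. The remote subnet `10.5.5.0/24` and the Internet host `8.8.8.8` are constructed placeholders for the thread's "some other address(es)".

```python
"""Model of route-map based static NAT versus an IPsec crypto ACL on a Cisco IOS
router. Example code, not from the thread; the ACL/NAT semantics are simplified
to first-match with implicit deny and inside->outside NAT-before-crypto ordering."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addresses from the thread. REMOTE_VPN_NET and INTERNET_HOST are constructed
# placeholders for "some other address(es)" behind the 5.5.5.5 endpoint and
# for an arbitrary Internet destination.
INSIDE_HOST = ip_address("1.1.1.1")
PUBLIC_HOST = ip_address("2.2.2.5")
REMOTE_VPN_NET = ip_network("10.5.5.0/24")
INTERNET_HOST = ip_address("8.8.8.8")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_match(acl, pkt: Packet) -> bool:
    """First-match evaluation with implicit deny at the end, as IOS does."""
    for entry in acl:
        if pkt.src in entry.src and pkt.dst in entry.dst:
            return entry.action == "permit"
    return False


# access-list 120: crypto ACL, i.e. "interesting traffic" for the tunnel
ACL_120 = [AclEntry("permit", ip_network("1.1.1.1/32"), REMOTE_VPN_NET)]

# access-list 150: NAT exemption. Deny (= do not translate) VPN-bound traffic,
# permit (= translate) everything else. Without the trailing permit the
# route-map would never match and nothing would be translated.
ACL_150 = [
    AclEntry("deny", ip_network("1.1.1.1/32"), REMOTE_VPN_NET),
    AclEntry("permit", ip_network("1.1.1.1/32"), ip_network("0.0.0.0/0")),
]


def outbound(pkt: Packet, use_route_map: bool):
    """Inside->outside path: static NAT is applied first, then the crypto ACL
    decides whether the (possibly translated) packet enters the tunnel.
    Returns (packet_as_sent, encrypted)."""
    translate = pkt.src == INSIDE_HOST
    if use_route_map:
        # "ip nat inside source static 1.1.1.1 2.2.2.5 route-map nonatty":
        # translate only when route-map nonatty (match ip address 150) permits.
        translate = translate and acl_match(ACL_150, pkt)
    if translate:
        pkt = replace(pkt, src=PUBLIC_HOST)
    encrypted = acl_match(ACL_120, pkt)
    return pkt, encrypted


def inbound(pkt: Packet) -> Packet:
    """Outside->inside path: the static mapping sends traffic addressed to the
    public address 2.2.2.5 (what the monitoring team's NMS uses) to 1.1.1.1."""
    if pkt.dst == PUBLIC_HOST:
        pkt = replace(pkt, dst=INSIDE_HOST)
    return pkt


def demo():
    """Compare the plain static NAT (Jack's first attempt) with the route-map form."""
    vpn_bound = Packet(INSIDE_HOST, ip_address("10.5.5.10"))
    results = {
        "plain_static_nat": outbound(vpn_bound, use_route_map=False),
        "route_map_nat": outbound(vpn_bound, use_route_map=True),
        "internet_bound": outbound(Packet(INSIDE_HOST, INTERNET_HOST), use_route_map=True),
        "inbound_from_nms": inbound(Packet(ip_address("9.9.9.9"), PUBLIC_HOST)),
    }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the plain static NAT the VPN-bound packet leaves with source 2.2.2.5 and `encrypted` is False, which is why the tunnel's interesting traffic never matches after the translation is added; with the route-map form the same packet keeps source 1.1.1.1 and is encrypted, while Internet-bound traffic is still translated.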