Hi,
I tried EZVPN & DMVPN, both work when I LAB it up.
But both of these don't work in the LIVE environment. The only difference I
have noticed in the LIVE environment is the presence of an L2TP session at the
spoke/client router with the 3G enabler (Teldat) device.
In case of DMVPN, the GRE/NHRP everything works fine initially.
Then when I enable tunnel protection everything stops working.
Do I need to do any additional config while running EZVPN or DMVPN when L2TP is
involved?
Thanks,
DN
On Sat, Jul 31, 2010 at 9:00 PM, Paul Negron <negron.paul_at_gmail.com> wrote:
> DMVPN will support the changes of NAT on the CE routers and maintain the
> PRIVATE service. I apologize if I missed a part of the conversation. Just my
> 2 cents.
>
> Paul
> --
> Paul Negron
> CCIE# 14846 CCSI# 22752
> Senior Technical Instructor
> www.micronicstraining.com
>
>
>
> > From: Tyson Scott <tscott_at_ipexpert.com>
> > Reply-To: Tyson Scott <tscott_at_ipexpert.com>
> > Date: Sat, 31 Jul 2010 14:42:55 -0400
> > To: 'DN817' <ndheeraj.ccie_at_googlemail.com>, 'Cisco certification'
> > <ccielab_at_groupstudy.com>
> > Subject: RE: IPSEC with NAT
> >
> > DN,
> >
> > You will need to configure this using a client/Server relationship. The 3G
> > device will need to be configured as an EZVPN client with the public device
> > acting as an EZVPN server. You cannot establish an L2L when you don't control
> > what is happening with NAT. It could change at any time. Plus I would
> > presume they are doing PAT and not NAT.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Managing Partner / Sr. Instructor - IPexpert, Inc.
> > Mailto: tscott_at_ipexpert.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of DN817
> > Sent: Saturday, July 31, 2010 8:13 AM
> > To: Cisco certification
> > Subject: Re: IPSEC with NAT
> >
> > Thanks, Nish.
> > Do we need IPSec Passthrough on the device doing NAT or on the end CE
> > routers?
> >
> > Unfortunately NAT is done by service provider and we don't have control on
> > those devices.
> >
> > Regards,
> > DN
> >
> > On Sat, Jul 31, 2010 at 1:03 PM, Nish Vamadevan <ipnish_at_gmail.com> wrote:
> >
> >> Should be able to as long as IPSec Passthrough is enabled on both devices
> >> and Protocol 50/50 and Port 500 isn't blocked... Then, you should be able
> >> to form tunnels...
> >>
> >> Regards,
> >> Nish
> >>
> >> On Sat, Jul 31, 2010 at 12:53 PM, DN817 <ndheeraj.ccie_at_googlemail.com> wrote:
> >>
> >>> Hi Experts,
> >>>
> >>> I am trying to run IPSEC between an Internet router (with public IP address)
> >>> and another router which got access to internet over a 3G mobile network.
> >>> The 3G provider only assigns private address but is static NATed to a public
> >>> IP address within their cloud.
> >>>
> >>> Please advise whether it is possible to run IPSEC between these 2 routers
> >>> over the internet.
> >>>
> >>> R1(IP=80.x.x.x) == INTERNET == 3G Network (where IP 10.1.1.1 is NATed to
> >>> 90.x.x.x) == 3G Device with WAN IP - 10.1.1.1
> >>>
> >>> Thanks,
> >>> DN
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Aug 02 2010 - 00:21:28 ART
This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:51 ART