Hi Arbaaz.
What exactly is the problem? Does the connection progress from phase 1
to phase 2?
Any debug outputs?
Better post at least the config of site B to have a full picture of both
ends.
Cheers,
A.
On 11/24/2011 9:03 PM, Arbaaz Khan wrote:
> Hi Experts
> I have a simple VPN setup but have a problem getting the tunnel up with a dynamic IP.
> Any input is appreciated.
> To simplify the setup I labeled the sites A, B, C. Here are the details
> and my configuration.
>
>
> Site-A connects to Site-C [ Firewall-to-Router Static-to-Dynamic IPSec with
> NAT ]
> Site-B connects to Site-C [ Router-to-Router Static-to-Dynamic IPSec with
> NAT ]
>
> Site-A terminates the VPN on Pix 525
> Site-B terminates the VPN on IOS Router with static Public IP
> Site-C terminates the VPN on IOS Router with Dynamic Public IP
> Site A - 217.18.1.x
> Site B - 217.90.12.x
> Site C - 0.0.0.0 [ Dynamic IP ]
>
>
> %%%%%%%%%%%%
> Site-C configuration %%
> %%%%%%%%%%%%%
>
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
>
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>
> crypto isakmp key cisco address 217.18.1.X
> crypto isakmp key cisco address 217.90.12.X
> crypto isakmp keepalive 300
> !
> !
> crypto ipsec transform-set trans1 esp-des esp-md5-hmac
> crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
> !
> crypto map CMAP 10 ipsec-isakmp
>  set peer 217.18.1.X
>  set transform-set trans1
>  match address FL1
>
> crypto map CMAP 10 ipsec-isakmp
>  set peer 217.90.12.X
>  set transform-set trans2
>  match address GW1
>
>
> interface Ethernet0
>  ip address 172.20.245.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1300
>  hold-queue 100 out
> !
> interface Ethernet2
>  no ip address
>  pppoe enable
>  pppoe-client dial-pool-number 1
>  hold-queue 100 out
> !
> interface ATM0
>  bandwidth 4160
>  no ip address
>  load-interval 30
>  shutdown
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  pvc 0/50
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>
> interface Dialer0
>  bandwidth 4160
>  ip address negotiated
>  ip mtu 1492
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication pap callin
>  ppp chap refuse
>  ppp pap sent-username cisco password 7 cisco
>  ppp ipcp address accept
>  crypto map CMAP
>
> ip route 0.0.0.0 0.0.0.0 Dialer0
>
> ip nat source list INTERNET interface Dialer0 overload
> !
> !
> ip access-list extended INTERNET
>  deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>  deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>  deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>  deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>  permit ip 172.20.245.0 0.0.0.255 any
>
> ip access-list extended FL1
>  permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>  permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>
> ip access-list extended GW1
>  permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>  permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> I have no problems on the Tunnel between Site-A and Site-C
>
> Thanks
> A Khan
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 24 2011 - 22:15:18 ART
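
An added example, not part of either message above: a small Python check run over the crypto section of the quoted Site-C configuration (copied inline as a constructed sample). It reports crypto map sequence numbers that are entered more than once, which IOS treats as edits to one entry rather than as two entries, and transform sets that use DES or MD5. The WEAK set is an assumed local policy and audit is a hypothetical helper name.

```python
import re

# Constructed sample: the crypto section of the Site-C config quoted above.
SITE_C = """\
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 217.18.1.X
 set transform-set trans1
 match address FL1
crypto map CMAP 10 ipsec-isakmp
 set peer 217.90.12.X
 set transform-set trans2
 match address GW1
"""

WEAK = {"esp-des", "esp-md5-hmac"}  # assumption: local policy, not from the thread

def audit(config):
    """Return (reused_entries, weak_transform_sets) for an IOS-style config."""
    entries = {}    # (map name, seq) -> one list of sub-commands per definition
    weak = {}       # transform-set name -> weak algorithms it names
    current = None  # sub-command list of the crypto map entry being read
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = []
            entries.setdefault((m.group(1), int(m.group(2))), []).append(current)
            continue
        t = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if t:
            bad = sorted(WEAK & set(t.group(2).split()))
            if bad:
                weak[t.group(1)] = bad
        if current is not None and line.startswith(("set ", "match ")):
            current.append(line)
        else:
            current = None  # any other line ends the crypto map entry
    reused = {k: v for k, v in entries.items() if len(v) > 1}
    return reused, weak

if __name__ == "__main__":
    reused, weak = audit(SITE_C)
    for (name, seq), blocks in reused.items():
        print(f"crypto map {name} {seq} entered {len(blocks)} times: {blocks}")
    for name, algs in weak.items():
        print(f"transform-set {name} uses {', '.join(algs)}")
```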