[nsp] VPN + NAT + ISDN = Stumped
Steve Lim
limmer at execpc.com
Fri Aug 8 13:38:51 EDT 2003
Hello,
I checked the archives; unless I missed something, the list discussion
of a similar question by Ray Davis at Carpnet fizzled.
The SA session establishes, and that's about it. Private Hosts on
either end are unable to see each other. I must be missing something?
The config that I used on the ISDN side works on a router that uses a
DSL circuit. The only difference I can see is Dialer 0 on the ISDN
router vs. fa0 on the DSL router.
Private Network 10.100.200.0/24 Remote Side Router
WAN IP 111.111.111.51/32 Remote Side Router
WAN IP 222.222.222.100 VPN-Gateway HQ Side Router
Private Network 10.10.0.0/16
Layout:
Local LAN
Host1 | Host2 | Host 3
1.100.200.1 | 10.100.200.2 | 10.100.200.3
||
||
(Fastether)
||
||
-------------------------
|10.100.200.254/24 fa0 |
| |
|Router 1751 |
| |
|111.111.111.51 dialer0 |
-------------------------
||
||
(ISDN)
||
||
------------------------
| |
|ISP/Internet Cloud |
| |
-------------------------
||
||
(T1)
||
||
------------------------
|222.222.222.100 se0 |
| |
|VPN Gateway |
| |
|10.10.0.254/16 fa0 |
-------------------------
||
||
||
(Fastether)
||
||
Host1
10.10.0.82/16
-----------------------------
Remote Router Config (1721):
Note: It's a nasty config :(
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key bla1 address 222.222.222.100
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 222.222.222.100
 set transform-set bla2
 match address 101
interface BRI0
 no ip address
 ip nat outside
 encapsulation ppp
 dialer rotary-group 0
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 41412345670101 1234567
 isdn spid2 41412345680101 1234568
 crypto map Test
interface FastEthernet0
 ip address 10.100.200.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2000000
 dialer string 2336981
 dialer load-threshold 1 outbound
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username blablaa@bla.com password bla
 ppp multilink
 crypto map Test
ip nat inside source list 103 interface dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip host 10.100.200.1 any
access-list 103 permit ip host 10.100.200.2 any
access-list 103 permit ip host 10.100.200.3 any
dialer-list 1 protocol ip permit
---------------------
VPN Gateway Config:
crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp key bla1 address 111.111.111.51
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 32 ipsec-isakmp
 set peer 111.111.111.51
 set transform-set bla2
 match address 132
!
interface se0
 ip address 222.222.222.100 255.255.255.252
 ip nat outside
 crypto map Test
interface fa0
 ip address 10.10.0.254 255.255.0.0
 ip nat inside
ip nat inside source list 103 interface serial0 overload
ip route 0.0.0.0 0.0.0.0 serial 0
access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
SL
--
<><><><><><><><><><><><><><><><><><><><>
Steve Lim - Network Engineer (Michigan)
Corecomm -An ATX Communications Company
Life is a feast, enjoy it while you wait
for dessert -limmer
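
Added example, not part of the original post: IOS applies inside-to-outside NAT before it matches the crypto map, so traffic selected by the crypto ACL has to hit a deny in the NAT ACL or it leaves the router translated. The Python below evaluates the access-list lines copied from the two posted configs with first-match semantics; the function names and the choice of 10.100.200.1 and 10.10.0.82 as test hosts are assumptions made for this illustration.

```python
import ipaddress

# ACL lines copied from the posted configs (crypto ACLs 101/132, NAT ACL 103).
REMOTE = """\
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip host 10.100.200.1 any
access-list 103 permit ip host 10.100.200.2 any
access-list 103 permit ip host 10.100.200.3 any
"""
HQ = """\
access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
"""

def _addr(tokens):
    """Consume 'any', 'host A' or 'A wildcard'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(text):
    """Map ACL number -> ordered list of (action, src_spec, dst_spec)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        rest = t[4:]  # t[3] is the protocol keyword ("ip")
        src = _addr(rest)
        dst = _addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(ip, spec):
    # Wildcard bits set to 1 are "don't care".
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def acl_permits(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, s, d in acl:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False

def vpn_flow_state(text, crypto_acl, nat_acl, src, dst):
    acls = parse_acls(text)
    return {"crypto_acl_selects": acl_permits(acls[crypto_acl], src, dst),
            "nat_acl_selects": acl_permits(acls[nat_acl], src, dst)}
```

A flow is carried inside the tunnel untranslated only when crypto_acl_selects is true and nat_acl_selects is false; run vpn_flow_state once per router, with that router's LAN host as the source.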