[nsp] VPN + NAT + ISDN = Stumped
Voralt
peder at voralt.net
Fri Aug 8 12:38:19 EDT 2003
Well, for one, you have NAT turned on for both sides, so everything is being
NAT'd and each side will only see the NAT'd IP from the other side. You
will need a route-map with NAT to stop that.
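The NAT exemption the reply refers to, applied to the quoted HQ gateway config, as an added example (not the poster's or replier's own config). The route-map name NONAT and the interface name Serial0 are assumptions; list numbers 103 and 132 and the address ranges are taken from the quoted config, and the permit line is widened to `any` on the assumption that the HQ LAN also needs Internet access.

```cisco
! Weak (as posted): list 103 also matches traffic bound for the remote LAN.
! For inside-to-outside packets IOS runs NAT before the crypto map check,
! so 10.10.x.x -> 10.100.200.x is rewritten to 222.222.222.100, no longer
! matches crypto ACL 132, and leaves the serial interface unencrypted.
!
!   ip nat inside source list 103 interface Serial0 overload
!   access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! Fixed: exempt the crypto-interesting traffic from NAT via a route-map.
! The deny must precede the permit (the remote router's list 103 already
! carries the mirror of this deny line).
no ip nat inside source list 103 interface Serial0 overload
no access-list 103
!
access-list 103 deny ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
!
route-map NONAT permit 10
 match ip address 103
!
ip nat inside source route-map NONAT interface Serial0 overload
!
! Crypto ACL 132 stays as posted and must mirror the remote side's list 101:
!   access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
!
! Stale translations built under the old list survive the change; flush
! them, then verify from a host on each side:
!   clear ip nat translation *
!   show ip nat translations   (no entry with a 10.100.200.x destination)
!   show crypto ipsec sa       (#pkts encaps / decaps increment on the SA)
```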
----- Original Message -----
From: "Steve Lim" <limmer at execpc.com>
To: <cisco-nsp at puck.nether.net>
Sent: Friday, August 08, 2003 11:38 AM
Subject: [nsp] VPN + NAT + ISDN = Stumped
> Hello,
> I checked the archives; unless I missed something, the list discussion
> on a similar question by Ray Davis at Carpnet fizzled out.
>
> The SA session establishes, and that's about it. Private Hosts on
> either end are unable to see each other. I must be missing something?
>
> The config that I used on the ISDN side works on a router that uses a
> DSL circuit. The only difference I can see is Dialer 0 on the ISDN
> router vs. fa0 on the DSL router.
>
> Private Network 10.100.200.0/24 Remote Side Router
> WAN IP 111.111.111.51/32 Remote Side Router
>
> WAN IP 222.222.222.100 VPN-Gateway HQ Side Router
> Private Network 10.10.0.0/16
>
> Layout:
>
> Local LAN
> Host1 | Host2 | Host 3
> 10.100.200.1 | 10.100.200.2 | 10.100.200.3
> ||
> ||
> (Fastether)
> ||
> ||
> -------------------------
> |10.100.200.254/24 fa0 |
> | |
> |Router 1751 |
> | |
> |111.111.111.51 dialer0 |
> -------------------------
> ||
> ||
> (ISDN)
> ||
> ||
> ------------------------
> | |
> |ISP/Internet Cloud |
> | |
> -------------------------
> ||
> ||
> (T1)
> ||
> ||
> ------------------------
> |222.222.222.100 se0 |
> | |
> |VPN Gateway |
> | |
> |10.10.0.254/16 fa0 |
> -------------------------
> ||
> ||
> ||
> (Fastether)
> ||
> ||
> Host1
> 10.10.0.82/16
>
> -----------------------------
> Remote Router Config (1721):
> Note: It's a nasty config :(
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key bla1 address 222.222.222.100
> !
> crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
> !
> crypto map Test 1 ipsec-isakmp
> set peer 222.222.222.100
> set transform-set bla2
> match address 101
>
> interface BRI0
> no ip address
> ip nat outside
> encapsulation ppp
> dialer rotary-group 0
> dialer-group 1
> isdn switch-type basic-ni
> isdn spid1 41412345670101 1234567
> isdn spid2 41412345680101 1234568
> crypto map Test
>
> interface FastEthernet0
> ip address 10.100.200.254 255.255.255.0
> ip nat inside
> speed auto
> !
> interface Dialer0
> ip address negotiated
> ip nat outside
> encapsulation ppp
> dialer in-band
> dialer idle-timeout 2000000
> dialer string 2336981
> dialer load-threshold 1 outbound
> dialer-group 1
> ppp authentication pap callin
> ppp pap sent-username blablaa at bla.com password bla
> ppp multilink
> crypto map Test
>
> ip nat inside source list 103 interface dialer0 overload
> ip route 0.0.0.0 0.0.0.0 Dialer0
>
>
> access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
>
> access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
> access-list 103 permit ip host 10.100.200.1 any
> access-list 103 permit ip host 10.100.200.2 any
> access-list 103 permit ip host 10.100.200.3 any
>
> dialer-list 1 protocol ip permit
>
>
> ---------------------
> VPN Gateway Config:
>
> crypto isakmp policy 2
> hash md5
> authentication pre-share
> !
> crypto isakmp key bla1 address 111.111.111.51
> !
> crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
> !
> crypto map Test 32 ipsec-isakmp
> set peer 111.111.111.51
> set transform-set bla2
> match address 132
> !
> interface se0
> ip address 222.222.222.100 255.255.255.252
> ip nat outside
> crypto map Test
>
> interface fa0
> ip address 10.10.0.254 255.255.0.0
> ip nat inside
>
> ip nat inside source list 103 interface serial0 overload
> ip route 0.0.0.0 0.0.0.0 serial 0
>
> access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
> access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
>
> SL
> --
> <><><><><><><><><><><><><><><><><><><><>
> Steve Lim - Network Engineer (Michigan)
> Corecomm -An ATX Communications Company
> Life is a feast, enjoy it while you wait
> for dessert -limmer
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/