[c-nsp] Re: Cisco VPN w/ IPsec and NAT

Luan Nguyen luan.nguyen at mci.com
Fri Sep 17 07:15:01 EDT 2004


Here's a link on NAT order of operation:
http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Here's a link on NAT overload between private and public:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080093f73.shtml
Private and private:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

1.1.1.1 is now the visible NAT IP, right? In your case just put ip nat
outside and the crypto map on fe0/0, and ip nat inside on fe0/1. The default
route should be pointing out of fe0/0 to the next hop somewhere to guide all
the traffic. The NAT ACL will permit all your 7 nets to be NATted to that
single IP, and then the crypto map will match the single IP address for
encryption :) since NAT order of operation says NAT first / encrypt later.
Hope that works. I would suggest that you use GRE in conjunction with IPsec
though, since it would be easier for routing... it would be like:

interface Tunnel1
 tunnel source <single IP>       (doesn't have to be an interface; could be
                                  just a routable IP address from the remote end)
 tunnel destination <far end IP>
 ip nat outside
 crypto map X

Then route your 7 networks inside that GRE tunnel.

Luan
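The NAT-before-encrypt design described in the reply above, written out as one complete IOS configuration. This is an added example by the editor, not configuration posted by either participant. Assumptions, labeled here and in the comments: the peer address 203.0.113.1 (an RFC 5737 documentation address) stands in for the thread's <far end pub ip>; all seven far-end networks are /24, since the thread gives no masks; fe0/0 is 1.1.1.1/24 with 1.1.1.254 as next hop; fe0/1 is 192.168.101.1/24; and the 3DES / SHA-1 / pre-shared-key suite is kept as posted (a current deployment would use AES and a stronger DH group). The point it demonstrates: inside-to-outside packets are NATted before the crypto map is evaluated, so the crypto ACL must match the post-NAT source 10.96.103.68, and the NAT ACL must be scoped to the seven destinations so ordinary internet traffic is not translated to that address or pulled into the tunnel.

```cisco
! Editor's added example, not from the thread. Assumed values are marked.
! IOS inside->outside order: routing, NAT (inside-to-outside), then crypto.
! Outside->inside order: decryption, NAT (outside-to-inside), then routing.
! Therefore the crypto ACL is written against the TRANSLATED source address.
hostname nat-vpn-gw

crypto isakmp policy 10
 encr 3des                       ! kept as posted; weak by current standards
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 203.0.113.1   ! 203.0.113.1 = assumed peer

crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
 mode tunnel

! Crypto ACL: only the single far-end-assigned host address speaks to the
! seven far-end subnets. /24 masks are an assumption.
ip access-list extended CRYPTO-ACL
 permit ip host 10.96.103.68 10.174.2.0 0.0.0.255
 permit ip host 10.96.103.68 10.174.58.0 0.0.0.255
 permit ip host 10.96.103.68 10.24.16.0 0.0.0.255
 permit ip host 10.96.103.68 10.96.31.0 0.0.0.255
 permit ip host 10.96.103.68 10.207.10.0 0.0.0.255
 permit ip host 10.96.103.68 10.207.58.0 0.0.0.255
 permit ip host 10.96.103.68 10.207.72.0 0.0.0.255

crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MYSET
 match address CRYPTO-ACL

! NAT ACL: translate ONLY traffic from the local LAN to the seven far-end
! subnets. Deliberately no "permit ip any any": that would rewrite every
! inside flow to 10.96.103.68, including normal internet traffic.
ip access-list extended NAT-TO-VPN
 permit ip 192.168.101.0 0.0.0.255 10.174.2.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.174.58.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.24.16.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.96.31.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.207.10.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.207.58.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 10.207.72.0 0.0.0.255

! 10.96.103.68 is not on any local interface, so use a one-address pool
! with overload (PAT) rather than "interface ... overload".
ip nat pool VPN-SRC 10.96.103.68 10.96.103.68 netmask 255.255.255.255
ip nat inside source list NAT-TO-VPN pool VPN-SRC overload

interface FastEthernet0/0
 description public side: NAT outside + crypto map (NAT runs first)
 ip address 1.1.1.1 255.255.255.0       ! mask assumed
 ip nat outside
 crypto map MYMAP

interface FastEthernet0/1
 description private side: NAT inside
 ip address 192.168.101.1 255.255.255.0 ! address assumed
 ip nat inside

ip route 0.0.0.0 0.0.0.0 1.1.1.254      ! next hop assumed

! Verification (exec mode):
!  show ip nat translations   -> 192.168.101.x:port <-> 10.96.103.68:port entries
!  show crypto isakmp sa      -> 203.0.113.1 in QM_IDLE
!  show crypto ipsec sa       -> local ident 10.96.103.68/32, #pkts encaps rising
```

Two caveats a practitioner should check. First, the far end's crypto ACL must be the exact mirror (each of the seven subnets to host 10.96.103.68), or Phase 2 proxy-ID negotiation fails. Second, PAT entries are created only by inside-initiated flows, so far-end hosts cannot open connections toward the LAN; that matches the "strictly one-way" requirement in the original post, but it also means any far-end-initiated monitoring of 10.96.103.68 will get no answer unless a static translation is added for it.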

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bryan
Sent: Friday, September 17, 2004 1:04 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Re: Cisco VPN w/ IPsec and NAT

Sorry, it's late, forgot to mention that the private interface that needs
to be seen by the distant end is a single host IP given by the distant end,
so it isn't on my network at all.

FE0/0
ip address 1.1.1.1

FE0/1
ip address 192.168.101.0/24

would a tunnel interface be in order?



>
> So I have the need (long story) to set up an IPsec VPN tunnel into
> another network to which I have no visibility.  It will be using SHA and
> pre-shared keys, pretty standard.  The problem is, I need the VPN to route
> 7 non-contiguous subnets to which the far end router is connected AND need
> to have the VPN tunnel appear to be coming from 1 IP address for all 7
> networks, so NAT is needed.  Yes, we realise that this will be strictly a 1
> way tunnel.
>
> so... I guess my question is, can I use the Tunnel interface as a NAT
> outside and then add some policy or static routes to route the traffic to
> it?
>
>
> Visible NAT IP: 10.96.103.68
>
> Far end Networks: 10.174.2.0
>                   10.174.58.0
>                   10.24.16.0
>                   10.96.31.0
>                   10.207.10.0
>                   10.207.58.0
>                   10.207.72.0
>
>
> crypto isakmp policy 1
> hash sha
> authentication pre-share
> crypto isakmp key cisco123 address <far end pub ip>
>
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
>
> crypto map mymap 10 ipsec-isakmp
> set peer <far end pub ip>
> set transform-set myset
> match address 101
>
>
> I'm at a loss for how to get the NAT going over the IPsec tunnel.
>
>
> Thanks in advance,
>
>
> Bryan
>
>
>
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/