[c-nsp] Re: Cisco VPN w/ IPsec and NAT

Bryan bryan at tec-works.com
Sat Sep 18 20:09:54 EDT 2004 

Thanks Luan.  I've looked at all of those and none are exactly what I
need.

The problem is that the IP I need to have the traffice appear to be coming
from (nat IP) doesn't currently exist in my network and the IP was give by
the distant end.

Also, the other end isn't a Cisco and they aren't being very helpful as to
what it exactly is.

-- 
+---------------------------------------------------+
| Bryan Welch                  Direct:(425)844-8500 |
| Tec-Works LLC                Cell:  (206)920-5718 |
|  Total Network Solutions     Fax:   (425)844-8637 |
|                              bryan at tec-works.com  |
|                                                   |
|            <<--WWW.TEC-WORKS.COM-->>              |
+---------------------------------------------------+



On Fri, 17 Sep 2004, Luan Nguyen wrote:

> Date: Fri, 17 Sep 2004 07:15:01 -0400
> From: Luan Nguyen <luan.nguyen at mci.com>
> To: 'Bryan' <bryan at tec-works.com>, cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Re: Cisco VPN w/ IPsec and NAT
>
> Here's a link of NAT order of operation:
> http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09
> 186a0080133ddd.shtml
> Here's a link on NAT overload between private and public
> http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configurati
> on_example09186a0080093f73.shtml
> Private and Private
> http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configurati
> on_example09186a008009448f.shtml
>
> 1.1.1.1 is now the visible NAT ip right? In your case just put ip nat
> outside and the crypto map on the fe0/0 - ip nat inside on fe0/1.  default
> route should be pointing out of fe0/0 to the next hop somewhere to guide all
> the traffics.  The nat acl will permit all your 7 nets to bet natted to that
> single ip and then the crypto map will match the single ip address for
> encryption :) since NAT order of operation said NAT first/Encrypt later.
> Hope that work, I would suggest that you use GRE in conjunction with IPSEC
> though, since it would be easier for routing...would be like
> Interface tunnel 1
> Source ip <single IP> - doesn't have to be an interface could be just a
> routable ip address from the remote end
> Destination ip
> Ip nat outside
> Crypto map X
>
> Then route your 7 networks inside that GRE tunnel.
>
> Luan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bryan
> Sent: Friday, September 17, 2004 1:04 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Re: Cisco VPN w/ IPsec and NAT
>
> Sorry, it's late, forgot to mention that the private interface that needs
> to be seen by the distant end is a single host ip given by the distant end
> so it isn't on my network at all.
>
> FE0/0
> ip address 1.1.1.1
>
> FE0/1
> ip address 192.168.101.0/24
>
> would a tunnel interface be in order?
>
>
>
> >
> > So I have the need (long story), to setup and IPSEC VPN tunnel into
> > another network to which I have no visibility.  It will be using SHA and
> > pre-shared keys, pretty standard.  The problem is, I need the vpn to route
> > 7 non-contiguous subnets to which the far end router is connected AND need
> > to have the VPN tunnel appear to be coming from 1 ip address for all 7
> > networks, so NAT is needed.  Yes, we realise that this will be stricly a 1
> > way tunnel.
> >
> > so... I guess my question is, can I use the Tunnel interface as a nat
> > outside and then add some policy or static routes to route the traffic to
> > it.
> >
> >
> > Visible NAT IP: 10.96.103.68
> >
> > Far end Networks: 10.174.2.0
> >                   10.174.58.0
> >                   10.24.16.0
> >                   10.96.31.0
> >                   10.207.10.0
> >                   10.207.58.0
> >                   10.207.72.0
> >
> >
> > crypto isakmp policy 1
> > hash sha
> > authentication pre-share
> > crypto isakmp key cisco123 address <far end pub ip>
> >
> > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> >
> > crypto map mymap isakmp
> > set peer <far end pub ip>
> > set transform-set myset
> >
> > match address 101
> >
> >
> > I'm at a loss for how to get the nat going over the ipsec tunnel.
> >
> >
> > Thanks in advance,
> >
> >
> > Bryan
> >
> >
> >
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

More information about the cisco-nsp mailing list