[c-nsp] Simple Cisco 837-828 IPSEC Tunnel

Łukasz Bromirski lbromirski at mr0vka.eu.org
Tue Jul 19 12:58:05 EDT 2005


Skeeve Stevens wrote:

> Does anyone know of any config examples of a IPSEC Tunnel using 3DES from a
> 837 to an 828 with NAT on both sides.

Any config for IOS with a site-to-site IPsec tunnel will do, with
one side defined as 0.0.0.0 if the 837 gets its IP dynamically.

> I think I have correct with the correct IOS, but there seems to be some
> problems with stability on the 837 with this error:
> 
> *Mar  1 01:36:42.671: NAT*: Can't create new inside entry -
> forced_punt_flags: 0   which seems to be that the nat entries are
> exhausting.. No idea.

Show us `show mem sum' and `show ip nat stats' from both units. Maybe
You're running out of memory, but maybe You're just killing the box with
thousands of translations.

> This seems ok for general nat.
> ip nat inside source list 11 interface Dialer1 overload
> access-list 11 permit 192.168.1.0 0.0.0.255

> This is quite broken and unreliable
> ip nat inside source list 160 interface Dialer1 overload
> access-list 160 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 log
> access-list 160 permit ip 192.168.1.0 0.0.0.255 any log

Which makes me wonder if You are hitting some
CEF/fast-switching/process-switching bug with the use of the 'log' keyword in
both ACEs. Are You sure You have CEF turned on on both units? What does
`show cef not-cef-switched' look like on both sides after running the tunnel
for a while with ACL 160? Do the routers show anything other than this
NAT message in the logs that's connected with memory or some errors?

You can dig it further by using information contained here:
http://www.cisco.com/warp/public/105/cef_whichpath.html

-- 
this space was intentionally left blank    |            Łukasz Bromirski
you can insert your favourite quote here   |        lukasz:bromirski,net
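As an added illustration (not from the thread or either poster), a minimal pair of IOS configs matching what the reply describes: the 828 with a static address accepting the dynamically-addressed 837 through a wildcard peer (0.0.0.0), 3DES, and a NAT ACL that exempts the tunnel subnet without the `log` keyword. The public address 203.0.113.1, the pre-shared key placeholder, and 192.168.100.0/24 being the LAN behind the 828 are assumptions.

```text
! ---- 828 (static public address; 203.0.113.1 is a placeholder) ----
ip cef
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! wildcard peer: the 837 arrives from a dynamic address
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
crypto map VPN 10 ipsec-isakmp dynamic DYN
interface Dialer1
 crypto map VPN
! NAT: exempt tunnel traffic first, no 'log' keyword on either ACE
ip nat inside source list 160 interface Dialer1 overload
access-list 160 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.100.0 0.0.0.255 any
!
! ---- 837 (dynamic address, initiates the tunnel) ----
ip cef
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
interface Dialer1
 crypto map VPN
! traffic to protect (must mirror the NAT exemption below)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip nat inside source list 160 interface Dialer1 overload
access-list 160 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 160 permit ip 192.168.1.0 0.0.0.255 any
!
! checks suggested in the reply, on both units:
! show mem summary / show ip nat statistics / show cef not-cef-switched
```

With a dynamic crypto map on the 828, only the 837 can bring the tunnel up, since the 828 has no fixed peer to initiate to.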
