[c-nsp] IPsec after NAT
Alejandro Piccioli
alexpichi at gmail.com
Thu Jun 16 13:25:33 EDT 2005
We have the current config:
3745:
s0/0: 10.1.100.10/24
gw: 10.1.100.1/24
f0/0: 200.35.85.113 255.255.255.252
f0/1: 192.168.188.0/24
Visible NAT ip: 200.35.85.115
1720:
ADSL module, dialer0, dynamically negotiated PPP
f0/0: 192.168.199.0/24
We need to run a VPN between 3745 lan 192.168.188.0
and 1720 lan 192.168.188.0. ISP gave us a private
address in s0/0 (???), so we need to NAT, otherwise
1720 won't see 3745. Segment 192.168.188.0 also needs to
access the internet. I'm at a loss for how to get the
NAT going over the IPsec tunnel.
This is the running:
Current configuration : 3791 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SIGOSARP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$X8cs$41XJXFUhjp22ZBBIdUVWc1
!
username leo5433 privilege 15 secret 5 $1$16Mo$OL0xPHPDzGl7ntwRGcvwe/
clock timezone Caracas -4
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-des
!
crypto dynamic-map mymap 10
set transform-set strong
match address 101
!
!
!
crypto map ciscovpn 10 ipsec-isakmp dynamic mymap
!
!
!
!
!
interface FastEthernet0/0
ip address 200.35.85.113 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0
ip address 10.3.200.2 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation frame-relay IETF
frame-relay map ip 10.3.200.1 17
frame-relay interface-dlci 17
frame-relay lmi-type cisco
crypto map ciscovpn
!
interface FastEthernet0/1
ip address 192.168.188.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
!
interface FastEthernet2/0
no ip address
shutdown
!
interface FastEthernet2/1
no ip address
shutdown
!
interface FastEthernet2/2
no ip address
shutdown
!
interface FastEthernet2/3
no ip address
shutdown
!
interface FastEthernet2/4
no ip address
shutdown
!
interface FastEthernet2/5
no ip address
shutdown
!
interface FastEthernet2/6
no ip address
shutdown
!
interface FastEthernet2/7
no ip address
shutdown
!
interface FastEthernet2/8
no ip address
shutdown
!
interface FastEthernet2/9
no ip address
shutdown
!
interface FastEthernet2/10
no ip address
shutdown
!
interface FastEthernet2/11
no ip address
shutdown
!
interface FastEthernet2/12
no ip address
shutdown
!
interface FastEthernet2/13
no ip address
shutdown
!
interface FastEthernet2/14
no ip address
shutdown
!
interface FastEthernet2/15
no ip address
shutdown
!
interface IDS-Sensor3/0
no ip address
shutdown
hold-queue 60 out
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.3.200.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool tovpn 200.35.85.115 200.35.85.115 netmask 255.255.255.248
ip nat pool tointernet 200.35.85.117 200.35.85.117 netmask 255.255.255.248
ip nat inside source route-map MAP110 pool tovpn
ip nat inside source route-map MAP120 pool tointernet
!
!
access-list 101 permit ip 192.168.188.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 101 deny ip 192.168.188.0 0.0.0.255 any
access-list 110 permit ip 192.168.188.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 110 deny ip 192.168.188.0 0.0.0.255 any
access-list 120 deny ip 192.168.188.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 120 permit ip 192.168.188.0 0.0.0.255 any
!
route-map MAP110 permit 10
match ip address 110
!
route-map MAP120 permit 10
match ip address 120
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
password leo5433
line 97
no activation-character
no exec
transport preferred none
transport input all
transport output all
line aux 0
password leo5433
line vty 0 4
password leo5433
transport input telnet ssh
line vty 5 15
transport input telnet ssh
end
!
Thanks in advance,
Alex Piccioli
PICCIOLI TELCO
0058-414-7986560
0058-414-7935312
alexpichi at yahoo.com,
alexpichi at gmail.com
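Added illustration, not part of the original post: this Python script transcribes the NAT route-map ACLs, pools and crypto ACL 101 from the config above and applies the documented Cisco IOS inside-to-outside order of operations, in which inside-to-outside NAT translation runs before the crypto map ACL is evaluated. It shows that a packet from 192.168.188.0/24 to 192.168.199.0/24 leaves Serial0/0 with source 200.35.85.115, an address access-list 101 does not match, so the crypto map never marks it for encryption; the sample hosts and the `crypto_acl` parameter are constructed for the example.

```python
import ipaddress

# ACL entries transcribed from the posted config as (action, src, dst);
# first match wins, and an unmatched packet hits the implicit deny.
ACL = {
    101: [("permit", "192.168.188.0/24", "192.168.199.0/24"),
          ("deny",   "192.168.188.0/24", "0.0.0.0/0")],
    110: [("permit", "192.168.188.0/24", "192.168.199.0/24"),
          ("deny",   "192.168.188.0/24", "0.0.0.0/0")],
    120: [("deny",   "192.168.188.0/24", "192.168.199.0/24"),
          ("permit", "192.168.188.0/24", "0.0.0.0/0")],
}
# "ip nat inside source route-map ... pool ...": (ACL matched by the
# route-map, the single address in the pool), in configured order.
NAT_RULES = [(110, "200.35.85.115"), (120, "200.35.85.117")]
CRYPTO_ACL = 101  # "match address 101" in crypto dynamic-map mymap

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def acl_permits(acl_id, src, dst):
    """First-match evaluation of a numbered extended ACL on src/dst only."""
    for action, s, d in ACL[acl_id]:
        if in_net(src, s) and in_net(dst, d):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def translate(src, dst):
    """Inside-to-outside NAT: the first route-map whose ACL permits wins."""
    for acl_id, pool_addr in NAT_RULES:
        if acl_permits(acl_id, src, dst):
            return pool_addr
    return src  # no translation rule matched; source left unchanged

def egress(src, dst, crypto_acl=CRYPTO_ACL):
    """Return (source seen on Serial0/0, encrypted?) for an inside host.

    Assumption (documented IOS order): NAT inside->outside runs before the
    crypto map ACL is checked, so the crypto ACL sees the translated source.
    """
    nat_src = translate(src, dst)
    return nat_src, acl_permits(crypto_acl, nat_src, dst)

if __name__ == "__main__":
    host = "192.168.188.50"  # constructed sample inside host
    for dst in ("192.168.199.20", "203.0.113.9"):
        nat_src, encrypted = egress(host, dst)
        print(f"{host} -> {dst}: leaves as {nat_src}, encrypted={encrypted}")
```

Plugging a different ACL definition into `crypto_acl` lets a reader check whether a candidate crypto ACL would match the post-NAT source before changing a live router.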