[c-nsp] IPSEC and NAT
M K
gunner_200 at live.com
Mon Nov 11 04:35:06 EST 2013
The IPSEC is working fine; once I activate the NAT, I lose the IPSEC with an unreachable response to ICMP traffic. The weird thing is that I am configuring the access-lists properly, so what could be the issue?
From: gunner_200 at live.com
To: cisco-nsp at puck.nether.net
Subject: IPSEC and NAT
Date: Thu, 7 Nov 2013 13:36:19 +0200
Hi all
I have the below setup
R1 - R2 - R3 - R4
R1 and R4 have loopback interfaces that need to communicate via IPSEC established between R1 and R4.
R2 and R3 have an EBGP relation.
The IPSEC is working fine.
When I configure a loopback interface on R2 and R3 and advertise it in BGP in order for the NAT to work, the NAT works but I lose the IPSEC connectivity.
R1
hostname R1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 212.118.34.4
!
crypto ipsec transform-set SET esp-3des esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 212.118.34.4
 set transform-set SET
 match address VPN_ACL
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 212.118.12.1 255.255.255.0
 ip nat outside
 encapsulation ppp
 serial restart-delay 0
 crypto map MAP
 no shut
!
ip nat pool NAT_POOL 212.118.1.1 212.118.1.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL
ip route 0.0.0.0 0.0.0.0 212.118.12.2
!
! NAT_ACL: the deny line exempts the VPN traffic from translation,
! VPN_ACL: the crypto ACL that selects the traffic to encrypt
ip access-list extended NAT_ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R2
hostname R2
!
interface Loopback0
 ip address 212.118.2.2 255.255.255.255
!
interface Serial1/0
 ip address 212.118.12.2 255.255.255.0
 encapsulation ppp
 no shut
!
interface Serial1/1
 ip address 212.118.23.2 255.255.255.0
 encapsulation ppp
 no shut
!
router bgp 2
 bgp log-neighbor-changes
 network 212.118.12.0
 neighbor 212.118.23.3 remote-as 3
!
! static route for R1's NAT pool towards R1
ip route 212.118.1.0 255.255.255.248 Serial1/0
R3
hostname R3
!
interface Loopback0
 ip address 212.118.3.3 255.255.255.255
!
interface Serial1/0
 ip address 212.118.34.3 255.255.255.0
 encapsulation ppp
 no shut
!
interface Serial1/1
 ip address 212.118.23.3 255.255.255.0
 encapsulation ppp
 no shut
!
router bgp 3
 bgp log-neighbor-changes
 network 212.118.34.0
 neighbor 212.118.23.2 remote-as 2
!
! static route for R4's NAT pool towards R4
ip route 212.118.4.0 255.255.255.248 Serial1/0
R4
hostname R4
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 212.118.12.1
!
crypto ipsec transform-set SET esp-3des esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 212.118.12.1
 set transform-set SET
 match address VPN_ACL
!
interface Loopback0
 ip address 192.168.4.4 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 212.118.34.4 255.255.255.0
 ip nat outside
 encapsulation ppp
 serial restart-delay 0
 crypto map MAP
 no shut
!
ip nat pool NAT_POOL 212.118.4.1 212.118.4.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL
ip route 0.0.0.0 0.0.0.0 212.118.34.3
!
! NAT_ACL: the deny line exempts the VPN traffic from translation,
! VPN_ACL: the crypto ACL that selects the traffic to encrypt
ip access-list extended NAT_ACL
 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
What I configure on R2 and R3 is 212.118.2.2/32 and 212.118.3.3/32 respectively. What should I do in order for both IPSEC and NAT to work?
Thanks
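Added example, not from the poster or the list: on IOS, inside-to-outside traffic is translated by NAT before the crypto map is consulted on the outbound interface, so any flow the crypto ACL (VPN_ACL) selects must hit a deny in the NAT ACL (NAT_ACL) first, otherwise it leaves the router with a translated source address that no longer matches VPN_ACL and is sent in the clear or dropped. The script below parses R1's two ACLs exactly as posted, plus a constructed NAT_ACL that lacks the exemption, and reports every crypto-ACL entry that would still be translated. The ACL parser, the flow check and the sample addresses 203.0.113.9 and 10.0.0.1 are my own construction; only `permit/deny ip SRC DST` lines with contiguous wildcards are handled.

```python
import ipaddress
from dataclasses import dataclass

# R1's ACLs exactly as posted on the list.
R1_VPN_ACL = """
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
R1_NAT_ACL = """
ip access-list extended NAT_ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed variant that forgets the NAT exemption for the VPN traffic.
BROKEN_NAT_ACL = """
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
"""


@dataclass
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (the IOS wildcard form) as the mask element;
    # a non-contiguous wildcard raises ValueError, which is what we want here.
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(text):
    """Parse the 'permit/deny ip SRC DST' lines of an extended ACL; other lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header line ("ip access-list extended ...") or unsupported protocol
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def first_match(acl, src, dst):
    """First ACE whose source and destination overlap the given networks (None = implicit deny)."""
    for ace in acl:
        if ace.src.overlaps(src) and ace.dst.overlaps(dst):
            return ace
    return None


def would_translate(nat_acl, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches a permit in the NAT ACL, i.e. gets translated."""
    src = ipaddress.ip_network(src_ip + "/32")
    dst = ipaddress.ip_network(dst_ip + "/32")
    hit = first_match(nat_acl, src, dst)
    return hit is not None and hit.action == "permit"


def nat_exempt_gaps(crypto_acl, nat_acl):
    """Crypto-ACL permit entries not fully covered by a leading deny in the NAT ACL.

    A crypto entry is exempt when the first overlapping NAT ACE is a deny that
    contains the whole entry, or when nothing overlaps (implicit deny).
    A partial deny is reported as a gap, since a later permit may still match.
    """
    gaps = []
    for vpn in crypto_acl:
        if vpn.action != "permit":
            continue
        hit = first_match(nat_acl, vpn.src, vpn.dst)
        exempt = hit is None or (
            hit.action == "deny" and vpn.src.subnet_of(hit.src) and vpn.dst.subnet_of(hit.dst)
        )
        if not exempt:
            gaps.append(vpn)
    return gaps


if __name__ == "__main__":
    vpn = parse_acl(R1_VPN_ACL)
    for name, nat in (("posted", R1_NAT_ACL), ("constructed broken", BROKEN_NAT_ACL)):
        gaps = nat_exempt_gaps(vpn, parse_acl(nat))
        print(f"{name} NAT_ACL: {len(gaps)} crypto-ACL entries would be translated before encryption")
        for g in gaps:
            print(f"  missing exemption for {g.src} -> {g.dst}")
```

Run it against both routers' ACLs; an empty gap list means the NAT exemption mirrors the crypto ACL, which is the first thing to confirm before looking at routing for the NAT pools on R2 and R3.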