[c-nsp] IPSEC and NAT

Ernest McCaleb emccaleb at gmail.com
Mon Nov 11 20:08:16 EST 2013


Are you saying the actual IPSec peer is lost or simply the hosts become
unreachable?  Could you give us a few "show" commands?

E #21508

Regards,

Ernest McCaleb




On Mon, Nov 11, 2013 at 4:35 AM, M K <gunner_200 at live.com> wrote:

> The IPSEC is working fine; once I activate the NAT, I lose the IPSEC
> with an unreachable response to ICMP traffic. The weird thing is that I am
> configuring the access-lists properly. What could be the issue?
>
> From: gunner_200 at live.com
> To: cisco-nsp at puck.nether.net
> Subject: IPSEC and NAT
> Date: Thu, 7 Nov 2013 13:36:19 +0200
>
>
>
>
> Hi all,
> I have the below setup:
> R1 - R2 - R3 - R4
> R1 and R4 have loopback interfaces that need to communicate via IPSEC
> established between R1 and R4.
> R2 and R3 have an EBGP relationship.
> The IPSEC is working fine.
> When I configure a loopback interface on R2 and R3 and advertise it in BGP
> in order for the NAT to work, the NAT works but I lose the IPSEC
> connectivity.
>
> R1
>
> hostname R1
>
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 212.118.34.4
>
> crypto ipsec transform-set SET esp-3des esp-sha-hmac
>
> crypto map MAP 10 ipsec-isakmp
>  set peer 212.118.34.4
>  set transform-set SET
>  match address VPN_ACL
>
> interface Loopback0
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
>
> interface Serial1/0
>  ip address 212.118.12.1 255.255.255.0
>  ip nat outside
>  encapsulation ppp
>  serial restart-delay 0
>  crypto map MAP
>  no shut
>
> ip nat pool NAT_POOL 212.118.1.1 212.118.1.6 prefix-length 29
> ip nat inside source list NAT_ACL pool NAT_POOL
>
> ip route 0.0.0.0 0.0.0.0 212.118.12.2
>
> ip access-list extended NAT_ACL
>  deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>  permit ip 192.168.1.0 0.0.0.255 any
> ip access-list extended VPN_ACL
>  permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>
>
> R2
>
> hostname R2
>
> interface Loopback0
>  ip address 212.118.2.2 255.255.255.255
>
> interface Serial1/0
>  ip address 212.118.12.2 255.255.255.0
>  encapsulation ppp
>  no shut
>
> interface Serial1/1
>  ip address 212.118.23.2 255.255.255.0
>  encapsulation ppp
>  no shut
>
> router bgp 2
>  bgp log-neighbor-changes
>  network 212.118.12.0
>  neighbor 212.118.23.3 remote-as 3
>
> ip route 212.118.1.0 255.255.255.248 ser1/0
>
> R3
>
> hostname R3
>
> interface Loopback0
>  ip address 212.118.3.3 255.255.255.255
>
> interface Serial1/0
>  ip address 212.118.34.3 255.255.255.0
>  encapsulation ppp
>  no shut
>
> interface Serial1/1
>  ip address 212.118.23.3 255.255.255.0
>  encapsulation ppp
>  no shut
>
> router bgp 3
>  bgp log-neighbor-changes
>  network 212.118.34.0
>  neighbor 212.118.23.2 remote-as 2
>
> ip route 212.118.4.0 255.255.255.248 Ser1/0
>
> R4
>
> hostname R4
>
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 212.118.12.1
>
> crypto ipsec transform-set SET esp-3des esp-sha-hmac
>
> crypto map MAP 10 ipsec-isakmp
>  set peer 212.118.12.1
>  set transform-set SET
>  match address VPN_ACL
>
> interface Loopback0
>  ip address 192.168.4.4 255.255.255.0
>  ip nat inside
>
> interface Serial1/0
>  ip address 212.118.34.4 255.255.255.0
>  ip nat outside
>  encapsulation ppp
>  serial restart-delay 0
>  crypto map MAP
>  no shut
>
> ip nat pool NAT_POOL 212.118.4.1 212.118.4.6 prefix-length 29
> ip nat inside source list NAT_ACL pool NAT_POOL
>
> ip route 0.0.0.0 0.0.0.0 212.118.34.3
>
> ip access-list extended NAT_ACL
>  deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>  permit ip 192.168.4.0 0.0.0.255 any
> ip access-list extended VPN_ACL
>  permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>
> What I configure on R2 and R3 is 212.118.2.2/32 and 212.118.3.3/32 respectively. What should I do in order for both IPSEC and NAT to work?
>
> Thanks
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


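Editor's note (not part of either message above): the usual reason NAT breaks a crypto-map tunnel on the same IOS interface is order of operations. For inside-to-outside traffic IOS translates the source address first and only then evaluates the crypto map ACL, so any VPN-bound packet that is not exempted from NAT leaves the router with a pool address, fails the crypto ACL, and goes out in the clear. The script below is an added, constructed model of that ordering using the R1 access-lists posted in the thread; it is not Cisco code, it does not diagnose the poster's BGP/loopback change, and it assumes dynamic NAT hands out the first pool address (212.118.1.1) for illustration. ACLs are written in CIDR form (0.0.0.255 wildcard = /24), with IOS first-match semantics and an implicit deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl(*lines):
    """Build an extended IP ACL from (action, src_cidr, dst_cidr) tuples; 'any' = 0.0.0.0/0."""
    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return [AclEntry(a, net(s), net(d)) for a, s, d in lines]


def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


# ACLs transcribed from the posted R1 config (constructed model, not router output)
NAT_ACL = acl(("deny",   "192.168.1.0/24", "192.168.4.0/24"),   # NAT exemption for VPN traffic
              ("permit", "192.168.1.0/24", "any"))
VPN_ACL = acl(("permit", "192.168.1.0/24", "192.168.4.0/24"))

# Same NAT ACL with the exemption line left out: the classic misconfiguration
NAT_ACL_NO_EXEMPT = acl(("permit", "192.168.1.0/24", "any"))

NAT_POOL_FIRST = "212.118.1.1"   # assumption: first address of NAT_POOL gets used


def egress_inside_to_outside(src, dst, nat_acl, vpn_acl, pool_addr=NAT_POOL_FIRST):
    """Model IOS inside->outside handling on an interface that has both
    'ip nat outside' and a crypto map: NAT runs before the crypto map check,
    so the crypto ACL sees the post-translation source address."""
    translated = acl_permits(nat_acl, src, dst)
    src_on_wire = pool_addr if translated else src
    encrypted = acl_permits(vpn_acl, src_on_wire, dst)
    return {"src_on_wire": src_on_wire, "translated": translated, "encrypted": encrypted}


def vpn_flow_leaks_in_clear(nat_acl, vpn_acl):
    """True if the R1->R4 loopback flow would be NATed and therefore miss the crypto map."""
    r = egress_inside_to_outside("192.168.1.1", "192.168.4.4", nat_acl, vpn_acl)
    return r["translated"] and not r["encrypted"]


if __name__ == "__main__":
    for label, nat in (("posted NAT_ACL", NAT_ACL), ("NAT_ACL without deny", NAT_ACL_NO_EXEMPT)):
        for dst in ("192.168.4.4", "198.51.100.10"):   # VPN peer LAN vs. an arbitrary Internet host
            print(label, "192.168.1.1 ->", dst, egress_inside_to_outside("192.168.1.1", dst, nat, VPN_ACL))
```

With the ACLs as posted, the 192.168.1.0/24 to 192.168.4.0/24 flow is exempted from NAT and matches VPN_ACL, while any other destination is translated and bypasses the crypto map; drop the deny line and the VPN flow is translated first and never matches the crypto ACL. On the router itself the equivalent checks are `show ip nat translations` (is a translation being created for the VPN flow?), `show crypto ipsec sa` (are the encaps/decaps counters moving?) and `show crypto isakmp sa` (is the peer still up?), which is the information the reply above asks for.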