[c-nsp] IPSEC and NAT

M K gunner_200 at live.com
Tue Nov 12 03:53:37 EST 2013


What happened is that when I establish the IPSEC it works fine, then when I start the NAT traffic the IPSEC gets lost. The issue was with the overload keyword in the NAT statement and now it's working fine.
BR,
Date: Mon, 11 Nov 2013 20:08:16 -0500
Subject: Re: [c-nsp] IPSEC and NAT
From: emccaleb at gmail.com
To: gunner_200 at live.com
CC: cisco-nsp at puck.nether.net

Are you saying the actual IPSec peer is lost or simply the hosts become unreachable?  Could you give us a few "show" commands?

E #21508

Regards,
Ernest McCaleb


On Mon, Nov 11, 2013 at 4:35 AM, M K <gunner_200 at live.com> wrote:

The IPSEC is working fine. Once I activate the NAT, I lose the IPSEC with an unreachable response to ICMP traffic. The weird thing is that I am configuring the access-lists properly; what could be the issue?



From: gunner_200 at live.com
To: cisco-nsp at puck.nether.net
Subject: IPSEC and NAT
Date: Thu, 7 Nov 2013 13:36:19 +0200

Hi all

I have the below setup

R1 - R2 - R3 - R4

R1 and R4 have loopback interfaces that need to communicate via IPSEC established between R1 and R4

R2 and R3 have an EBGP relation

The IPSEC is working fine

When I configure a loopback interface on R2 and R3 and advertise it in BGP in order for the NAT to work, the NAT works but I lose the IPSEC connectivity



R1

hostname R1

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 212.118.34.4

crypto ipsec transform-set SET esp-3des esp-sha-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 212.118.34.4
 set transform-set SET
 match address VPN_ACL

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Serial1/0
 ip address 212.118.12.1 255.255.255.0
 ip nat outside
 encapsulation ppp
 serial restart-delay 0
 crypto map MAP
 no shut

ip nat pool NAT_POOL 212.118.1.1 212.118.1.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL

ip route 0.0.0.0 0.0.0.0 212.118.12.2

ip access-list extended NAT_ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255


R2

hostname R2

interface Loopback0
 ip address 212.118.2.2 255.255.255.255

interface Serial1/0
 ip address 212.118.12.2 255.255.255.0
 encapsulation ppp
 no shut

interface Serial1/1
 ip address 212.118.23.2 255.255.255.0
 encapsulation ppp
 no shut

router bgp 2
 bgp log-neighbor-changes
 network 212.118.12.0
 neighbor 212.118.23.3 remote-as 3

ip route 212.118.1.0 255.255.255.248 Serial1/0


R3

hostname R3

interface Loopback0
 ip address 212.118.3.3 255.255.255.255

interface Serial1/0
 ip address 212.118.34.3 255.255.255.0
 encapsulation ppp
 no shut

interface Serial1/1
 ip address 212.118.23.3 255.255.255.0
 encapsulation ppp
 no shut

router bgp 3
 bgp log-neighbor-changes
 network 212.118.34.0
 neighbor 212.118.23.2 remote-as 2

ip route 212.118.4.0 255.255.255.248 Serial1/0


R4

hostname R4

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 212.118.12.1

crypto ipsec transform-set SET esp-3des esp-sha-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 212.118.12.1
 set transform-set SET
 match address VPN_ACL

interface Loopback0
 ip address 192.168.4.4 255.255.255.0
 ip nat inside

interface Serial1/0
 ip address 212.118.34.4 255.255.255.0
 ip nat outside
 encapsulation ppp
 serial restart-delay 0
 crypto map MAP
 no shut

ip nat pool NAT_POOL 212.118.4.1 212.118.4.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL

ip route 0.0.0.0 0.0.0.0 212.118.34.3

ip access-list extended NAT_ACL
 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255


What I configure on R2 and R3 is 212.118.2.2/32 and 212.118.3.3/32 respectively; what should I do in order for both IPSEC and NAT to work?

Thanks





_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
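Cisco IOS applies inside-to-outside NAT before the crypto map inspects an outbound packet, so the NAT ACL must deny the crypto ACL's traffic (as the posted NAT_ACL does with its leading deny) or the translated source address no longer matches VPN_ACL. The Python below is an added check written for this thread, not code from the list or from Cisco: it parses the R1 access-lists as posted plus a constructed mis-ordered variant, and reports any crypto-ACL flow that the NAT ACL would translate instead of exempt.

```python
import ipaddress

# Constructed sample: the R1 access-lists exactly as posted in the thread.
R1_ACLS = """
ip access-list extended NAT_ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
# Constructed broken variant: the deny sits after the permit, so it never matches.
MISORDERED_ACLS = """
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

def _target(tokens):
    """Consume one ACE address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # ipaddress accepts an IOS wildcard (hostmask) as the second tuple member
    return ipaddress.IPv4Network((t, tokens.pop(0)), strict=False)

def parse_acls(text):
    """Map ACL name -> ordered list of (action, src_net, dst_net) for 'permit|deny ip' ACEs."""
    acls, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(parts[3], [])
        elif parts and parts[0] in ("permit", "deny") and parts[1] == "ip":
            rest = parts[2:]
            current.append((parts[0], _target(rest), _target(rest)))
    return acls

def nat_exemption_gaps(acls, nat_name, crypto_name):
    """Crypto-ACL permits whose traffic the NAT ACL would translate or only partly exempt."""
    gaps = []
    for action, csrc, cdst in acls[crypto_name]:
        if action != "permit":
            continue
        # The first NAT ACE overlapping the flow decides; the implicit deny at the end exempts.
        for naction, nsrc, ndst in acls[nat_name]:
            if csrc.overlaps(nsrc) and cdst.overlaps(ndst):
                exempt = naction == "deny" and csrc.subnet_of(nsrc) and cdst.subnet_of(ndst)
                if not exempt:
                    gaps.append(f"{csrc}->{cdst} hits '{naction} {nsrc} {ndst}'")
                break
    return gaps
```

Run `nat_exemption_gaps(parse_acls(R1_ACLS), "NAT_ACL", "VPN_ACL")` against a router's `show running-config | section access-list` output to confirm the exemption still holds after NAT changes; an empty list means every VPN flow reaches the crypto map untranslated.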
