[c-nsp] IPSEC and NAT
M K
gunner_200 at live.com
Tue Nov 12 03:53:37 EST 2013
What happened is that when I establish the IPSEC it works fine , then when I start the NAT traffic the IPSEC get lostThe issue was with the overload keyword in the NAT statement and now it's working fine
BR,
Date: Mon, 11 Nov 2013 20:08:16 -0500
Subject: Re: [c-nsp] IPSEC and NAT
From: emccaleb at gmail.com
To: gunner_200 at live.com
CC: cisco-nsp at puck.nether.net
Are you saying the actual IPSec peer is lost or simply the hosts become unreachable? Could you give us a few "show" commands?
E #21508
Regards,
Ernest McCaleb
On Mon, Nov 11, 2013 at 4:35 AM, M K <gunner_200 at live.com> wrote:
The IPSEC is working fine , once I activate the NAT , i lose the IPSEC with unreachable response to ICMP traffic The weird thing is that I am configuring the access-lists properly , what could be the issue ?
From: gunner_200 at live.com
To: cisco-nsp at puck.nether.net
Subject: IPSEC and NAT
Date: Thu, 7 Nov 2013 13:36:19 +0200
Hi all
I have the below setup
R1 - R2 - R3 - R4
R1 and R4 has loopback interfaces that needs to communicate via IPSEC established between R1 and R4
R2 and R3 has EBGP relation
The IPSEC is working fine
When I configure a loopback interface on R2 and R3 and advertise it in BGP in order for the NAT to work , the NAT works but I loses the IPSEC connectivity
R1
hostname R1
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 212.118.34.4
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
set peer 212.118.34.4
set transform-set SET
match address VPN_ACL
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Serial1/0
ip address 212.118.12.1 255.255.255.0
ip nat outside
encapsulation ppp
serial restart-delay 0
crypto map MAP
no shut
ip nat pool NAT_POOL 212.118.1.1 212.118.1.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL
ip route 0.0.0.0 0.0.0.0 212.118.12.2
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R2
hostname R2
interface Loopback0
ip address 212.118.2.2 255.255.255.255
interface Serial1/0
ip address 212.118.12.2 255.255.255.0
encapsulation ppp
no shut
interface Serial1/1
ip address 212.118.23.2 255.255.255.0
encapsulation ppp
no shut
router bgp 2
bgp log-neighbor-changes
network 212.118.12.0
neighbor 212.118.23.3 remote-as 3
ip route 212.118.1.0 255.255.255.248 ser1/0
R3
hostname R3
interface Loopback0
ip address 212.118.3.3 255.255.255.255
interface Serial1/0
ip address 212.118.34.3 255.255.255.0
encapsulation ppp
no shut
interface Serial1/1
ip address 212.118.23.3 255.255.255.0
encapsulation ppp
no shut
router bgp 3
bgp log-neighbor-changes
network 212.118.34.0
neighbor 212.118.23.2 remote-as 2
ip route 212.118.4.0 255.255.255.248 Ser1/0
R4
hostname R4
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 212.118.12.1
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
set peer 212.118.12.1
set transform-set SET
match address VPN_ACL
interface Loopback0
ip address 192.168.4.4 255.255.255.0
ip nat inside
interface Serial1/0
ip address 212.118.34.4 255.255.255.0
ip nat outside
encapsulation ppp
serial restart-delay 0
crypto map MAP
no shut
ip nat pool NAT_POOL 212.118.4.1 212.118.4.6 prefix-length 29
ip nat inside source list NAT_ACL pool NAT_POOL
ip route 0.0.0.0 0.0.0.0 212.118.34.3
ip access-list extended NAT_ACL
deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended VPN_ACL
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
What I configure on R2 and R3 is 212.118.2.2/32 and 212.118.3.3/32 respectively , what should i do in order for both IPSEC and NAT to work ?
Thanks
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list