IPSec - Lan to Lan - Nat routers - 1 Static and 1 Dynamic ip

Discussion in 'Cisco' started by Sharqy_5, Jul 20, 2003.

  1. Sharqy_5

    Sharqy_5 Guest

    I've got the following situation:
    2 sites:
    one site with an 826 ADSL router which gets a dynamic IP (site 1);
    one site with a 1721 router (incl. ADSL and Eth WIC) which has a static IP
    (site 2).
    Both routers use NAT for address translation.
    I'd like to connect the sites to each other by IPsec, but can't get it
    working.
    In the meantime I've got a working configuration which doesn't use IPsec.
    Could someone help me solve this problem?

    Here is the configuration of site 2; site 1 will follow:

    version 12.2
    service timestamps debug uptime
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    !
    hostname Site 2
    !
    logging console critical
    aaa new-model
    !
    !
    aaa authentication ppp default if-needed group radius
    aaa authorization network default group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    enable secret 5 xxxx.
    enable password xxxx
    !
    username xxxx password xxxx
    memory-size iomem 25
    clock timezone GMT 2
    ip subnet-zero
    no ip source-route
    !
    !
    no ip domain lookup
    !
    no ip bootp server
    ip dhcp-server 192.168.5.1
    vpdn enable
    !
    vpdn-group PPTP_WIN2KCLIENT
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !
    !
    interface Loopback0
     ip address 192.168.20.1 255.255.255.0
    !
    interface Tunnel1
     bandwidth 512
     ip address 192.168.200.1 255.255.255.252
     ip mtu 1434
     ip tcp adjust-mss 1380
     tunnel source Ethernet0
     tunnel destination 1.1.1.1
     tunnel mode ipip
    !
    interface ATM0
     description Connected to ADSL
     no ip address
     no atm ilmi-keepalive
     pvc 8/48
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto
     no fair-queue
     hold-queue 224 in
    !
    interface Ethernet0
     description Connected to SDSL
     ip address 3.3.3.3 255.255.255.240
     ip nat outside
     no ip route-cache
     no ip mroute-cache
     half-duplex
     no cdp enable
    !
    interface FastEthernet0
     description Connected to the internal net
     ip address 192.168.1.1 255.255.255.0 secondary
     ip address 192.168.5.254 255.255.255.0
     ip nat inside
     ip policy route-map email
     speed auto
     no cdp enable
    !
    interface Virtual-Template1
     description Connected to VPN users
     ip unnumbered Loopback0
     ip nat inside
     peer default ip address dhcp
     compress mppc
     ppp encrypt mppe 128
     ppp authentication ms-chap
    !
    interface Dialer0
     description For connection to dial ISP
     ip address negotiated
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer persistent
     dialer-group 1
     no cdp enable
     ppp pap sent-username xxxx password xxxx
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source list 104 interface Ethernet0 overload
    ip nat inside source static tcp 192.168.5.3 25 interface Ethernet0 25
    ip nat inside source static tcp 192.168.5.3 110 interface Ethernet0 110
    ip nat inside source static tcp 192.168.5.3 143 interface Ethernet0 143
    ip nat inside source static tcp 192.168.5.3 443 interface Ethernet0 443
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 217.166.56.97 250
    ip route 1.1.1.1 255.255.255.255 3.3.3.3
    ip route 192.168.6.0 255.255.255.0 192.168.200.2
    no ip http server
    !
    !
    logging facility local1
    logging 192.168.5.1
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.255.255 any
    access-list 104 permit ip 192.168.5.0 0.0.0.255 any
    access-list 104 permit ip 192.168.1.0 0.0.0.255 any
    access-list 104 permit ip 192.168.20.0 0.0.0.255 any
    access-list 198 permit tcp host 192.168.5.3 eq 143 192.168.0.0 0.0.255.255
    access-list 198 permit tcp host 192.168.5.3 eq 443 192.168.0.0 0.0.255.255
    access-list 198 permit tcp host 192.168.5.3 eq smtp 192.168.0.0 0.0.255.255
    access-list 198 permit tcp host 192.168.5.3 eq pop3 192.168.0.0 0.0.255.255
    access-list 199 permit tcp host 192.168.5.3 eq 443 any
    access-list 199 permit tcp host 192.168.5.3 eq pop3 any
    access-list 199 permit tcp host 192.168.5.3 eq smtp any
    access-list 199 permit tcp host 192.168.5.3 eq 143 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map email permit 5
     match ip address 198
    !
    route-map email permit 10
     match ip address 199
     set ip next-hop 3.3.3.3
    !
    route-map email permit 20
     set default interface Dialer0
    !
    snmp-server community public RO
    snmp-server enable traps tty
    radius-server host 192.168.5.1 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key xxxx
    radius-server authorization permit missing Service-Type
    !
    line con 0
    line aux 0
    line vty 0 4
     access-class 102 in
     password xxxx
    !
    ntp clock-period 17180048
    ntp server 207.46.248.43
    end

    Thanks in advance,

    Rene Poelman
    Sharqy_5, Jul 20, 2003
    #1
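An added example, not part of the original post or of any Cisco tooling: a small Python audit that parses an IOS-style config (a constructed excerpt modelled on the Site 2 config above) and flags what matters when this setup is to become an IPsec LAN-to-LAN: a Tunnel interface in ipip/GRE mode with no crypto map on it or on its source interface (so site traffic crosses the Internet in clear), cleartext passwords kept with `service password-encryption` off, and a well-known SNMP community. The block grouping and check wording are this example's own assumptions.

```python
import re
# Constructed excerpt modelled on the Site 2 config posted above (not the full config).
SAMPLE_CONFIG = """\
no service password-encryption
enable password xxxx
interface Tunnel1
 tunnel source Ethernet0
 tunnel destination 1.1.1.1
 tunnel mode ipip
interface Ethernet0
 ip address 3.3.3.3 255.255.255.240
 ip nat outside
snmp-server community public RO
"""

def parse_blocks(text):
    """Group IOS config lines into (command, [sub-commands]); sub-commands are the indented lines."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit(text):
    """Return findings relevant to turning a plain tunnel into an IPsec LAN-to-LAN."""
    blocks, findings = parse_blocks(text), []
    ifaces = {h.split(None, 1)[1]: subs for h, subs in blocks if h.startswith("interface ")}
    for name, subs in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((s.split()[2] for s in subs if s.startswith("tunnel mode ")), "gre")  # GRE is the IOS default
        src = next((s.split()[2] for s in subs if s.startswith("tunnel source ")), None)
        # ipip/GRE carry the inner packets in clear; a crypto map on the tunnel or its source interface binds IPsec to them.
        on_iface = subs + ifaces.get(src, [])
        if mode in ("ipip", "gre") and not any(s.startswith("crypto map ") for s in on_iface):
            findings.append(f"{name}: {mode} tunnel via {src} has no crypto map, site traffic is unencrypted")
    tops = [h for h, _ in blocks]
    if "no service password-encryption" in tops and any(re.match(r"(enable|username \S+) password ", h) for h in tops):
        findings.append("cleartext passwords kept in the config (no service password-encryption)")
    for h in tops:
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp-server community '{m.group(1)}' is a well-known default")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns three findings; adding a `crypto map` line under Ethernet0 or Tunnel1 clears the tunnel finding.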
