CISCO IPSEC TUNNELS WITH NAT

Discussion in 'Cisco' started by bvlmv, Jan 27, 2005.

  1. bvlmv

    bvlmv Guest

    Hi,

    I've come to a standstill with my first simple IPSEC tunnel and I was
    looking for a second opinion. I have 2 bridged DSL circuits terminating on
    2610 with an ether module (System image file is
    "flash:c2600-ik9o3s3-mz.123-12a.bin"). I am able to surf on both ends
    but I can't seem to kick start the IPSEC tunnel and connect to the private
    side of each network. This is my config and any help would be greatly
    appreciated.
    Router A config is the following:


    Remote#

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key TEE address 209.42.X.X
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map unite 1 ipsec-isakmp
    set peer 209.42.X.X
    set transform-set rtpset
    match address 101
    !
    !
    interface Ethernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    half-duplex
    !

    !
    interface Ethernet1/0
    ip address 209.42.Y.Y 255.255.255.0
    ip nat outside
    no ip route-cache cef
    no ip route-cache
    half-duplex
    crypto map unite
    !
    ip nat pool apool 209.42.Y.Y 209.42.Y.Y netmask 255.255.255.0
    ip nat inside source route-map amap pool apool overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 209.42.Y.1
    !
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map amap permit 102
    match interface Ethernet1/0
    !


    Router 2 says:




    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key TEE address 209.42.y.y
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map unite 1 ipsec-isakmp
    set peer 209.42.y.y
    set transform-set rtpset
    match address 101
    !

    !
    interface Ethernet0/0
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    half-duplex

    !
    interface Ethernet1/0
    ip address 209.42.x.x 255.255.255.0
    ip nat outside
    no ip route-cache cef
    no ip route-cache
    half-duplex
    crypto map unite
    !
    ip nat pool hdata 209.42.x.x 209.42.x.x netmask 255.255.255.0
    ip nat inside source route-map hmap pool hdata overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 209.42.x.1
    !
    !
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.2.0 0.0.0.255 any
    access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 permit ip 192.168.2.0 0.0.0.255 any
    !
    route-map hmap permit 102
    match interface Ethernet1/0
    !

    Debug shows the following:
    Remote#show crypto isakmp sa
    dst src state conn-id slot

    Remote#


    Remote2#show crypto isakmp sa
    dst src state conn-id slot
    Remote2#

    Thanks again,
     
    bvlmv, Jan 27, 2005
    #1

  2. I think the route-map is not doing what you want. Your route-map means
    that any traffic which is bound for interface ethernet1/0 is matched
    and according to this NAT is done for this traffic.
    I think you only want that traffic which is matched in access list 102
    will be natted.

    Your route-map should look like this:

    route-map amap permit 10
    match ip address 102

    Don't forget to do the same on the other router.

    After this, traffic from 192.168.1.0 to 192.168.2.0 should no longer be
    natted and should be sent over the ipsec tunnel.
     
    Helmut Ulrich, Jan 27, 2005
    #2
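    An added illustration of the point made in this reply (example code, not
    anything posted in the thread): it models Router A's ACL 101 (crypto ACL)
    and ACL 102 (NAT ACL) as first-match lists and compares the two route-map
    variants. It assumes the reply's reading of `match interface Ethernet1/0`
    (every packet leaving that interface is NATed) and the IOS order in which
    inside-to-outside NAT runs before the crypto map; the pool address is a
    constructed stand-in for 209.42.Y.Y.

```python
import ipaddress

POOL_ADDR = "209.42.1.1"  # constructed stand-in for the NAT pool address 209.42.Y.Y


def acl_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    prefixlen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


# (action, source, destination), in the order the thread's Router A config lists them.
ACL_101 = [  # crypto ACL referenced by 'crypto map unite ... match address 101'
    ("permit", acl_net("192.168.1.0", "0.0.0.255"), acl_net("192.168.2.0", "0.0.0.255")),
    ("deny",   acl_net("192.168.1.0", "0.0.0.255"), acl_net("0.0.0.0", "255.255.255.255")),
]
ACL_102 = [  # NAT ACL: all LAN traffic except the tunnel traffic
    ("deny",   acl_net("192.168.1.0", "0.0.0.255"), acl_net("192.168.2.0", "0.0.0.255")),
    ("permit", acl_net("192.168.1.0", "0.0.0.255"), acl_net("0.0.0.0", "255.255.255.255")),
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit 'deny any' at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat_applies(route_map: str, src: str, dst: str, egress: str = "Ethernet1/0") -> bool:
    """The two route-map variants discussed in the thread (assumed semantics)."""
    if route_map == "match interface Ethernet1/0":   # original: NAT everything leaving E1/0
        return egress == "Ethernet1/0"
    if route_map == "match ip address 102":          # suggested fix: consult ACL 102
        return acl_permits(ACL_102, src, dst)
    raise ValueError(f"unknown route-map clause: {route_map}")


def classify(route_map: str, src: str, dst: str) -> str:
    """Inside-to-outside NAT runs before the crypto map, so once the source is
    translated to the pool address it can no longer match crypto ACL 101."""
    translated = nat_applies(route_map, src, dst)
    effective_src = POOL_ADDR if translated else src
    if acl_permits(ACL_101, effective_src, dst):
        return "encrypted"
    return "natted, sent in clear" if translated else "sent in clear"
```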

  3. bvlmv

    bvlmv Guest

    Hi, thanks for your reply but unfortunately it still doesn't create the SA. Any
    other suggestions?
    Thanks,
     
    bvlmv, Jan 30, 2005
    #3
