371 Views, 0 Helpful, 5 Replies

LAN IPsec tunnel not working due to PAT router

ansarjavaid54
Level 1

Hello guys, I'm trying to set up a LAN-to-LAN tunnel between two sites and it's not working for me. I think traffic is being NATed before it leaves the PAT router.

I attached the topology and running config.

R2 configs!

R2#show run
Building configuration...

Current configuration : 1734 bytes

hostname R2

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 84600
crypto isakmp key cisco address 10.1.2.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
! Incomplete
set peer 10.1.2.2
set transform-set myset
match address 100

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
ip nat outside
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit any
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
end
----------------------------------------------------------
R4#show run
Building configuration...

Current configuration : 1774 bytes
hostname R4
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.1.1.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set myset
match address 100
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 10.1.2.2 255.255.255.252
ip nat outside
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit any
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

end


5 Replies

johnlloyd_13
Level 9

hi,

re-configure your NAT ACL to deny/untranslate the LAN-to-LAN traffic:

R2:

no access-list 10 permit any
no ip nat inside source list 10 interface FastEthernet0/0 overload

ip access-list extended NO-NAT-R2
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any

ip nat inside source list NO-NAT-R2 interface FastEthernet0/0 overload


R4:

no access-list 10 permit any
no ip nat inside source list 10 interface FastEthernet0/1 overload

ip access-list extended NO-NAT-R4
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

! R4's NAT outside interface is FastEthernet0/1 (see its running config above),
! so the overload statement must reference that interface
ip nat inside source list NO-NAT-R4 interface FastEthernet0/1 overload

Hello johnlloyd, will this allow my other traffic destined towards the internet?

yes, it will be captured by the 'permit ip any any' at the end of the NO-NAT ACL.
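As an added illustration of both points in this exchange (why the NO-NAT ACL makes the tunnel come up, and why internet-bound traffic is still translated by the final `permit ip any any`), here is a small Python model of R2's inside-to-outside path. It is not code from the thread or from Cisco IOS; it reproduces the order of operations the original post assumes, where NAT is applied before the crypto map's ACL is consulted. The ACL text is taken from the thread; the inside host 192.168.1.10, the remote host 192.168.2.10 and the internet destination 203.0.113.5 are constructed sample addresses.

```python
import ipaddress

# ---- helpers: IOS wildcard notation and first-match ACL evaluation ----------

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS '<address> <wildcard>' into an IPv4Network (0.0.0.255 -> /24)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line: str):
    """Parse one extended ACE of the form '<permit|deny> ip <src> <wc> <dst> <wc>',
    where either side may be 'any'. Returns (action, src_net, dst_net)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol ('ip')
    nets, i = [], 0
    while i < len(rest):
        if rest[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(wildcard_to_network(rest[i], rest[i + 1]))
            i += 2
    return action, nets[0], nets[1]

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS applies an implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

# ---- the ACLs from the thread, as seen on R2 -------------------------------

# crypto ACL 100: what the crypto map considers "interesting" traffic
CRYPTO_ACL_100 = [parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")]

# original NAT ACL 10 was a standard ACL ('permit any'); it only matches on
# source, so for this model it is equivalent to 'permit ip any any'
NAT_ACL_ORIGINAL = [parse_ace("permit ip any any")]

# johnlloyd's NO-NAT-R2: exempt LAN-to-LAN traffic, translate everything else
NAT_ACL_NO_NAT_R2 = [
    parse_ace("deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"),
    parse_ace("permit ip any any"),
]

R2_OUTSIDE = "10.1.1.2"   # FastEthernet0/0, the PAT address and crypto map interface

# ---- inside -> outside path on the PAT router --------------------------------

def forward_inside_to_outside(nat_acl, crypto_acl, src: str, dst: str, outside_ip: str):
    """NAT is evaluated first: if the NAT ACL permits the flow, the source is
    overloaded onto the outside interface address. The crypto ACL is then checked
    against the post-NAT packet. Returns (source_on_wire, encrypted)."""
    src_on_wire = outside_ip if acl_action(nat_acl, src, dst) == "permit" else src
    encrypted = acl_action(crypto_acl, src_on_wire, dst) == "permit"
    return src_on_wire, encrypted

if __name__ == "__main__":
    lan, remote, internet = "192.168.1.10", "192.168.2.10", "203.0.113.5"
    # before the fix: source is PATed to 10.1.1.2, so ACL 100 never matches
    print(forward_inside_to_outside(NAT_ACL_ORIGINAL, CRYPTO_ACL_100, lan, remote, R2_OUTSIDE))
    # after the fix: LAN-to-LAN flow is untranslated and gets encrypted
    print(forward_inside_to_outside(NAT_ACL_NO_NAT_R2, CRYPTO_ACL_100, lan, remote, R2_OUTSIDE))
    # internet-bound flow still hits 'permit ip any any' and is PATed, sent in clear
    print(forward_inside_to_outside(NAT_ACL_NO_NAT_R2, CRYPTO_ACL_100, lan, internet, R2_OUTSIDE))
```

Running it shows the failure mode from the original post (the LAN-to-LAN packet leaves R2 as 10.1.1.2 and is never matched by the crypto ACL), the effect of the `deny` entry (the packet keeps its 192.168.1.x source and is encrypted), and the answer to the follow-up question (a packet to an internet host falls through to `permit ip any any` and is still translated). The same model applies to R4 with the networks swapped.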

Thx brother, it works.

np. thanks for rating my posts!
