Router-to-router IP Security (IPSec) Virtual Private Networks (VPNs) are used to protect site-to-site data transfer over public networks. The site-to-site traffic that needs to be protected is tunneled by the router on the edge of the network to its remote IPSec peer.
Edge routers are also configured for Network Address Translation (NAT) or Port Address Translation (PAT) so that devices with private IP addresses can reach the Internet from a globally unique, routable address. NAT and IPSec are often needed on the same device when one link carries both Internet traffic and traffic to remote branches of the corporate network. Address translation is necessary for the data that is not IPSec-protected, but the data that is to be IPSec-protected must reach the crypto map with its original private addresses intact, so it has to be exempted from translation.
IPSec traffic can be exempted from address translation with route maps. For example, to allow IPSec-protected traffic between the private network 10.10.10.0/24 and remote site network 10.10.12.0/24 to pass through without address translation, perform these steps:
Define an Access Control List (ACL) and choose the keyword deny for all IPSec protected traffic. To define the ACL, issue the access-list command in global configuration mode, as shown in this output:
access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
This ACL denies (that is, excludes from translation) the traffic between networks 10.10.10.0/24 and 10.10.12.0/24, which is the traffic that is IPSec encrypted, while permitting traffic from 10.10.10.0/24 to all other destinations so that it is translated.
Define a route map and bind the ACL to it by issuing the match command.
To define the route map, issue the route-map command in global configuration mode and the match command in route-map configuration mode, as shown in this output:
route-map map1 permit 10
 match ip address 110
To specify which inside addresses need to be translated, reference the route map in the ip nat inside source command, as shown in this command:
ip nat inside source route-map map1 interface Ethernet0 overload
The ip nat inside source command uses route-map map1 to determine which inside addresses need to be translated. Route-map map1 in turn uses access-list 110, which is configured with the keyword deny for traffic between the two private networks being IPSec-protected, so that traffic is not address translated. The traffic from the private network that goes on to the Internet, however, is port address translated to the address on the Ethernet0 interface. The exemption matters because, for packets travelling from inside to outside, IOS performs the NAT inside-to-outside translation before it evaluates the crypto map: without the deny entry, the site-to-site traffic would be translated to the outside address first, would no longer match the crypto ACL, and would leave the interface unencrypted. The deny entry in the NAT ACL should therefore mirror the permit entry of the crypto ACL exactly.
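The steps above as one complete configuration for the local edge router. This is an added example, not configuration from the original page: the two private networks, ACL 110, route-map map1 and the ip nat inside source command are the ones described above, while the hostname, interface roles, public addresses (192.0.2.1 locally, 203.0.113.1 for the remote peer), the ISAKMP policy, the transform set, the crypto map name CM-SITE, crypto ACL 120 and the pre-shared key placeholder are assumptions chosen for illustration.

```ios
! Added example (assumed names and addresses, see lead-in): local edge router
hostname local-edge
!
! Phase 1 (ISAKMP) policy and the pre-shared key for the remote peer (assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! Phase 2 transform set and the crypto map applied on the outside interface
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address 120
!
! Crypto ACL: the traffic that is to be encrypted (assumed ACL number 120)
access-list 120 permit ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
!
! NAT ACL from the text: the deny entry mirrors ACL 120 exactly, so the same
! packets are exempted from translation; everything else from the LAN is PATed
access-list 110 deny   ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
route-map map1 permit 10
 match ip address 110
!
! PAT (overload) onto the outside interface address, governed by route-map map1
ip nat inside source route-map map1 interface Ethernet0 overload
!
interface Ethernet0
 description Internet-facing link (assumed public address)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map CM-SITE
!
interface Ethernet1
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Default route towards the ISP (assumed next hop)
ip route 0.0.0.0 0.0.0.0 192.0.2.254
```

To check the result, generate traffic from a 10.10.10.0/24 host to 10.10.12.0/24 and to an Internet address: show ip nat translations should list entries only for the Internet-bound flows, never for destinations in 10.10.12.0/24, and show crypto ipsec sa should show the encrypt and decrypt counters for the 10.10.10.0/24 to 10.10.12.0/24 security association increasing. If the deny entry is removed from ACL 110, the site-to-site traffic appears in the translation table and the IPSec counters stop rising, which is the failure mode described above.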