ip binding to ethernet

de
Level 1

hello,

I'm implementing a site-to-site VPN. I have configured NAT on the main office server and am giving the fileserver a static IP. The IP that is allocated is binding to the Ethernet port along with its hard-coded IP, so Ethernet has two IPs. If I change the IP of the fileserver, Ethernet still picks it up. Could it possibly be NAT?

many thanks

!
logging rate-limit console 10 except errors
enable secret 5 $1$d6OJ$JU.yzY/g6lGebq0i.gD5H0
!
username ********* password 7 0200014F020F172456
memory-size iomem 25
ip subnet-zero
no ip source-route
!
!
no ip finger
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
!
ip dhcp pool *********
 network 192.168.1.0 255.255.255.0
 dns-server 158.43.240.4 158.43.240.3
 default-router 192.168.1.254
!
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 52.164.35.118
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 52.164.35.118
 set transform-set strong
 match address 101
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface ATM0
 no ip address
 ip nat outside
 atm vc-per-vp 256
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map vpn
!
interface FastEthernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Dialer0
 ip address 52.164.35.126 255.255.255.248
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *********
 ppp chap password 7 121F00031B02140130
 crypto map vpn
!
ip nat pool vpn 52.164.35.121 52.164.35.121 prefix-length 29
ip nat inside source route-map nonat pool vpn overload
ip nat inside source static 192.168.1.2 52.164.35.122
ip nat outside source static 52.164.35.122 192.168.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 10 deny   192.168.1.2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip host 52.164.35.122 host 52.164.35.113
access-list 150 permit ip 52.164.35.112 0.0.0.7 52.164.35.120 0.0.0.7
access-list 150 permit tcp any any established
no cdp run
!
!
route-map static permit 10
 match ip address 150
 set ip next-hop 10.1.1.2
!
route-map nonat permit 15
 match ip address 10
!
!
line con 0
 password 7 045219561E34495A01
 login
 transport input none
line aux 0
 password 7 020F160B1A130A3544
 login
line vty 0 4
 login
!
end

cjacinto
Cisco Employee

I don't think you need this line:

ip nat outside source static 52.164.35.122 192.168.1.2

Do you really want to do the IPSec tunnel based on the public IP address?

Because you could do it on the internal address of 192.168.1.2.

See similar sample config on:

http://www.cisco.com/warp/customer/707/static.html

You have to use policy routing to bypass the IPsec traffic being NAT'ed.
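An added example (not from the thread or the poster's own config) showing the NAT section with the line the reply points at removed, plus a check for the symptom described in the question. The `no-alias` variant assumes the IOS image accepts that keyword; it is only for the case where an outside-source translation is genuinely wanted.

```cisco
! Before (the posted config): the outside-source static line also installs an
! alias for the local address 192.168.1.2 on the NAT inside interface, so the
! router answers ARP for it and FastEthernet0 appears to carry two addresses.
ip nat inside source static 192.168.1.2 52.164.35.122
ip nat outside source static 52.164.35.122 192.168.1.2

! After: the inside static translation alone is enough for a tunnel keyed on the
! public address, because crypto ACL 101 matches 52.164.35.122, i.e. the
! post-translation source. Remove the outside-source line.
no ip nat outside source static 52.164.35.122 192.168.1.2

! Alternative if an outside-source translation really is needed: keep it but
! stop the router from claiming 192.168.1.2 on FastEthernet0 (assumption: the
! image supports no-alias on this command).
ip nat outside source static 52.164.35.122 192.168.1.2 no-alias

! Verify: the inside static entry should still be listed, and the ARP entry for
! the fileserver should now show the fileserver's MAC rather than the router's.
show ip nat translations
show ip arp 192.168.1.2
show crypto ipsec sa
```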