
Encryption between two routers found in the same IP-Range (why is this configuration not working?)

Topol.PNG

Router 1

Building configuration...

Current configuration : 1373 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname test
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
!
crypto isakmp key 01.020r address 192.168.133.44
!
crypto ipsec transform-set 01.020r esp-des esp-md5-hmac
!
crypto map 01.020r 10 ipsec-isakmp
 set peer 192.168.133.44
 set transform-set 01.020r
 match address 100
!
ip ssh time-out 60
ip domain-name test.com
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.17 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 01.020r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 01.020r 192.168.133.17 192.168.133.17 netmask 255.255.255.0
ip nat inside source list 10 pool 01.020r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
banner motd ^C

ex
^C
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

 

 


 

 

Router 2

Building configuration...

Current configuration : 1338 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 06.010r address 192.168.133.17
!
crypto ipsec transform-set 06.010r esp-des esp-md5-hmac
!
crypto map 06.010r 10 ipsec-isakmp
 set peer 192.168.133.17
 set transform-set 06.010r
 match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.44 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 06.010r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 06.010r 192.168.133.44 192.168.133.44 netmask 255.255.255.0
ip nat inside source list 10 pool 06.010r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

 

 


 

Best Regards

 

5 REPLIES 5
VIP Advocate

Hi,

It seems that a subnet 192.168.30.0/24 is overlapping at both sides. So you need NATing as an extra configuration. 

You can find a detailed guide here:

https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
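
The overlap pointed out in the reply above can be checked mechanically. The following is an added example, not part of the thread or of any Cisco tooling: it parses constructed excerpts of the two posted configs and reports where the crypto ACL's source and destination overlap, and where the ISAKMP key and policy lines are not identical on both peers. The helper names `net`, `parse` and `check_pair` are hypothetical.

```python
import ipaddress
import re

# Constructed excerpts: only the VPN-relevant lines of the two posted configs.
ROUTER1 = """\
crypto isakmp policy 10
 hash md5
crypto isakmp key 01.020r address 192.168.133.44
crypto map 01.020r 10 ipsec-isakmp
 match address 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
ROUTER2 = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 06.010r address 192.168.133.17
crypto map 06.010r 10 ipsec-isakmp
 match address 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

def net(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Extract the crypto ACL, pre-shared key and ISAKMP policy attributes."""
    acl_id = re.search(r"^ match address (\d+)$", cfg, re.M).group(1)
    m = re.search(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M)
    key = re.search(r"^crypto isakmp key (\S+) address \S+$", cfg, re.M).group(1)
    policy = sorted(re.findall(r"^ ((?:hash|authentication|encryption|group) \S+)$", cfg, re.M))
    return {"src": net(m[1], m[2]), "dst": net(m[3], m[4]), "key": key, "policy": policy}

def check_pair(cfg_a, cfg_b):
    """Return findings that keep the two peers from agreeing on a tunnel."""
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for name, r in (("A", a), ("B", b)):
        if r["src"].overlaps(r["dst"]):
            findings.append(f"{name}: crypto ACL source {r['src']} overlaps destination {r['dst']}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("crypto ACLs are not mirror images of each other")
    if a["key"] != b["key"]:
        findings.append("ISAKMP pre-shared keys differ between the peers")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy attributes differ: {a['policy']} vs {b['policy']}")
    return findings
```

Calling `check_pair(ROUTER1, ROUTER2)` on the excerpts returns four findings: the overlap on each router, the differing keys, and the differing policy lines.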
VIP Mentor

Hello,

 

Did you not have this same issue resolved a few days ago? You said you had configured twice NAT on one side, I don't see that in any of the configs you have posted?


Hey @Georg Pauwen, the issue is not yet resolved. NAT was configured on both routers. I don't really get it when you say "configuring twice NAT on one side". Can you please explain, based on the network diagram?


Hi,

Share your lab in the attachments.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

My Lab as pkt file
