Encryption between two routers found in the same IP-Range (why is this configuration not working ?)

Tenek85466 · ‎08-02-2020

Router 1

Building configuration...

Current configuration : 1373 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname test

!

ip dhcp pool vlan30

network 192.168.30.0 255.255.255.0

default-router 192.168.30.254

dns-server 192.168.134.8

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

hash md5

!

crypto isakmp key 01.020r address 192.168.133.44

!

crypto ipsec transform-set 01.020r esp-des esp-md5-hmac

!

crypto map 01.020r 10 ipsec-isakmp

set peer 192.168.133.44

set transform-set 01.020r

match address 100

!

ip ssh time-out 60

ip domain-name test.com

!

spanning-tree mode pvst

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 192.168.30.254 255.255.255.0

ip nat inside

!

interface FastEthernet0/1

ip address 192.168.133.17 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map 01.020r

!

interface Vlan1

no ip address

shutdown

!

ip nat pool 01.020r 192.168.133.17 192.168.133.17 netmask 255.255.255.0

ip nat inside source list 10 pool 01.020r overload

ip classless

!

ip flow-export version 9

!

access-list 10 permit 192.168.30.0 0.0.0.255

access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

!

banner motd ^C

ex

^C

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

test#

test con0 is now available

Press RETURN to get started.

ex

test>

test>en

test#conf t

Enter configuration commands, one per line. End with CNTL/Z.

test(config)#

test(config)#ex

test#

%SYS-5-CONFIG_I: Configured from console by console

test#

test#sh

test#sh ru

test#sh running-config

Building configuration...

Current configuration : 1373 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname test

!

ip dhcp pool vlan30

network 192.168.30.0 255.255.255.0

default-router 192.168.30.254

dns-server 192.168.134.8

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

hash md5

!

crypto isakmp key 01.020r address 192.168.133.44

!

crypto ipsec transform-set 01.020r esp-des esp-md5-hmac

!

crypto map 01.020r 10 ipsec-isakmp

set peer 192.168.133.44

set transform-set 01.020r

match address 100

!

ip ssh time-out 60

ip domain-name test.com

!

spanning-tree mode pvst

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 192.168.30.254 255.255.255.0

ip nat inside

!

interface FastEthernet0/1

ip address 192.168.133.17 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map 01.020r

!

interface Vlan1

no ip address

shutdown

!

ip nat pool 01.020r 192.168.133.17 192.168.133.17 netmask 255.255.255.0

ip nat inside source list 10 pool 01.020r overload

ip classless

!

ip flow-export version 9

!

access-list 10 permit 192.168.30.0 0.0.0.255

access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

!

banner motd ^C

ex

^C

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

Router 2

Building configuration...

Current configuration : 1338 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

ip dhcp pool vlan30

network 192.168.30.0 255.255.255.0

default-router 192.168.30.254

dns-server 192.168.134.8

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp key 06.010r address 192.168.133.17

!

crypto ipsec transform-set 06.010r esp-des esp-md5-hmac

!

crypto map 06.010r 10 ipsec-isakmp

set peer 192.168.133.17

set transform-set 06.010r

match address 100

!

spanning-tree mode pvst

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 192.168.30.254 255.255.255.0

ip nat inside

!

interface FastEthernet0/1

ip address 192.168.133.44 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map 06.010r

!

interface Vlan1

no ip address

shutdown

!

ip nat pool 06.010r 192.168.133.44 192.168.133.44 netmask 255.255.255.0

ip nat inside source list 10 pool 06.010r overload

ip classless

!

ip flow-export version 9

!

access-list 10 permit 192.168.30.0 0.0.0.255

access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

Router#

Router con0 is now available

Press RETURN to get started.

Router>

Router>en

Router#sh ru

Router#sh running-config

Building configuration...

Current configuration : 1338 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

ip dhcp pool vlan30

network 192.168.30.0 255.255.255.0

default-router 192.168.30.254

dns-server 192.168.134.8

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp key 06.010r address 192.168.133.17

!

crypto ipsec transform-set 06.010r esp-des esp-md5-hmac

!

crypto map 06.010r 10 ipsec-isakmp

set peer 192.168.133.17

set transform-set 06.010r

match address 100

!

spanning-tree mode pvst

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 192.168.30.254 255.255.255.0

ip nat inside

!

interface FastEthernet0/1

ip address 192.168.133.44 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map 06.010r

!

interface Vlan1

no ip address

shutdown

!

ip nat pool 06.010r 192.168.133.44 192.168.133.44 netmask 255.255.255.0

ip nat inside source list 10 pool 06.010r overload

ip classless

!

ip flow-export version 9

!

access-list 10 permit 192.168.30.0 0.0.0.255

access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

Best Regards

Deepak Kumar · ‎08-02-2020

Hi,

It seems that a subnet 192.168.30.0/24 is overlapping at both sides. So you need NATing as an extra configuration.

You can guide a detailed guide here:

https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Georg Pauwen · ‎08-03-2020

Hello,

did you not have this same issue resolved a few days ago ? You said you had configured twice NAT on one side, I don't see that in any of the configs you have posted ?

Tenek85466 · ‎08-03-2020

Hey @Georg Pauwen the issue is not yet resolved. NAT was configured on both Routers. I d'ont really get it when you say "configuring twice NAT on one side" Can you please explain ? Based on the Network diagram ?

Deepak Kumar · ‎08-04-2020

Hi,

Share your lab in the attachments.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Tenek85466 · ‎08-04-2020

My Lab as pkt file