IPSec on routers behind a nat device

Jonn cos
Level 4

Hi all,

I have a very simple setup. I have 3 routers as shown below. ISP is translating R1's interface IP from 10.1.1.1 to 10.1.3.1

R1--Fas0/0-----------------------------------Fas0/0---ISP---Fas0/1------------------------------Fas0/1----R2

R1:
int fas0/0
 ip add 10.1.1.1 255.255.255.0

ISP:
int fas0/0
 ip add 10.1.1.2 255.255.255.0
 ip nat inside
int fas0/1
 ip add 10.1.2.2 255.255.255.0
 ip nat outside
ip nat inside source static 10.1.1.1 10.1.3.1

R2:
int fas0/1
 ip add 10.1.2.1 255.255.255.0

As you can see, ISP is translating R1 10.1.1.1 <-> 10.1.3.1. If I want to configure IPsec between R1 and R2, what shall I configure?

4 Replies

Reza Sharifi
Hall of Fame

Hi,

All routers are using private IPs.  So, there is no need for NAT.

To configure an IPsec tunnel between the routers, have a look at this doc:

http://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html

HTH

This is a lab scenario and I want to test, for my learning, how IPSec would work in such a case.

I have tried it, but IPSec doesn't work with the standard configuration. Below is the configuration.

I have configured 2 loopbacks: on R1: 100.1.1.1, on R2: 200.1.1.1

R1:
crypto isakmp policy 10
 auth pre
 enc des
 hash md5
 group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
 match address 101
 set peer 10.1.1.1
 set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2

R2:
crypto isakmp policy 10
 auth pre
 enc des
 hash md5
 group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
 match address 101
 set peer 10.1.3.1 (it will be 10.1.3.1, the NATted IP, right?)
 set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2

 

Now when I ping from R1:

ping 200.1.1.1 source 100.1.1.1

it is not successful. Why doesn't it work? Any idea?

The crypto config looks fine (the crypto map is also applied to R1's and R2's public interfaces?). But your default routes are wrong. The next hop has to be the IP of the ISP.

If it still doesn't work, you have to continue with "debug crypto isakmp".

Is it a lab scenario?

R2 needs to use the inside global address of R1 (which is 10.1.3.1) as a peer. And as long as UDP/500 and UDP/4500 are translated (which they are in your scenario), then everything works the same as if there weren't any NAT. At least when you run 12.2(8)T+ on your routers.
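To show how the NAT traversal the reply relies on actually works, here is an added Python example (not from the thread or from Cisco) that reproduces the RFC 3947 NAT-D hash for the addresses in this lab; the ISAKMP cookies are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample ISAKMP cookies; real ones are random 8-byte values.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")

def nat_d_hash(cky_i, cky_r, ip, port, algo="md5"):
    """NAT-D payload from RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    IP is the raw 4/16-byte address, Port is 2 bytes in network order, and
    HASH is the negotiated IKE hash (MD5 in the posted 'hash md5' policy)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def nat_detected(received_hash, seen_ip, seen_port, algo="md5"):
    """Receiver side: recompute the hash over the address/port actually seen
    in the IP/UDP header. A mismatch means a NAT rewrote it in transit."""
    return received_hash != nat_d_hash(CKY_I, CKY_R, seen_ip, seen_port, algo)

def ike_nat_check(r1_local="10.1.1.1", r1_global="10.1.3.1", r2_local="10.1.2.1"):
    """Replay the NAT-D exchange for the thread's topology and report which
    peer is behind NAT and which UDP port the IPsec traffic ends up on."""
    # R1 hashes its own (inside local) address; the ISP rewrites it to 10.1.3.1,
    # so R2 computes a different hash over the source it sees on the wire.
    r1_nat_d = nat_d_hash(CKY_I, CKY_R, r1_local, 500)
    r1_behind_nat = nat_detected(r1_nat_d, r1_global, 500)
    # R2's address is not translated, so R1 recomputes exactly the hash R2 sent.
    r2_nat_d = nat_d_hash(CKY_I, CKY_R, r2_local, 500)
    r2_behind_nat = nat_detected(r2_nat_d, r2_local, 500)
    # If either side is behind NAT, IKE and ESP are UDP-encapsulated on 4500,
    # which is why the static NAT must also carry UDP/4500, not just UDP/500.
    port = 4500 if (r1_behind_nat or r2_behind_nat) else 500
    return {"r1_behind_nat": r1_behind_nat, "r2_behind_nat": r2_behind_nat, "udp_port": port}

if __name__ == "__main__":
    print(ike_nat_check())
```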
