Re: site to site over nat and secondary ip address

amjadkhan1920 · ‎11-27-2019

Dear all,

below lab R1 1.1.1.1/8 wan ip and lan ip 192.168.1.1/24 R3 wan ip 11.11.11.2/29 &lan 172.16.0.0/16

now i make ipsec between above network successfully establish ,but the task is there is a secondary ip of the router R3 10.10.10.1/24 to establish site to site once i changed from R1 phase2 (for ip ) show crypto iskamp sa R1 the tunnel established (11.11.11.2 1.1.1.1 QM_IDLE 1002 ACTIVE)
but not pinging from interest traffic ???? 2nd i make network translation R2 and revert the configuration to primary ip so the tunnel is not came up but translation is working any idea ?

i have a lab

Rob Ingram · ‎11-28-2019

Does the ACL used to define the interesting traffic on both routers include the NAT ip addresses of the interesting traffic?

Please provide the configuration of both routers (R1 and R3) and the output of "show crypto ipsec sa" and "show ip nat translation" from both routers.

amjadkhan1920 · ‎11-30-2019

dear sir,

i try with below configuration

R1

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key cisco123 address 11.11.11.3

crypto ipsec transform-set aws esp-aes 256 esp-sha-hmac

mode tunnel

crypto map mymap 10 ipsec-isakmp

set peer 11.11.11.3

set transform-set aws

match address cry

interface Ethernet0/0

ip address 1.1.1.1 255.0.0.0

crypto map mymap

interface Ethernet0/1

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/2

no ip address

shutdown

interface Ethernet0/3

no ip address

shutdown

router rip

version 2

network 1.0.0.0

no auto-summary

ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 1.1.1.2

ip route 10.10.10.0 255.255.255.0 1.1.1.2

ip access-list extended cry

permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255

R3

multilink bundle-name authenticated

username amjad.khan privilege 15 password 0 cisco

!

redundancy

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key cisco123 address 1.1.1.1

crypto ipsec transform-set aws esp-aes 256 esp-sha-hmac

mode tunnel

crypto map mymap 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set aws

match address cry

interface Loopback1

ip address 11.11.11.9 255.255.255.255

interface Ethernet0/0

ip address 10.10.10.1 255.255.255.0 secondary

ip address 11.11.11.2 255.255.255.248

ip nat outside

ip virtual-reassembly in

crypto map mymap

interface Ethernet0/1

ip address 172.16.1.1 255.255.0.0

!

interface Ethernet0/2

ip address 172.17.1.1 255.255.0.0

ip nat inside

ip virtual-reassembly in

!

interface Ethernet0/3

no ip address

shutdown

router rip

version 2

network 11.0.0.0

no auto-summary

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat source list outside interface Ethernet0/0 overload

ip nat inside source static 172.17.1.1 11.11.11.3

ip route 0.0.0.0 0.0.0.0 11.11.11.1

ip access-list extended cry

permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255

ip access-list extended outside

permit ip any host 172.17.1.1

amjadkhan1920 · ‎11-30-2019

dear sir,

below is the result , but from pc to pc not pinging .

R1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.11.11.3 1.1.1.1 QM_IDLE 1003 ACTIVE
11.11.11.3 1.1.1.1 MM_NO_STATE 1002 ACTIVE (deleted)
11.11.11.2 1.1.1.1 MM_NO_STATE 1001 ACTIVE (deleted)

R3

R3#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 11.11.11.3:500 172.17.1.1:500 1.1.1.1:500 1.1.1.1:500
udp 11.11.11.3:500 172.17.1.1:500 1.1.1.1:500 1.1.1.1:500
udp 11.11.11.3:4500 172.17.1.1:4500 1.1.1.1:4500 1.1.1.1:4500
--- 11.11.11.3 172.17.1.1 --- ---