04-24-2020 07:02 AM
Topology description:
1. R1 and R5 establish an IPSec VPN so that traffic between their respective Loopback0 interfaces is transmitted through the tunnel.
2. R2 is the NAT exit device of Site 1; R4 is the NAT exit device of Site 2.
The specific configuration is as follows:
R1:
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map TEST
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CCIE-74 address 192.168.45.5
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
crypto map TEST 10 ipsec-isakmp
 set peer 192.168.45.5
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
R2:
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 23.23.23.2 255.255.255.0
 ip nat outside
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.23.23.3
ip route 1.1.1.1 255.255.255.255 192.168.12.1
!
ip nat source static udp 192.168.12.1 500 2.2.2.2 500 extendable
ip nat source static udp 192.168.12.1 4500 2.2.2.2 4500 extendable
ip nat inside source list 100 interface Loopback0 overload
ip nat outside source static udp 4.4.4.4 500 192.168.45.5 500 extendable
ip nat outside source static udp 4.4.4.4 4500 192.168.45.5 4500 extendable
!
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 100 deny ip host 1.1.1.1 host 5.5.5.5
access-list 100 permit ip any any
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
R3:
interface Ethernet0/1
 ip address 23.23.23.3 255.255.255.0
!
interface Ethernet0/2
 ip address 34.34.34.3 255.255.255.0
!
ip route 2.2.2.2 255.255.255.255 23.23.23.2
ip route 4.4.4.4 255.255.255.255 34.34.34.4
ip route 192.168.12.0 255.255.255.0 23.23.23.2
ip route 192.168.45.0 255.255.255.0 34.34.34.4
R4:
interface Ethernet0/2
 ip address 34.34.34.4 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.45.4 255.255.255.0
 ip nat inside
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 34.34.34.3
ip route 1.1.1.1 255.255.255.255 192.168.45.5
!
ip nat inside source list 100 interface Loopback0 overload
ip nat inside source static udp 192.168.45.5 500 4.4.4.4 500 extendable
ip nat inside source static udp 192.168.45.5 4500 4.4.4.4 4500 extendable
ip nat outside source static udp 2.2.2.2 500 192.168.12.1 500 extendable
ip nat outside source static udp 2.2.2.2 4500 192.168.12.1 4500 extendable
!
access-list 100 deny ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny ip host 5.5.5.5 host 1.1.1.1
access-list 100 permit ip any any
access-list 101 permit ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip host 5.5.5.5 host 1.1.1.1
R5:
interface Ethernet0/0
 ip address 192.168.45.5 255.255.255.0
 crypto map TEST
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CCIE-74 address 192.168.12.1
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
crypto map TEST 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip host 5.5.5.5 host 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 192.168.45.4
ip route 1.1.1.1 255.255.255.255 Ethernet0/0
Test Results:
R1#ping 5.5.5.5 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id status
192.168.45.5    192.168.12.1    QM_IDLE    1001    ACTIVE
ISP-R3 E0/1 interface capture results: [capture image not reproduced]
Do you think my VPN setup scenario is special?
Perhaps no such case exists on any existing network.
This is a scenario experiment born of my own whimsy.
04-24-2020 08:47 PM
Hi
For testing that's OK, but this isn't something you'd put in a production environment. Why not use the Lo0 of R4 and R2 to build up the VPN?
04-24-2020 11:27 PM
Hi, Francesco Molino
I just want to try in the lab how to implement and establish an IPSec VPN tunnel behind NAT.
I think the NAT I wrote on R2 and R4:
R2:
ip nat outside source static udp 4.4.4.4 500 192.168.45.5 500 extendable
ip nat outside source static udp 4.4.4.4 4500 192.168.45.5 4500 extendable
R4:
ip nat outside source static udp 2.2.2.2 500 192.168.12.1 500 extendable
ip nat outside source static udp 2.2.2.2 4500 192.168.12.1 4500 extendable
and the 4 static routes written on R3:
ip route 2.2.2.2 255.255.255.255 23.23.23.2
ip route 4.4.4.4 255.255.255.255 34.34.34.4
ip route 192.168.12.0 255.255.255.0 23.23.23.2
ip route 192.168.45.0 255.255.255.0 34.34.34.4
The above configuration is the most important factor for the successful establishment of this VPN.
I just found it very interesting.
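To see why the static UDP/500 and UDP/4500 entries on R2 and R4, together with R3's four static routes, are what make this lab work, here is a small model of the translation path, written as an added example for this thread and not taken from the poster's configuration or from any Cisco code. It transcribes the static NAT entries shown above into a table, applies IOS's translation order in both directions (inside-to-outside: `inside source` rewrites the source, `outside source` rewrites the destination; outside-to-inside: the reverse), and reports what each router sees for an IKE packet and for an ESP packet. The NAT-D check is a simplified version of the RFC 3947 comparison, assumed here only to show why neither peer would switch to UDP/4500: the twice-translated packet arrives with the same addresses and ports the sender put on it. ESP has no ports, matches none of the UDP entries, and therefore crosses R3 untranslated, which is why R3 needs routes for 192.168.12.0/24 and 192.168.45.0/24.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the thread's twice-NAT IKE path. It is not IOS NAT
# code; it only reproduces the translation order relevant to the static
# "ip nat inside|outside source static udp" entries on R2 and R4.

@dataclass(frozen=True)
class Pkt:
    proto: str            # "udp" or "esp"
    src: str
    sport: Optional[int]  # None for ESP, which carries no ports
    dst: str
    dport: Optional[int]

@dataclass(frozen=True)
class StaticNat:
    # kind "inside"  -> ip nat inside  source static udp LOCAL LP GLOBAL GP
    # kind "outside" -> ip nat outside source static udp GLOBAL GP LOCAL LP
    kind: str
    local: str
    lport: int
    glob: str
    gport: int

# R2's and R4's static entries, transcribed from the thread's configuration.
R2_RULES = [
    StaticNat("inside", "192.168.12.1", 500, "2.2.2.2", 500),
    StaticNat("inside", "192.168.12.1", 4500, "2.2.2.2", 4500),
    StaticNat("outside", "192.168.45.5", 500, "4.4.4.4", 500),
    StaticNat("outside", "192.168.45.5", 4500, "4.4.4.4", 4500),
]
R4_RULES = [
    StaticNat("inside", "192.168.45.5", 500, "4.4.4.4", 500),
    StaticNat("inside", "192.168.45.5", 4500, "4.4.4.4", 4500),
    StaticNat("outside", "192.168.12.1", 500, "2.2.2.2", 500),
    StaticNat("outside", "192.168.12.1", 4500, "2.2.2.2", 4500),
]

def inside_to_outside(rules, p):
    """Inside -> outside: 'inside source' rewrites the source (local -> global),
    'outside source' rewrites the destination (local -> global)."""
    if p.proto != "udp":
        return p  # the static entries are UDP-only; ESP passes untouched
    for r in rules:
        if r.kind == "inside" and (p.src, p.sport) == (r.local, r.lport):
            p = replace(p, src=r.glob, sport=r.gport)
            break
    for r in rules:
        if r.kind == "outside" and (p.dst, p.dport) == (r.local, r.lport):
            p = replace(p, dst=r.glob, dport=r.gport)
            break
    return p

def outside_to_inside(rules, p):
    """Outside -> inside: 'outside source' rewrites the source (global -> local),
    'inside source' rewrites the destination (global -> local)."""
    if p.proto != "udp":
        return p
    for r in rules:
        if r.kind == "outside" and (p.src, p.sport) == (r.glob, r.gport):
            p = replace(p, src=r.local, sport=r.lport)
            break
    for r in rules:
        if r.kind == "inside" and (p.dst, p.dport) == (r.glob, r.gport):
            p = replace(p, dst=r.local, dport=r.lport)
            break
    return p

def r1_to_r5(p):
    """Packet as seen on each segment of R1 -> R2 -> R3 -> R4 -> R5 (R3 does no NAT)."""
    on_core = inside_to_outside(R2_RULES, p)
    at_r5 = outside_to_inside(R4_RULES, on_core)
    return {"sent_by_r1": p, "on_r3": on_core, "received_by_r5": at_r5}

def r5_to_r1(p):
    """Return direction: R5 -> R4 -> R3 -> R2 -> R1."""
    on_core = inside_to_outside(R4_RULES, p)
    at_r1 = outside_to_inside(R2_RULES, on_core)
    return {"sent_by_r5": p, "on_r3": on_core, "received_by_r1": at_r1}

def nat_t_would_detect_nat(sent, received):
    """Simplified RFC 3947 NAT-D check (assumed model): the receiver compares
    the address/port pairs the sender hashed with what actually arrived.
    Any difference means a NAT sits in the path and IKE moves to UDP/4500."""
    return (sent.src, sent.sport, sent.dst, sent.dport) != \
           (received.src, received.sport, received.dst, received.dport)

if __name__ == "__main__":
    ike = Pkt("udp", "192.168.12.1", 500, "192.168.45.5", 500)
    for seg, pkt in r1_to_r5(ike).items():
        print(f"{seg:15} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("NAT-T detects NAT:", nat_t_would_detect_nat(ike, r1_to_r5(ike)["received_by_r5"]))
    esp = Pkt("esp", "192.168.12.1", None, "192.168.45.5", None)
    print("ESP on R3 link   ", r1_to_r5(esp)["on_r3"].src, "->", r1_to_r5(esp)["on_r3"].dst)
```

Running it shows the IKE packet as 2.2.2.2:500 -> 4.4.4.4:500 on R3 (the addresses R3's /32 routes exist for) and back to 192.168.12.1:500 -> 192.168.45.5:500 by the time R5 receives it, which matches the untranslated peers in the `show crypto isakmp sa` output above; the ESP packet keeps its real addresses end to end, so it depends entirely on R3's /24 routes.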