Topology description:
1. R1 and R5 establish an IPSec VPN so that the respective Loopback0 interfaces are transmitted through the tunnel.
2. R2 is the exit NAT device of Site 1 site; R4 is the exit NAT device of Site 2 site.
The specific configuration is as follows:
R1:
interface Ethernet0/0
ip address 192.168.12.1 255.255.255.0
crypto map TEST
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key CCIE-74 address 192.168.45.5
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
mode tunnel
crypto map TEST 10 ipsec-isakmp
set peer 192.168.45.5
set transform-set CISCO
match address 101
!
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
R2:
interface Ethernet0/0
ip address 192.168.12.2 255.255.255.0
ip nat inside
!
interface Ethernet0/1
ip address 23.23.23.2 255.255.255.0
ip nat outside
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.23.23.3
ip route 1.1.1.1 255.255.255.255 192.168.12.1
!
ip nat source static udp 192.168.12.1 500 2.2.2.2 500 extendable
ip nat source static udp 192.168.12.1 4500 2.2.2.2 4500 extendable
ip nat inside source list 100 interface Loopback0 overload
ip nat outside source static udp 4.4.4.4 500 192.168.45.5 500 extendable
ip nat outside source static udp 4.4.4.4 4500 192.168.45.5 4500 extendable
!
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 100 deny ip host 1.1.1.1 host 5.5.5.5
access-list 100 permit ip any any
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
R3:
interface Ethernet0/1
ip address 23.23.23.3 255.255.255.0
!
interface Ethernet0/2
ip address 34.34.34.3 255.255.255.0
!
ip route 2.2.2.2 255.255.255.255 23.23.23.2
ip route 4.4.4.4 255.255.255.255 34.34.34.4
ip route 192.168.12.0 255.255.255.0 23.23.23.2
ip route 192.168.45.0 255.255.255.0 34.34.34.4
R4:
interface Ethernet0/2
ip address 34.34.34.4 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.45.4 255.255.255.0
ip nat inside
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 34.34.34.3
ip route 1.1.1.1 255.255.255.255 192.168.45.5
!
ip nat inside source list 100 interface Loopback0 overload
ip nat inside source static udp 192.168.45.5 500 4.4.4.4 500 extendable
ip nat inside source static udp 192.168.45.5 4500 4.4.4.4 4500 extendable
ip nat outside source static udp 2.2.2.2 500 192.168.12.1 500 extendable
ip nat outside source static udp 2.2.2.2 4500 192.168.12.1 4500 extendable
!
access-list 100 deny ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny ip host 5.5.5.5 host 1.1.1.1
access-list 100 permit ip any any
access-list 101 permit ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip host 5.5.5.5 host 1.1.1.1
R5:
interface Ethernet0/0
ip address 192.168.45.5 255.255.255.0
crypto map TEST
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key CCIE-74 address 192.168.12.1
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
mode tunnel
crypto map TEST 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set CISCO
match address 101
!
access-list 101 permit ip host 5.5.5.5 host 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 192.168.45.4
ip route 1.1.1.1 255.255.255.255 Ethernet0/0
Test Results:
R1#ping 5.5.5.5 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.45.5 192.168.12.1 QM_IDLE 1001 ACTIVE
ISP-R3 E0 / 1 interface capture results:
Do you think my VPN setup scenario is special?
Perhaps no such case exists on the existing network.
This is a scene experiment of my whimsy.
Accepted Solutions
