ipsec and nat overloading for basic web browsing

MrFlibble
Level 1

I have just implemented a 1721 router with 2 bonded adsl connections and currently have an ipsec tunnel established to our head office.

If I now implement NAT overloading to allow a range of internal addresses to use the outside address to browse the internet, will this break the IPsec connection?

I just need to understand whether the crypto map on the dialer interface will only encrypt traffic it knows is bound for the tunnel, and if not, does it then get NAT'd and go out to the internet?

It would be useful to know the process flow on the dialer interface, i.e. the order in which it does things.

Many thanks for any pointers on this.

Very new to the world of Cisco.

Cheers

Paul

3 Replies

gfullage
Cisco Employee

The router will only encrypt traffic that you tell it to, everything else, including standard Internet traffic, will go out the dialer interface as normal (and be PAT'd if that is what you've set up).

So, how do you tell the router to encrypt specific traffic? You do this with an access-list that is then applied under your crypto map. In your router you'll have something like the following:

crypto map <map-name> 10 ipsec-isakmp
   set peer x.x.x.x
   set transform-set <transform-set-name>
   match address 100

interface Dialer n
   crypto map <map-name>

access-list 100 permit ip <1721 local subnet> <head office subnet>

Now, when an unencrypted packet comes into the inside interface, the router looks at the destination of the packet. It looks up its routing table and sees that the destination is out the Dialer interface. It also sees that there is a crypto map on the Dialer interface, and so it checks first to see if the packet's source and destination match access-list 100.

If it does, then it encrypts the packet, puts a new IP header on it with a destination of the IPsec peer at head office, and sends it out the Dialer interface.

If the packet doesn't match access-list 100, then it knows to just send it out as any normal IP packet. If there is a NAT statement on Dialer 0 and the packet matches the NAT policy, then it will be NAT'd before sending.

Many thanks for the explanation; it has made the whole process much clearer.

Cheers

I've followed the above, which makes sense, but the router doesn't appear to be following these rules.

As soon as I specify an IP address in my access-list that gets used by the overload pool, that machine is then unable to access the head office subnet.

I have

"ip nat inside" defined on the ethernet interface

"ip nat outside" defined on the dialer interface and

a NAT pool overload to the public address of the router.

It appears to be doing the NAT check then the crypto map check.

Is it possible to say, for a particular destination subnet, don't do any NATing?

Thanks again for any help on this.
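The two orderings discussed in this thread (crypto-map check before NAT, as described in the first reply, versus NAT before the crypto-map check, as the second post observes; the latter matches Cisco's documented inside-to-outside order of operations) can be modelled in a few lines. The following Python script is an added example, not router code and not part of the original thread: it models a LAN packet leaving the dialer interface under both orderings, shows why overloading the tunnel-bound host's address causes its head-office traffic to miss the crypto ACL, and shows the standard fix for the last question above, a NAT exemption (a deny entry for LAN-to-head-office traffic placed before the permit in the NAT ACL, so that traffic is never translated and still matches the crypto ACL). All addresses, ACL numbers and subnets are constructed placeholders.

```python
"""Model of the outbound pipeline on a Cisco IOS dialer interface: NAT overload
(PAT) and a crypto map ACL, evaluated in either order. Added example with
constructed addresses; it is not the router's own logic, only a model of it."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src_net: str  # CIDR
    dst_net: str  # CIDR


def acl_matches(acl, pkt):
    """First-match evaluation with an implicit deny at the end, like an IOS ACL."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src_net) and d in ipaddress.ip_network(ace.dst_net):
            return ace.action == "permit"
    return False


# Constructed topology (documentation ranges, not real addresses).
LAN = "192.168.10.0/24"     # the 1721's local subnet
HQ = "10.0.0.0/24"          # head office subnet behind the IPsec peer
ANY = "0.0.0.0/0"
PUBLIC_IP = "203.0.113.5"   # dialer's public address used for overload

# Crypto map "match address": permit = encrypt.
CRYPTO_ACL = [Ace("permit", LAN, HQ)]
# NAT ACL with no exemption: everything from the LAN is overloaded.
NAT_ACL_OVERLOAD_ALL = [Ace("permit", LAN, ANY)]
# NAT ACL with exemption: deny = do not translate, so tunnel traffic keeps its LAN source.
NAT_ACL_EXEMPT_HQ = [Ace("deny", LAN, HQ), Ace("permit", LAN, ANY)]


def forward(pkt, nat_acl, crypto_acl, nat_before_crypto):
    """Return (outcome, packet as it leaves the dialer).

    outcome is "encrypted" (sent into the tunnel), "natted" (PAT'd and sent
    to the internet in clear) or "plain" (untranslated, unencrypted)."""
    def nat(p):
        return replace(p, src=PUBLIC_IP) if acl_matches(nat_acl, p) else p

    if nat_before_crypto:
        out = nat(pkt)                 # translation happens first ...
        if acl_matches(crypto_acl, out):   # ... so the crypto ACL sees the new source
            return "encrypted", out
    else:
        if acl_matches(crypto_acl, pkt):   # crypto decision on the original header
            return "encrypted", pkt
        out = nat(pkt)
    return ("natted" if out != pkt else "plain"), out


def to_ios_acl(number, acl):
    """Render the model ACL as IOS numbered extended ACL lines (wildcard masks)."""
    def addr(net):
        n = ipaddress.ip_network(net)
        return "any" if n.prefixlen == 0 else f"{n.network_address} {n.hostmask}"
    return [f"access-list {number} {a.action} ip {addr(a.src_net)} {addr(a.dst_net)}"
            for a in acl]


if __name__ == "__main__":
    to_hq = Packet("192.168.10.5", "10.0.0.20")
    to_web = Packet("192.168.10.5", "198.51.100.20")
    cases = [
        ("crypto first, overload all, to HQ ", to_hq, NAT_ACL_OVERLOAD_ALL, False),
        ("NAT first,    overload all, to HQ ", to_hq, NAT_ACL_OVERLOAD_ALL, True),
        ("NAT first,    HQ exempted,  to HQ ", to_hq, NAT_ACL_EXEMPT_HQ, True),
        ("NAT first,    HQ exempted,  to web", to_web, NAT_ACL_EXEMPT_HQ, True),
    ]
    for label, pkt, nat_acl, order in cases:
        outcome, out = forward(pkt, nat_acl, CRYPTO_ACL, order)
        print(f"{label}: {outcome:9s} src={out.src}")
    print("\n".join(to_ios_acl(101, NAT_ACL_EXEMPT_HQ)))
```

The second case is the symptom from the post above: once the host's address is overloaded before the crypto check, its head-office packets carry the public source address, fail the crypto ACL and leave in clear as ordinary internet traffic. The third case shows that a deny entry for the LAN-to-head-office pair at the top of the NAT ACL (the rendered `access-list 101` lines at the end) keeps that traffic untranslated and therefore encrypted, while everything else is still overloaded; the crypto ACL and the NAT ACL then list the same source/destination pair with opposite actions.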