IPSEC NAT transparency problems

marcus.glover
Level 1

Hi All,

I'm trying to do NAT on one end of an IPSEC tunnel, which I believe is now possible (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm).

Setup as follows:

---NetA---rtr-A-----rtr-B-----NetB

The objective is that hosts on NetB are to be NAT-ed to hosts on NetA. Between rtr-A and rtr-B we have IPSEC + GRE to pass EIGRP.

Configs:

rtr-A

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key iskey address 0.0.0.0
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
 mode transport
!
crypto map TPOC 10 ipsec-isakmp
 set peer 192.168.97.2
 set transform-set trans
 match address 100
!
interface Tunnel0
 ip address 192.168.189.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 192.168.97.2
 crypto map TPOC
int s 0/0/0
 ip add 192.168.97.1 255.255.255.252
 mtu 1574
 crypto map TPOC
 ip nat inside
int fa 0/0
 ip add 10.0.0.1 255.255.255.0
 ip nat outside
router eigrp 1
 passive-interface s 0/0/0
 network 192.168.97.0
 network 192.168.189.0
 network 172.27.0.0
 no auto
access-list 100 permit gre host 192.168.97.1 host 192.168.97.2
ip nat inside source static 172.27.0.3 10.0.0.3

rtr-B

int loopback 0
 ip add 172.27.0.3 255.255.255.255
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key isakey address 0.0.0.0
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
 mode transport
!
crypto map TPOC 10 ipsec-isakmp
 set peer 192.168.97.1
 set transform-set trans
 match address 100
!
interface Tunnel0
 ip address 192.168.189.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 192.168.97.1
 crypto map TPOC
int s 0/0/0
 ip add 192.168.97.2 255.255.255.252
 mtu 1574
 crypto map TPOC
router eigrp 1
 passive-interface s 0/0/0
 network 192.168.97.0
 network 10.0.0.0
 network 192.168.189.0
 network 172.27.0.0
 no auto
access-list 100 permit gre host 192.168.97.2 host 192.168.97.1

+++++++++

What happens is that when a host on NetA tries to ping 10.0.0.3, the address is translated and the ping is sent via the IPSEC tunnel after GRE encapsulation. However, when the ping reply is returned, the reply is from 172.27.0.3, i.e. the destination has not been translated back in the ping reply.

Is NAT transparency supposed to fix this or is this type of configuration not possible with both NAT and IPSEC?

Thanks for your help,

Marcus
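A simplified model, added here (not from the post), of how IOS applies a static "ip nat inside source" translation only when a packet crosses an "ip nat inside" / "ip nat outside" interface pair; run against the interface roles in rtr-A's config it reproduces the untranslated reply, and with Tunnel0 assumed to carry "ip nat inside" (an assumption, not in the post) the reply source is rewritten. The NetA host address 10.0.0.10 is constructed.

```python
# Constructed, simplified model of IOS NAT domain semantics (added example,
# not from the original post). Rules modelled: inside->outside translation
# needs ingress on an "ip nat inside" interface and egress on an
# "ip nat outside" interface; outside->inside translation is applied at
# ingress on an "ip nat outside" interface, before routing. Real IOS has
# more cases; only the static rule from the post is modelled.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# ip nat inside source static 172.27.0.3 10.0.0.3  (inside-local -> inside-global)
STATIC = {"172.27.0.3": "10.0.0.3"}
STATIC_REV = {g: l for l, g in STATIC.items()}


def nat(pkt, ingress, egress, roles):
    """Apply the static translation for a packet crossing ingress -> egress.
    roles maps interface name -> 'inside' | 'outside' | None."""
    if roles.get(ingress) == "outside" and pkt.dst in STATIC_REV:
        # outside->inside: rewrite destination (inside-global -> inside-local)
        return replace(pkt, dst=STATIC_REV[pkt.dst])
    if (roles.get(ingress) == "inside" and roles.get(egress) == "outside"
            and pkt.src in STATIC):
        # inside->outside: rewrite source (inside-local -> inside-global)
        return replace(pkt, src=STATIC[pkt.src])
    return pkt  # no NAT domain boundary crossed: forwarded unchanged


def ping_round_trip(roles, host="10.0.0.10"):
    """Echo request from a NetA host (constructed address) to 10.0.0.3 and
    the echo reply back. Returns (src, dst) of the reply as NetA sees it."""
    req = nat(Packet(src=host, dst="10.0.0.3"), "fa0/0", "Tunnel0", roles)
    # rtr-B answers from the real address of the pinged loopback
    reply = nat(Packet(src=req.dst, dst=req.src), "Tunnel0", "fa0/0", roles)
    return reply.src, reply.dst


# Roles exactly as in rtr-A's posted config: Tunnel0 has no NAT role
AS_POSTED = {"Serial0/0/0": "inside", "fa0/0": "outside", "Tunnel0": None}
# Assumed alternative (not from the post): tunnel interface marked inside
TUNNEL_INSIDE = {**AS_POSTED, "Tunnel0": "inside"}

if __name__ == "__main__":
    print("as posted:     reply src/dst =", ping_round_trip(AS_POSTED))
    print("tunnel inside: reply src/dst =", ping_round_trip(TUNNEL_INSIDE))
```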