NAT with overlapping IP Space and IOS firewall/IPSEC

Phil Williamson
Level 1

My perimeter router is also the CBAC and IPSEC gateway. I need to configure some static NAT for overlapping IP space and pass it through a VPN tunnel. Is this possible on just the one router? I've looked at the order of NAT, IPSEC, ACLs etc. and it seems possible. Any comments before I forge ahead?

3 Replies

gfullage
Cisco Employee

NAT happens before encryption in a router, so add your static NAT in just as normal. Then for your crypto ACL, specify the source as the already NAT'd address going to the remote subnet, and it will be NAT'd and encrypted fine.

On the way back decryption happens before NAT, so the packet will be decrypted then NAT'd back to its original address; nothing special needs to be done here.

FYI, the same principle happens in a PIX, so if you ever want to do that (nat and encryption), then just do the same thing as above.

Hope that helps.

Glenn - Yes, that was what I needed. I'm now seeing this crypto debug message that I cannot figure out. It's keeping NAT phase 1 from completing it appears. I'm trying to create a tunnel to a Netscreen firewall if that helps.

*Mar 1 00:17:51: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 208.61.250.87 was not encrypted and it should've been.

The suggestion is to contact the remote peer and ??? What do I tell the Netscreen guy?

Thanks

This message means the router has received an unencrypted packet that matches one of its crypto ACLs, therefore it knows that it should have been encrypted, and it drops it.

So, the Netscreen is sending you unencrypted packets, so it has not been set up correctly. I don't know specifically what parameters to check on a Netscreen, but there'll be something in it that says "encrypt traffic from address to address". In the Cisco router this is your crypto ACL; Netscreen will have something similar, I presume. You have to make sure the source and destination addresses/subnets defined here are the exact opposite of each other on both sides, otherwise you get this error.
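The two points made in this thread (the crypto ACL must name the post-NAT address because NAT runs before encryption, and the peer's proxy identities must be the exact mirror of the local crypto ACL) can be checked before bringing the tunnel up. The script below is an added example, not from the thread or from Cisco; the static NAT mapping, ACL lines and the Netscreen-side proxy IDs are constructed sample values, and the Netscreen entries are assumed to be already expressed as (source, destination) CIDR pairs.

```python
import ipaddress


def wildcard_to_cidr(addr, wildcard):
    """IOS 'address wildcard' (172.16.1.0 0.0.0.255) -> CIDR; a 0.0.0.0 wildcard is one host
    (ipaddress would otherwise read that mask as /0)."""
    if wildcard == "0.0.0.0":
        return f"{addr}/32"
    return str(ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False))


def parse_ios_crypto_acl(lines):
    """Parse 'permit ip <src> <dst>' lines (wildcard, host or any forms) into (src, dst) CIDR pairs."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # deny lines and remarks do not define proxy identities
        nets, rest = [], tokens[2:]
        while rest:
            if rest[0] == "any":
                nets.append("0.0.0.0/0")
                rest = rest[1:]
            else:  # 'host A' or 'A WILDCARD': both consume two tokens
                nets.append(f"{rest[1]}/32" if rest[0] == "host" else wildcard_to_cidr(rest[0], rest[1]))
                rest = rest[2:]
        entries.append((nets[0], nets[1]))
    return entries


def check_tunnel(local_acl, remote_proxy_ids, static_nat):
    """static_nat maps inside-local (real) host -> inside-global (translated) host."""
    problems = []
    real_hosts = [ipaddress.ip_address(h) for h in static_nat]
    for src, dst in local_acl:
        # NAT runs before encryption outbound, so the crypto ACL must name the translated address
        if any(h in ipaddress.ip_network(src) for h in real_hosts):
            problems.append(f"{src} -> {dst}: source is a pre-NAT address; use the inside-global address")
        # the peer's proxy IDs must be the exact mirror, or its traffic arrives unencrypted
        if (dst, src) not in remote_proxy_ids:
            problems.append(f"{src} -> {dst}: no mirror entry {dst} -> {src} on the remote peer")
    return problems


# Constructed sample: our 10.1.1.0/24 overlaps a subnet at the remote site, so host
# 10.1.1.10 is presented to the tunnel as 172.16.1.10 through static NAT.
STATIC_NAT = {"10.1.1.10": "172.16.1.10"}
LOCAL_CRYPTO_ACL = [
    "permit ip host 172.16.1.10 192.168.5.0 0.0.0.255",  # correct: translated source
    "permit ip host 10.1.1.10 192.168.5.0 0.0.0.255",    # wrong: pre-NAT source never matches
]
REMOTE_PROXY_IDS = [("192.168.5.0/24", "172.16.1.10/32")]  # Netscreen side, mirrored
```

Calling `check_tunnel(parse_ios_crypto_acl(LOCAL_CRYPTO_ACL), REMOTE_PROXY_IDS, STATIC_NAT)` reports the second ACL line twice: once for using the pre-NAT source and once because the peer holds no mirror of it.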