Order of Operation IPSEC - GRE - NAT

jkrawczyk
Level 1

I need someone to help me understand the traffic flow, or order of operation, with regard to IPsec, GRE and NAT. I've reviewed the NAT order of operation document published on the Cisco site, but I'm still a bit confused. If this post's readers can review the below and answer my questions at the bottom, it would be greatly appreciated!

Scenario:

I have an IPsec tunnel between my Cisco 2691 VPN router (peer address 64.80.80.130) and a Netscreen firewall (peer address 64.80.80.188). There is a switch between my inside Cisco 2691 VPN router and my outside Cisco basic Internet connection router; the Netscreen is attached to this switch as well.

Behind my Cisco 2691 I have RFC 1918 address space 172.30.7.0/24.

Behind my customer's Netscreen we have RFC 1918 address space 10.139.51.0/24.

Here's my modified configuration, containing bogus keys, addresses, etc.

Cisco 2691:

crypto isakmp key 123456789 address 64.80.80.188
!
crypto map FASTETHERNET00 71 ipsec-isakmp
 set peer 64.80.80.188
 set transform-set ESP_3DES-ESP_SHA_HMAC
 set pfs group2
 match address 104
!
interface FastEthernet0/0
 description Connect to Internet switch / router
 ip address 64.80.80.130 255.255.255.192
 ip access-group 120 in
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map FASTETHERNET00
!
interface FastEthernet0/1
 description Inside Network
 ip address 172.30.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip nat pool WWWPOOL 64.80.80.190 64.80.80.190 netmask 255.255.255.192
ip nat inside source route-map NAT pool WWWPOOL overload
!
access-list 100 permit ip 172.30.7.0 0.0.0.255 any
access-list 104 permit ip 172.30.7.0 0.0.0.255 10.139.51.0 0.0.0.255
access-list 120 permit esp host 64.80.80.188 host 64.80.80.130
access-list 120 permit udp host 64.80.80.188 host 64.80.80.130 eq isakmp
!
route-map NAT permit 50
 match ip address 100

Questions:

1. Am I correct to assume that, since the packet from source 172.30.7.25 is destined for 10.139.51.16, the crypto match (ACL 104) takes precedence over ACL 100 and therefore this packet is not run through the NAT engine? I don't want this address to be translated; I want it to be filtered and sent through the VPN tunnel to the Netscreen.

2. On the return from the Netscreen (source IP 10.139.51.16, destination IP 172.30.7.25), I'm assuming that this packet is decrypted and these RFC 1918 addresses are then processed by my 2691 router.

If anyone can share a link with me as well, that would be helpful.

Kind Regards

Jeff

2 Replies

jkrawczyk
Level 1

Maybe the question I need answered is this: once the packet reaches my 2691 and the IPsec is decrypted, will I need to add the RFC 1918 range 10.139.51.0 to my access-list 120? If so, this is where my problem is.

rajimish
Level 1

Jeff,

The order is NAT and then encryption for an outgoing packet, and the order is reversed for return traffic, i.e. decryption and then NAT.

In your case you have to make a small change to your access-list 100. You have to add another statement to access-list 100 to "deny" the interesting traffic from being NATted:

access-list 100 deny ip 172.30.7.0 0.0.0.255 10.139.51.0 0.0.0.255

access-list 100 permit ip 172.30.7.0 0.0.0.255 any

Do clear your existing translations with "clear ip nat tran *" to get this working.

Thanks!
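Added example, not code from the post or from Cisco: a small Python model of the order of operations the reply describes, run over the ACLs from the original post. On the way out it applies NAT first (reusing an existing translation-table entry before ACL 100 is consulted, which is why the reply says to clear the table) and only then evaluates the crypto map's `match address 104`; on the way back it decrypts first and then undoes the translation. The model ignores PAT port numbers, the interface access-lists and `ip inspect`, and it does not decide whether the decrypted return packet is checked against access-list 120, which the thread leaves open. The address 203.0.113.10 is a constructed Internet host used for the ordinary web flow.

```python
"""Added example (not Cisco code): a simplified model of the IOS order of
operations from the reply, applied to the ACLs in the original post."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network; 'any' -> 0.0.0.0/0.
    Only contiguous wildcards are handled (the only kind the post uses)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


class ExtendedAcl:
    """Ordered entries (action, src, src_wildcard, dst, dst_wildcard); implicit deny last."""

    def __init__(self, entries):
        self.entries = [(a, wildcard_to_network(s, sw), wildcard_to_network(d, dw))
                        for a, s, sw, d, dw in entries]

    def permits(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, s, d in self.entries:
            if src in s and dst in d:
                return action == "permit"
        return False


# ACLs as posted: 104 is the crypto map 'match address', 100 feeds the NAT route-map.
ACL_104 = ExtendedAcl([("permit", "172.30.7.0", "0.0.0.255", "10.139.51.0", "0.0.0.255")])
ACL_100_ORIGINAL = ExtendedAcl([("permit", "172.30.7.0", "0.0.0.255", "any", None)])
ACL_100_FIXED = ExtendedAcl([  # the deny from the reply keeps VPN traffic out of NAT
    ("deny", "172.30.7.0", "0.0.0.255", "10.139.51.0", "0.0.0.255"),
    ("permit", "172.30.7.0", "0.0.0.255", "any", None),
])
WWWPOOL = "64.80.80.190"  # ip nat pool WWWPOOL ... overload (ports not modelled)


def inside_to_outside(pkt, nat_acl, crypto_acl, nat_table):
    """Abridged inside->outside order: NAT inside->outside, then the crypto map check.
    nat_table stands in for 'show ip nat translations', keyed (inside-local, destination)."""
    steps = []
    key = (pkt.src, pkt.dst)
    if key in nat_table:                        # an existing translation is reused as-is;
        pkt = replace(pkt, src=nat_table[key])  # the route-map ACL is not consulted again
        steps.append("nat:existing")
    elif nat_acl.permits(pkt):                  # otherwise create one if ACL 100 permits
        nat_table[key] = WWWPOOL
        pkt = replace(pkt, src=WWWPOOL)
        steps.append(f"nat:src->{WWWPOOL}")
    # The crypto map only sees the packet after NAT has rewritten the source address.
    steps.append("encrypt" if crypto_acl.permits(pkt) else "cleartext")
    return pkt, steps


def outside_to_inside(pkt, nat_table, via_tunnel):
    """Abridged outside->inside order: decrypt (if it arrived in the tunnel),
    then NAT outside->inside, which undoes a translation created on the way out."""
    steps = ["decrypt"] if via_tunnel else []
    for (local, remote), global_ip in nat_table.items():
        if pkt.dst == global_ip and pkt.src == remote:
            pkt = replace(pkt, dst=local)
            steps.append(f"nat:dst->{local}")
            break
    else:
        steps.append("no-nat")
    return pkt, steps


def demo():
    """Walk the packet from the post through both ACL 100 variants; returns the traces."""
    vpn = Packet("172.30.7.25", "10.139.51.16")
    table = {}
    before = inside_to_outside(vpn, ACL_100_ORIGINAL, ACL_104, table)  # translated, not encrypted
    stale = inside_to_outside(vpn, ACL_100_FIXED, ACL_104, table)      # old entry still wins
    table.clear()                                                       # clear ip nat tran *
    after = inside_to_outside(vpn, ACL_100_FIXED, ACL_104, table)      # now hits the crypto map
    back = outside_to_inside(Packet("10.139.51.16", "172.30.7.25"), table, via_tunnel=True)
    return before, stale, after, back


if __name__ == "__main__":
    for label, (pkt, steps) in zip(("before", "stale", "after", "return"), demo()):
        print(f"{label:7s} {pkt.src} -> {pkt.dst}  {' / '.join(steps)}")
```

Running it prints four traces: with the posted ACL 100 the packet leaves as 64.80.80.190 and the crypto map no longer matches it; with the deny in place but a stale translation still in the table it is still translated; after the table is cleared it matches ACL 104 and is marked for encryption; and the tunnel return packet is decrypted and delivered to 172.30.7.25 without any translation.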