03-09-2005 08:03 AM - edited 02-21-2020 01:39 PM
I need someone to help me to understand traffic flow, or order of operation, in regards to IPSec, GRE and NAT. I've reviewed the NAT order of operation sponsored on the Cisco site, but I'm still a bit confused. If this post's readers can review the below and answer my questions at the bottom, this would be greatly appreciated!
Scenario:
I have an IPSec tunnel between my Cisco 2691 VPN router, peer address 64.80.80.130, and a Netscreen firewall with peer address 64.80.80.188. I have a switch between my inside Cisco 2691 VPN router and my outside Cisco basic Internet connection router. This Netscreen is attached to this switch as well.
Behind my Cisco 2691 I have RFC 1918 address space 172.30.7.0/24.
Behind my customer's Netscreen we have RFC 1918 address space 10.139.51.0/24.
Here's my modified configuration containing bogus keys, addresses, etc.
Cisco 2691:
crypto isakmp key 123456789 address 64.80.80.188
crypto map FASTETHERNET00 71 ipsec-isakmp
set peer 64.80.80.188
set transform-set ESP_3DES-ESP_SHA_HMAC
set pfs group2
match address 104
interface FastEthernet0/0
description Connect to Internet switch / router
ip address 64.80.80.130 255.255.255.192
ip access-group 120 in
ip nat outside
ip inspect FW out
ip virtual-reassembly
duplex full
speed 100
crypto map FASTETHERNET00
interface FastEthernet0/1
description Inside Network
ip address 172.30.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
ip nat pool WWWPOOL 64.80.80.190 64.80.80.190 netmask 255.255.255.192
ip nat inside source route-map NAT pool WWWPOOL overload
!
access-list 100 permit ip 172.30.7.0 0.0.0.255 any
access-list 104 permit ip 172.30.7.0 0.0.0.255 10.139.51.0 0.0.0.255
access-list 120 permit esp host 64.80.80.188 host 64.80.80.130
access-list 120 permit udp host 64.80.80.188 host 64.80.80.130 eq isakmp
route-map NAT permit 50
match ip address 100
Questions:
1. Am I correct to assume that since source packet 172.30.7.25 is destined for 10.139.51.16, the crypto match (ACL 104) takes precedence over ACL 100 and therefore this packet is not run through the NAT engine? I don't want this address to be translated. I want it to be filtered and sent through the VPN tunnel to the Netscreen.
2. On the return from the Netscreen, source IP 10.139.51.16, destination IP 172.30.7.25; I'm assuming that this packet is decrypted and these RFC 1918 addresses are then processed by my 2691 router.
If anyone can share a link with me as well, this would be helpful.
Kind Regards
Jeff
03-09-2005 10:28 AM
Maybe the question I need answered is this: Once the packet reaches my 2691 and the IPsec is decrypted, will I need to add this RFC address of 10.139.51.0 into my access-list 120? If so, this is where my problem is.
03-10-2005 06:12 PM
Jeff,
The order is NAT and then encryption for the outgoing packet, and the order is reversed for return traffic, i.e. decryption and then NAT.
In your case you have to make a small change in your access-list 100. You have to add another statement in access-list 100 to "deny" interesting traffic from being natted.
access-list 100 deny ip 172.30.7.0 0.0.0.255 10.139.51.0 0.0.0.255
access-list 100 permit ip 172.30.7.0 0.0.0.255 any
Do clear your existing translations with "clear ip nat tran *" to get this working.
Thanks!
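An added illustration of the order of operations the answer describes, written as a small Python model (not Cisco code and not from this thread): inside-to-outside NAT is decided first from access-list 100 via route-map NAT, and only then is the crypto map's access-list 104 checked against the post-NAT packet. The addresses, pool and ACLs are the ones posted above; the first-match/implicit-deny ACL evaluator and the single-step NAT are simplifying assumptions.

```python
import ipaddress

# Constructed model of IOS inside->outside processing for this thread's
# config: NAT (route-map NAT -> access-list 100) runs before the crypto
# map match (access-list 104). Assumption: a single first-match ACL walk.

def match_wildcard(addr, network, wildcard):
    """IOS-style wildcard match: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end of every ACL."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if match_wildcard(src, s_net, s_wc) and match_wildcard(dst, d_net, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")

# access-list 104: the crypto map's interesting traffic, as posted
ACL_104 = [("permit", "172.30.7.0", "0.0.0.255", "10.139.51.0", "0.0.0.255")]

# access-list 100 as originally posted: NAT everything from 172.30.7.0/24
ACL_100_ORIG = [("permit", "172.30.7.0", "0.0.0.255", *ANY)]

# access-list 100 with the deny line the answer recommends, placed first
ACL_100_FIXED = [("deny", "172.30.7.0", "0.0.0.255", "10.139.51.0", "0.0.0.255"),
                 ("permit", "172.30.7.0", "0.0.0.255", *ANY)]

NAT_POOL_ADDR = "64.80.80.190"   # ip nat pool WWWPOOL (overload)

def forward_outbound(src, dst, nat_acl):
    """Return (source address on the wire, True if the packet enters the tunnel)."""
    # Step 1: inside->outside NAT, gated by route-map NAT -> access-list 100
    wire_src = NAT_POOL_ADDR if acl_permits(nat_acl, src, dst) else src
    # Step 2: crypto map match on the packet as it looks after NAT
    encrypted = acl_permits(ACL_104, wire_src, dst)
    return wire_src, encrypted

if __name__ == "__main__":
    for label, acl in (("original ACL 100", ACL_100_ORIG), ("fixed ACL 100", ACL_100_FIXED)):
        print(label, forward_outbound("172.30.7.25", "10.139.51.16", acl))
```

With the original ACL 100 the packet leaves as 64.80.80.190 and no longer matches ACL 104, so it bypasses the tunnel; with the deny line it keeps 172.30.7.25 and is encrypted, while ordinary Internet traffic is still translated.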