11-27-2019 04:14 AM
Dear all,
below lab R1 1.1.1.1/8 wan ip and lan ip 192.168.1.1/24 R3 wan ip 11.11.11.2/29 &lan 172.16.0.0/16
now i make ipsec between above network successfully establish ,but the task is there is a secondary ip of the router R3 10.10.10.1/24 to establish site to site once i changed from R1 phase2 (for ip ) show crypto iskamp sa R1 the tunnel established (11.11.11.2 1.1.1.1 QM_IDLE 1002 ACTIVE)
but not pinging from interest traffic ???? 2nd i make network translation R2 and revert the configuration to primary ip so the tunnel is not came up but translation is working any idea ?
i have a lab
11-28-2019 01:42 PM
11-30-2019 10:13 PM - edited 11-30-2019 11:10 PM
dear sir,
i try with below configuration
R1
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco123 address 11.11.11.3
crypto ipsec transform-set aws esp-aes 256 esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer 11.11.11.3
set transform-set aws
match address cry
interface Ethernet0/0
ip address 1.1.1.1 255.0.0.0
crypto map mymap
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
no ip address
shutdown
interface Ethernet0/3
no ip address
shutdown
router rip
version 2
network 1.0.0.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.10.10.0 255.255.255.0 1.1.1.2
ip access-list extended cry
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
R3
multilink bundle-name authenticated
username amjad.khan privilege 15 password 0 cisco
!
redundancy
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set aws esp-aes 256 esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set aws
match address cry
interface Loopback1
ip address 11.11.11.9 255.255.255.255
interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0 secondary
ip address 11.11.11.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map mymap
interface Ethernet0/1
ip address 172.16.1.1 255.255.0.0
!
interface Ethernet0/2
ip address 172.17.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/3
no ip address
shutdown
router rip
version 2
network 11.0.0.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list outside interface Ethernet0/0 overload
ip nat inside source static 172.17.1.1 11.11.11.3
ip route 0.0.0.0 0.0.0.0 11.11.11.1
ip access-list extended cry
permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
ip access-list extended outside
permit ip any host 172.17.1.1
11-30-2019 11:09 PM
dear sir,
below is the result , but from pc to pc not pinging .
R1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.11.11.3 1.1.1.1 QM_IDLE 1003 ACTIVE
11.11.11.3 1.1.1.1 MM_NO_STATE 1002 ACTIVE (deleted)
11.11.11.2 1.1.1.1 MM_NO_STATE 1001 ACTIVE (deleted)
R3
R3#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 11.11.11.3:500 172.17.1.1:500 1.1.1.1:500 1.1.1.1:500
udp 11.11.11.3:500 172.17.1.1:500 1.1.1.1:500 1.1.1.1:500
udp 11.11.11.3:4500 172.17.1.1:4500 1.1.1.1:4500 1.1.1.1:4500
--- 11.11.11.3 172.17.1.1 --- ---
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide