04-25-2015 03:40 PM
Hi,
I have configured two LANs with NAT. There is an ISP router in between these routers to emulate the internet.
I would like to configure a site-to-site VPN between these two routers.
Here is the configuration of R1 and R3:
R1:
hostname R1
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 0 address 209.123.123.33
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
set peer 209.123.123.33
set pfs group2
set security-association lifetime seconds 86400
set transform-set yasser
match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 172.16.1.21 255.255.248.0
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.16.8.99 255.255.248.0
ip nat inside
!
interface Serial0/3/0
ip address 209.123.123.1 255.255.255.240
ip nat outside
clock rate 128000
crypto map auda
!
router ospf 1
router-id 15.15.15.15
log-adjacency-changes
network 172.16.8.0 0.0.7.255 area 1
network 209.123.123.0 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
permit 172.16.8.0 0.0.7.255
ip access-list extended ramzy
permit ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
R3:
hostname R3
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 0 address 209.123.123.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
set peer 209.123.123.1
set pfs group2
set security-association lifetime seconds 86400
set transform-set yasser
match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 172.16.1.22 255.255.248.0
duplex auto
speed auto
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 172.16.40.99 255.255.248.0
ip nat inside
!
interface Serial0/3/1
ip address 209.123.123.33 255.255.255.240
ip nat outside
crypto map auda
!
router ospf 1
router-id 25.25.25.25
log-adjacency-changes
network 172.16.40.0 0.0.7.255 area 2
network 209.123.123.32 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/1 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
permit 172.16.40.0 0.0.7.255
ip access-list extended ramzy
permit ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
Attempting to ping from PC-A (172.16.8.1) to PC-C (172.16.40.1) doesn't work.
I have tried numerous times to get traffic to flow through the tunnel with no success. Can anyone tell me where I am going wrong?
Thanks,
Josh
04-26-2015 12:26 PM
Hi Josh,
On this deployment, you will not be able to ping or reach the other side because of the NAT: it is dynamically NATting the IP addresses. You will need to do the following:
R1:
no ip nat inside source list ADDRESSES interface Serial0/3/0 overload
no ip access-list standard ADDRESSES
ip access-list extended ADDRESSES_NAT
 ! exempt LAN-to-LAN traffic from NAT so it still matches the crypto ACL
 deny ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
 ! keep translating everything else (without this line the ACL matches nothing)
 permit ip 172.16.8.0 0.0.7.255 any
ip nat inside source list ADDRESSES_NAT interface Serial0/3/0 overload
R3:
no ip nat inside source list ADDRESSES interface Serial0/3/1 overload
no ip access-list standard ADDRESSES
ip access-list extended ADDRESSES_NAT
 ! exempt LAN-to-LAN traffic from NAT so it still matches the crypto ACL
 deny ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
 ! keep translating everything else (without this line the ACL matches nothing)
 permit ip 172.16.40.0 0.0.7.255 any
ip nat inside source list ADDRESSES_NAT interface Serial0/3/1 overload
With these show commands you can make sure phase 1 and phase 2 are up and working:
- show crypto isakmp sa
- show crypto ipsec sa
Hope this helps!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards
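The reason behind David's fix, shown as an added model rather than anything from the thread: on inside-to-outside traffic IOS applies NAT before the crypto map is consulted, so a packet whose source has already been translated to the Serial0/3/0 address no longer matches the crypto ACL "ramzy" and leaves in the clear. The script below evaluates R1's ACLs from the thread (the original standard ACL and the corrected NAT-exemption ACL) against a packet from PC-A to PC-C and an internet-bound packet; the ACL structures, the outside address and the ordering model are constructed assumptions.

```python
import ipaddress

def net(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (assumes a contiguous wildcard)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl_lookup(acl, src, dst):
    """Evaluate an extended ACL top-down with the implicit deny IOS appends at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

ANY = ipaddress.IPv4Network("0.0.0.0/0")
LAN_A = net("172.16.8.0", "0.0.7.255")    # PC-A side, behind R1
LAN_C = net("172.16.40.0", "0.0.7.255")   # PC-C side, behind R3

# Crypto ACL "ramzy" on R1, as posted in the thread.
CRYPTO_ACL = [("permit", LAN_A, LAN_C)]
# Original NAT ACL "ADDRESSES": a standard ACL matches on source only, so destination is any.
NAT_ACL_ORIG = [("permit", LAN_A, ANY)]
# Corrected NAT ACL "ADDRESSES_NAT": exempt LAN-to-LAN, keep translating the rest.
NAT_ACL_FIXED = [("deny", LAN_A, LAN_C), ("permit", LAN_A, ANY)]

OUTSIDE_IP = ipaddress.IPv4Address("209.123.123.1")  # R1 Serial0/3/0, the PAT address

def forward(nat_acl, src, dst):
    """Model of the inside-to-outside order of operations: NAT overload runs first,
    then the crypto map matches on the (possibly translated) packet.
    Returns (source address as sent on the wire, whether it was encrypted)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP  # translated to the outside interface address
    encrypted = acl_lookup(CRYPTO_ACL, src, dst) == "permit"
    return str(src), encrypted

if __name__ == "__main__":
    for label, acl in (("original", NAT_ACL_ORIG), ("fixed", NAT_ACL_FIXED)):
        print(label, "PC-A -> PC-C:", forward(acl, "172.16.8.1", "172.16.40.1"))
        print(label, "PC-A -> internet:", forward(acl, "172.16.8.1", "198.51.100.10"))
```

The last case in the test shows why the permit line matters: a NAT ACL containing only the deny matches nothing, so internet-bound traffic would leave untranslated.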
04-26-2015 03:23 PM
Thanks for your help, David.
Much appreciated!
Regards,
Josh Broadbent
04-26-2015 07:38 PM
Hi Josh,
It was a pleasure, let me know if you have any doubts!
David Castro,
Regards