04-12-2008 04:48 AM - edited 02-21-2020 03:40 PM
I've created an IPsec tunnel between two PIX 515Es. One interface of Pix1 is NATed to a public IP address by the outside router R1. On the Pix1 interface "VPN" I have placed router R2 for creating the GRE tunnel. IPsec is up but GRE is down. On the other side is Pix2, whose outside interface has a public IP address; on its interface "VPN2" is router R3 for GRE. In router R1 there is no access list that denies anything. The router versions are 12.4, Pix1 is version 7.04 and Pix2 is version 6.3. Can anyone give any suggestion? Somebody said that I should allow the traffic between the two loopbacks for GRE in R1. I don't know how.
04-12-2008 07:08 AM
Try this
Router 1:-
interface loopback0
 ip address 192.168.1.1 255.255.255.255 (or a similar IP range)
!
interface tunnel 1
 ip address 172.16.1.1 255.255.255.252 (or a similar IP range)
 tunnel source loopback0
 tunnel destination 192.168.1.2
!
ip route 192.168.1.2 255.255.255.255 <
Firewall 1:-
access-list vpn-R2 extended permit ip host 192.168.1.1 host 192.168.1.2
route outside 192.168.1.2 255.255.255.255 <
crypto map <
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Router 2:-
interface loopback0
 ip address 192.168.1.2 255.255.255.255 (or a similar IP range)
!
interface tunnel 1
 ip address 172.16.1.2 255.255.255.252 (or a similar IP range)
 tunnel source loopback0
 tunnel destination 192.168.1.1
!
ip route 192.168.1.1 255.255.255.255 <
Firewall 2:-
! on PIX 6.3 the ACL has no "extended" keyword: access-list vpn-R1 permit ip host 192.168.1.2 host 192.168.1.1
access-list vpn-R1 extended permit ip host 192.168.1.2 host 192.168.1.1
route outside 192.168.1.1 255.255.255.255 <
crypto map <
HTH
04-13-2008 07:33 AM
Hi Andrew
Have a look at the schema: R2 (GRE) -> Pix1 (IPsec) -> R1 (NAT) -- /\Internet\/ -- Pix2 (IPsec) -> R3 (GRE). The private IP address of Pix1 is NATed by R1 to the public IP address. But I cannot receive any request for ESP; I receive only UDP 500 and UDP 4500. I've heard in one forum that router R1 cannot NAT ESP, only TCP and UDP, and as a result this schema is not viable. I must place the interface of Pix1 directly on the Internet without NATing the IP address. Have a look at this and tell me whether those things are true.
04-13-2008 08:31 AM
Routers did have issues NATing ESP. However, you can configure IPsec NAT Transparency on your router from version 12.2T:-
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html
However, I think it is always good practice to have the firewall's outside interface directly connected to the Internet; it makes things easier in the topology and in troubleshooting.
HTH.
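An added example, not part of this thread or of either poster's configuration, that models the two points made in the answers above: the crypto ACL only protects GRE that is sourced from and destined to the loopback endpoints, and a port-overloading NAT router such as R1 has no layer-4 port to key a translation on for protocol 50 (ESP), which is what NAT-T on UDP 4500 solves. The addresses, the SPI, the simplified PAT model (no ESP-aware ALG) and the packet bytes are constructed for illustration; the UDP/4500 demultiplexing rule (a four-zero-byte non-ESP marker means IKE, anything else is an ESP header whose SPI is never zero) is from RFC 3948.

```python
"""Constructed demo: crypto-ACL matching, ESP behind a PAT router, and NAT-T."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None      # present only for TCP/UDP
    dport: Optional[int] = None
    payload: bytes = b""


# 1. Crypto ACL: the PIX only encrypts traffic that matches it. This encodes
#    'access-list vpn-R2 extended permit ip host 192.168.1.1 host 192.168.1.2'.
VPN_R2_ACL = [("192.168.1.1/32", "192.168.1.2/32", None)]   # None = any IP protocol


def crypto_acl_match(pkt: Packet, acl) -> bool:
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               and (p is None or p == pkt.proto) for sn, dn, p in acl)


# 2. ESP as the PIX emits it: SPI, sequence number, then ciphertext (RFC 4303).
def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    if spi == 0:
        raise ValueError("SPI 0 is reserved; NAT-T relies on that")
    return struct.pack("!II", spi, seq) + ciphertext


# 3. A minimal PAT (overload) router standing in for R1. Assumption, matching
#    what the thread reports: no ESP-aware ALG, so it can only overload TCP/UDP.
class PatRouter:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (IPPROTO_TCP, IPPROTO_UDP):
            return None                  # dropped: nothing to key an entry on
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, pub_port, pkt.dport, pkt.payload)


# 4. NAT-T (RFC 3948): ESP rides inside UDP/4500, so PAT has ports to work with.
#    IKE on the same port carries a 4-byte zero "non-ESP marker" first.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def natt_wrap(src: str, dst: str, esp: bytes) -> Packet:
    return Packet(src, dst, IPPROTO_UDP, 4500, 4500, esp)


def classify_udp4500(payload: bytes) -> str:
    if payload.startswith(NON_ESP_MARKER):
        return "IKE"
    spi = struct.unpack("!I", payload[:4])[0]
    return f"ESP spi=0x{spi:08x}"


def demo() -> dict:
    gre_ok = Packet("192.168.1.1", "192.168.1.2", IPPROTO_GRE)   # loopback to loopback
    gre_bad = Packet("10.0.0.1", "192.168.1.2", IPPROTO_GRE)     # sourced from a LAN address
    r1 = PatRouter("203.0.113.10")                               # constructed public address
    esp = build_esp(0xC0FFEE, 1, b"\x01\x02\x03")
    raw_esp = r1.translate(Packet("10.1.1.1", "198.51.100.5", IPPROTO_ESP, payload=esp))
    natt = r1.translate(natt_wrap("10.1.1.1", "198.51.100.5", esp))
    return {
        "gre_matches_acl": crypto_acl_match(gre_ok, VPN_R2_ACL),
        "wrong_source_matches_acl": crypto_acl_match(gre_bad, VPN_R2_ACL),
        "raw_esp_through_pat": raw_esp is not None,
        "natt_through_pat": natt is not None and natt.dport == 4500,
        "natt_payload_kind": classify_udp4500(natt.payload) if natt else None,
        "ike_kind": classify_udp4500(NON_ESP_MARKER + b"\x00" * 28),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The GRE packet sourced from a non-loopback address is the failure the first answer guards against: the PIX forwards it unprotected (or drops it) instead of encrypting it. The raw ESP packet is what the second poster saw never arriving; the same ESP inside UDP/4500 gets a PAT entry like any other UDP flow, which is why only UDP 500 and 4500 were visible on the far side.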