04-19-2008 10:05 AM
Hi all,
Situation:
Two sites, each with a router connected to the Internet.
My client wants to have, on each site, another router behind the respective Internet router.
An IPsec VPN connection has to be built between the two routers (871s) behind the Internet routers.
Is this possible? And if so, how?
Thanks for your help
Jaap Laaij
Netherlands
04-19-2008 10:58 AM
Jaap,
If your client has a spare public address on both Internet router subnets that you can use, you might want to try 1-to-1 NAT that translates your FA4 IPs to an 81.x.x.x and an 83.x.x.x IP. Specify the far-end public IP as your IPsec peer and build a site-to-site tunnel.
04-19-2008 10:56 PM
Hi Carl,
Thanks for your reply.
The problem is that my client doesn't have spare public addresses. The addresses that he has are also leased.
However, if he did, how do you 'push' the spare public address to the F4 WAN port of the router (870) behind the Internet router? How do you tell the Internet router that the incoming public address belongs to the 870 router?
Is there any other way to get around this?
Thanks,
Jaap
04-20-2008 03:38 PM
Jaap,
It CAN be done without a spare IP address.
On both Internet routers, do this:
! Static port forwards: ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP arriving
! on the public address are handed to the 871 at 192.168.0.101.
ip nat inside source static udp 192.168.0.101 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 192.168.0.101 interface FastEthernet0/0
!
interface FastEthernet0/0
 description Internet Facing
 ip address 81.x.x.x
 ip nat outside
!
interface FastEthernet0/1
 description RFC1918
 ! Inside gateway address. It must not be 192.168.0.101, which is the 871's
 ! own F4 address on the same LAN; 192.168.0.1 and the /24 mask are assumed here.
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
on the router behind the 81.x.x.x router:
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
!
! Pre-shared key for the far side, keyed on its public address (the source the
! packets arrive from after NAT), not on the far 871's private address.
crypto isakmp key cciesec address 83.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 83.x.x.x
 set transform-set 3des
 match address 101
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
!
! Default route via the Internet router's inside address (192.168.0.1 assumed).
ip route 0.0.0.0 0.0.0.0 192.168.0.1
on the router behind the 83.x.x.x router:
access-list 101 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp key cciesec address 81.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 ! The peer is the OTHER site's public address, i.e. 81.x.x.x from this side.
 set peer 81.x.x.x
 set transform-set 3des
 match address 101
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
!
! Default route via the Internet router's inside address (192.168.0.1 assumed).
ip route 0.0.0.0 0.0.0.0 192.168.0.1
This way, when ISAKMP, NAT-T and ESP traffic hits the 81.x.x.x or 83.x.x.x IP address, it is translated to 192.168.0.101 and it will work. I do this all the time.
This works on both IOS 12.2(15)T17 and IOS 12.3(24a).
CCIE Security
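The configs above only work when the two sides are exact mirrors: the NAT router at each site must forward UDP/500, UDP/4500 and ESP to the 871, each crypto map's "set peer" must be the other site's public address, and the crypto ACLs must be reversed copies of each other. The script below is an added example (not code from the thread or from Cisco) that lints a pair of such configs for those three conditions. The function names are this example's own, and the sample configs are constructed from the abbreviated IOS-style lines quoted in the thread, with the public addresses kept as placeholders.

```python
"""Lint a pair of NAT + crypto-map configs for an IPsec tunnel whose two
endpoints both sit behind a NAT router. Added example, not from the
thread; names are this example's own and the configs are constructed."""
import re
from dataclasses import dataclass

# Flows the NAT router must statically forward to the inside IPsec router:
# ISAKMP (UDP/500), NAT-T (UDP/4500) and plain ESP.
REQUIRED_FORWARDS = {("udp", "500"), ("udp", "4500"), ("esp", None)}

NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>udp|tcp|esp) (?P<inside>\S+)"
    r"(?: (?P<port>\d+))? interface \S+(?: \d+)?$"
)
PEER_RE = re.compile(r"^set peer (?P<peer>\S+)$")
ACL_RE = re.compile(
    r"^access-list \d+ permit ip (?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$"
)
ADDR_RE = re.compile(r"^ip address (?P<ip>\S+)")


@dataclass
class Site:
    name: str
    public_ip: str  # outside address of the NAT (Internet) router
    nat_cfg: str    # NAT router config
    vpn_cfg: str    # config of the IPsec router behind it


def nat_forwards(nat_cfg):
    """Map inside address -> {(proto, port)} statically forwarded to it."""
    fwd = {}
    for line in nat_cfg.splitlines():
        if m := NAT_RE.match(line.strip()):
            fwd.setdefault(m["inside"], set()).add((m["proto"], m["port"]))
    return fwd


def vpn_facts(vpn_cfg):
    """Return (address of the interface carrying the crypto map, peer, crypto ACL)."""
    vpn_ip = cur_ip = peer = None
    acl = set()
    for line in vpn_cfg.splitlines():
        s = line.strip()
        if m := PEER_RE.match(s):
            peer = m["peer"]
        elif m := ACL_RE.match(s):
            acl.add((m["src"], m["smask"], m["dst"], m["dmask"]))
        elif m := ADDR_RE.match(s):
            cur_ip = m["ip"]
        elif s.startswith("crypto map ") and len(s.split()) == 3:
            vpn_ip = cur_ip  # bare 'crypto map NAME' = applied under an interface
    return vpn_ip, peer, acl


def check_pair(a, b):
    """Return a list of problems; empty means the two sites mirror each other."""
    problems, facts = [], {}
    for site in (a, b):
        vpn_ip, peer, acl = vpn_facts(site.vpn_cfg)
        facts[site.name] = (peer, acl)
        missing = REQUIRED_FORWARDS - nat_forwards(site.nat_cfg).get(vpn_ip, set())
        for proto, port in sorted(missing, key=str):
            what = proto if port is None else f"{proto}/{port}"
            problems.append(f"{site.name}: NAT router does not forward {what} to {vpn_ip}")
    # Each crypto map must point at the OTHER site's public address.
    for site, other in ((a, b), (b, a)):
        peer = facts[site.name][0]
        if peer != other.public_ip:
            problems.append(f"{site.name}: set peer {peer} but the other site is {other.public_ip}")
    # Crypto ACLs must be exact mirrors or the Phase 2 proxy IDs will not match.
    mirror_b = {(d, dm, s, sm) for (s, sm, d, dm) in facts[b.name][1]}
    if facts[a.name][1] != mirror_b:
        problems.append("crypto ACLs are not mirror images")
    return problems


# Constructed sample configs, same shape as the thread's (public IPs kept as placeholders).
NAT_CFG = """\
ip nat inside source static udp 192.168.0.101 500 interface F0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface F0/0 4500
ip nat inside source static esp 192.168.0.101 interface F0/0
"""
NAT_CFG_NO_ESP = "\n".join(NAT_CFG.splitlines()[:2]) + "\n"


def make_vpn_cfg(local_net, remote_net, peer):
    return f"""\
access-list 101 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 set peer {peer}
 match address 101
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
"""


SITE_A = Site("A", "81.x.x.x", NAT_CFG, make_vpn_cfg("10.10.10.0", "10.10.11.0", "83.x.x.x"))
SITE_B = Site("B", "83.x.x.x", NAT_CFG, make_vpn_cfg("10.10.11.0", "10.10.10.0", "81.x.x.x"))
# Site B with the peer pasted unchanged from site A's config: it points at itself.
SITE_B_WRONG_PEER = Site("B", "83.x.x.x", NAT_CFG, make_vpn_cfg("10.10.11.0", "10.10.10.0", "83.x.x.x"))
SITE_B_NO_ESP = Site("B", "83.x.x.x", NAT_CFG_NO_ESP, SITE_B.vpn_cfg)

if __name__ == "__main__":
    for label, site in (("good", SITE_B), ("wrong peer", SITE_B_WRONG_PEER), ("no ESP", SITE_B_NO_ESP)):
        print(label, "->", check_pair(SITE_A, site) or "OK")
```

Once the tunnel is configured, the on-box checks are `show ip nat translations` on the Internet routers (the three static entries should be listed) and `show crypto isakmp sa` / `show crypto ipsec sa` on the 871s; a Phase 1 SA that comes up while Phase 2 never does is the usual sign of non-mirrored crypto ACLs.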
04-23-2008 11:44 AM
Hi Cisco,
Thanks for the config.
I will use it.
Jaap