Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
4
Replies

1841 to 3030 IPSec tunnel, no connectivity

Go to solution
pondersean
Level 1
Level 1

‎10-04-2007 12:51 PM - edited ‎02-21-2020 03:18 PM

Hello everyone,

I have a Cisco 1841 router with Adv Sec package on it and need to set up a static IPSec tunnel to a Cisco 3030 concentrator. The trick is that the interesting traffic has to be NAT'd through a different IP than the interface IP.

So the peering must happen on x.x.x.34, but encrypted traffic from me must come from x.x.x.35. This is a requirement of the office that I am connecting to. I've set up tunnels before, but never with this type of requirement.

What is the best way to accomplish this?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-07-2007 10:14 AM

Hi Sean

local network at 1841 end: 192.168.5.0/24

remote network at 3030 end: 172.16.5.0/24

on 1841

int loopback10

ip address x.x.x.35

access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255

ip nat inside source list 101 interface loopback10 overload

Obviously in your crypto map access-list you need to use the Natted address ie.

access-list 102 permit ip host x.x.x.35 172.16.5.0 0.0.0.255

HTH

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-07-2007 10:14 AM

Hi Sean

local network at 1841 end: 192.168.5.0/24

remote network at 3030 end: 172.16.5.0/24

on 1841

int loopback10

ip address x.x.x.35

access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255

ip nat inside source list 101 interface loopback10 overload

Obviously in your crypto map access-list you need to use the Natted address ie.

access-list 102 permit ip host x.x.x.35 172.16.5.0 0.0.0.255

HTH

Jon

0 Helpful

Go to solution
pondersean
Level 1
Level 1
In response to Jon Marshall

‎10-08-2007 08:38 AM

Jon, thanks very much for your post! The problem I run into (I tried creating a virtual interface before) is that the two interfaces are now on the same subnet, which the router doesn't like.

So Fast0/0 is xx.xx.xx.34 and Loopback10 is xx.xx.xx.35. Which clearly won't work. And I can't define a sub-interface on FE0/0 that isn't ISL or similar trunking.

Is there a way to get around the IP address conflict?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to pondersean

‎10-08-2007 10:03 AM

Hi

router(config)# ip nat pool NATPOOL prefix-length 32

router(config-ipnat-pool)# address x.x.x.35 x.x.x.35

ip nat inside source list 101 pool NATPOOL

HTH

Jon

0 Helpful

Go to solution
pondersean
Level 1
Level 1
In response to Jon Marshall

‎10-09-2007 08:58 AM

Jon, thank you very much for your help. The tunnel is up and talking, I really appreciate your assistance.

-Sean

0 Helpful
Customers Also Viewed These Support Documents