08-26-2009 02:08 AM - edited 03-04-2019 05:51 AM
We have Cisco 7206VXR (NPE-G2), c7200p-advsecurityk9-mz.124-15.T1.bin
We have to configure an IPsec tunnel to another Cisco, but before IPsec we have to translate the source IP into another IP, which we get from our partner.
I've tried this configuration:
ip vrf mobile
 rd 1:300
 route-target export 1:300
 route-target import 1:300
!
ip vrf roffice
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
interface GigabitEthernet0/1.5
 description VPN_Outside
 encapsulation dot1Q 5
 ! public ip - our side of ipsec tunnel
 ip address x.x.x.17 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map outside
!
interface GigabitEthernet0/2.11
 description VPN_Mobile
 encapsulation dot1Q 11
 ip vrf forwarding mobile
 ip address 10.31.28.137 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
crypto keyring BlackBerryNew
 ! public ip - partner's side of ipsec tunnel
 pre-shared-key address y.y.y.238 key MEGAPASSWORD
!
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile BlackBerryNew
 vrf mobile
 keyring BlackBerryNew
 match identity address y.y.y.238 255.255.255.255
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map outside 65535 ipsec-isakmp
 set peer y.y.y.238
 set transform-set ESP-AES128-SHA
 set pfs group5
 set isakmp-profile BlackBerryNew
 match address outside_65535_cryptomap
!
ip route vrf mobile 10.31.50.176 255.255.255.240 x.x.x.22 global
!
ip access-list extended outside_65535_cryptomap
 permit ip host 172.18.12.21 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.22 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.23 10.31.50.176 0.0.0.15
!
ip access-list extended BlackBerryNAT
 permit ip host 10.31.0.61 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.64 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.223 10.31.50.176 0.0.0.15
 deny ip any any
!
route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
!
ip nat inside source static 10.31.0.61 172.18.12.21 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.223 172.18.12.22 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.64 172.18.12.23 vrf mobile route-map BlackBerryNAT
But when I put "ip nat inside" on Gi0/2.11, the router falls into a reboot.
08-26-2009 08:17 AM
Hello Denis,
Try with another IOS image like 12.4(20)T with the same feature set.
This looks like an issue (it may be a known bug) of the current image.
Edit:
I have some doubts on the outside interface configuration.
It should work if NAT is processed first and then the resulting packets are examined for potential encryption.
You may need to use a GRE tunnel and to encrypt it to be sure about the order of operations.
The GRE tunnel can give you an L3 point where to apply ip nat outside before encryption occurs.
Hope to help
Giuseppe
08-27-2009 03:06 AM
I made it work :)
It was necessary to add one line in the route-map.
Now it looks like this:
route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
 set vrf mobile
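The fix above ties the static NAT route-map to the same VRF the NAT statements reference. The following is an added example, not configuration or code from this thread or from Cisco: a small Python consistency check over a saved IOS configuration that flags the mismatch this thread ran into (a `route-map` used by a VRF-aware `ip nat inside source static` without a matching `set vrf`) and also confirms that every translated inside-global address appears as a source in the crypto map ACL and every inside-local address is permitted by the route-map ACL. The sample configurations are constructed from the lines posted in this thread; the "before" copy lacks `set vrf mobile` and the "after" copy has it. The check is purely textual and does not model IOS order of operations.

```python
import re

# Constructed sample built from the config posted in this thread:
# the VRF-aware static NAT, its route-map and the crypto map ACL.
# This copy is the "before" state (route-map without "set vrf").
CONFIG_BEFORE = """\
ip access-list extended outside_65535_cryptomap
 permit ip host 172.18.12.21 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.22 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.23 10.31.50.176 0.0.0.15
ip access-list extended BlackBerryNAT
 permit ip host 10.31.0.61 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.64 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.223 10.31.50.176 0.0.0.15
 deny ip any any
route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
ip nat inside source static 10.31.0.61 172.18.12.21 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.223 172.18.12.22 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.64 172.18.12.23 vrf mobile route-map BlackBerryNAT
"""

# The "after" state: the same config with the fix from the thread applied.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " match ip address BlackBerryNAT\n",
    " match ip address BlackBerryNAT\n set vrf mobile\n",
)

NAT_RE = re.compile(
    r"^ip nat inside source static (\S+) (\S+) vrf (\S+) route-map (\S+)\s*$"
)
ACL_HDR_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
ACL_PERMIT_RE = re.compile(r"^\s+permit ip host (\S+) ")
RMAP_HDR_RE = re.compile(r"^route-map (\S+) permit \d+\s*$")


def parse_config(text):
    """Extract the NAT statements, ACL source hosts and route-map clauses."""
    nats = []          # (inside_local, inside_global, vrf, route_map)
    acl_sources = {}   # ACL name -> set of permitted source hosts
    rmap_acl = {}      # route-map name -> ACL named in "match ip address"
    rmap_set_vrf = {}  # route-map name -> VRF from "set vrf", or None
    current = None     # ("acl", name) or ("rmap", name) while inside a block
    for line in text.splitlines():
        if not line.strip():
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groups())
            current = None
            continue
        m = ACL_HDR_RE.match(line)
        if m:
            current = ("acl", m.group(1))
            acl_sources.setdefault(m.group(1), set())
            continue
        m = RMAP_HDR_RE.match(line)
        if m:
            current = ("rmap", m.group(1))
            rmap_set_vrf.setdefault(m.group(1), None)
            continue
        if line.startswith(" ") and current:
            kind, name = current
            if kind == "acl":
                m = ACL_PERMIT_RE.match(line)
                if m:
                    acl_sources[name].add(m.group(1))
            else:
                parts = line.split()
                if parts[:3] == ["match", "ip", "address"]:
                    rmap_acl[name] = parts[3]
                elif parts[:2] == ["set", "vrf"]:
                    rmap_set_vrf[name] = parts[2]
        else:
            current = None  # any other top-level line ends the current block
    return nats, acl_sources, rmap_acl, rmap_set_vrf


def lint(text, crypto_acl):
    """Return a de-duplicated list of findings for the NAT/crypto pairing."""
    nats, acl_sources, rmap_acl, rmap_set_vrf = parse_config(text)
    findings = []
    crypto_src = acl_sources.get(crypto_acl, set())
    for local, glob, vrf, rmap in nats:
        # Traffic is translated before encryption, so the crypto ACL must
        # match the translated (inside global) source address.
        if glob not in crypto_src:
            findings.append(f"translated address {glob} is not a source in crypto ACL {crypto_acl}")
        acl = rmap_acl.get(rmap)
        if acl is None:
            findings.append(f"route-map {rmap} has no 'match ip address'")
        elif local not in acl_sources.get(acl, set()):
            findings.append(f"inside host {local} is not permitted by route-map ACL {acl}")
        # The lesson of this thread: the route-map must set the same VRF
        # the NAT statement names.
        if rmap_set_vrf.get(rmap) != vrf:
            findings.append(f"route-map {rmap} lacks 'set vrf {vrf}' matching the NAT statement")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lint(cfg, "outside_65535_cryptomap") or ["OK"])
```

Run against a real device, feed the check the output of `show running-config` and the name of the ACL referenced by the crypto map's `match address`; an empty result means the three pieces agree, while the "before" sample reproduces exactly the finding Denis resolved.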
08-27-2009 03:39 AM
Hello Denis,
good news!
The command associates to vrf mobile:
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi2.html#wp1035512
Interesting.
Best Regards
Giuseppe