We are using 3845 router with 2 eth ports for IPSEC tunnel formation. Traffic arrives or leaves from Gig0/0 is enrypted. Crypto map is applied on gig0/0. (Traffic defined by Access-lists.) Then traffic is routed to Giga0/1 for further routing. This is working ok.
But now we are facing a problem as we are required to do Dest-NAT on these packets. When packets are arrived on Giga0/0 those should be decrypted first and then those should be Dest-Nated. That is after decryption has taken place we will replace the destination address in the packet and then route those packets to gig0/1. When the reply will come to these packets router shoud first do the nating and then encrypt and then route those out from Giga 0/0.
If the sequence is correct then only those packets will be encrypted.
As the packets to be encrypted or decrypted is decided by access-list. And all access lists are configured with existing IP addressing sceme it is not possible to change. So we have come up to new option of NAT. In short it will look like following
packet coming from outside world with destination as A.b.C.D is received on Gigi0/0 --> as per access list it matches the ip address Destination A.B.C.D then it is de-crypted. ----> then sent to Gigi0/1 for further routing. This is ok.
What we are looking for is some thing like this.
Packet comes from world with destination address A.B.C.D , it is received on Giga 0/0 ---> Access list is matched so a packet is decrypted ---> now change Destination IP address pf packet from A.B.C.D to new IP address as P.Q.R.S and then route it to Giga 0/1 for further routing. Similar when packet is coming back ( source and destination address swapped ) on Giga 0/1 ---> Replace Source Address by A.B.C.D --> Then this packet will match access-list and then it will be encrypted and will be sent from where is came from i.e to giga0/0. So in all this preference is important. if ip nat inside or outside are applied on interfaces and also crypto map is applied on Gig 0/0 which will take preference or can we configure it as the way we what.
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers. When we try to change the wiring and configuration, we run in to connectivity issues. Attached is a des...
This is actually a pretty cool feature, i didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk), only if a certain condition existed. This is exactly what conditional advertisements does
j ai une question j ai achete un routeur cisco 887VA-k9 , je le configuré avec la configuration ci- dessous
si je le lier avec mon pc portable sur l un de ses ports directement ça marche toute est bien ( la connexion internet + m...