07-29-2002 04:29 AM - edited 02-21-2020 11:57 AM
Hello,
Are there any subtle configuration issues to be considered when implementing NAT over IPsec through GRE tunnelling in a site-to-site VPN scenario? Typically, I could not prevent NAT translation; however, I configured a route map to prevent translation.
This is the translation I would like to prevent:
"NAT: s=210.212.235.177-> 210.212.240.180, d=210.212.230.177 [25154]"
Scenario:
192.168.100.x LAN - E0/0 of ro-3620
ro-3620 S0/1 - Serial 0 of ro-2516
ro-2516 Serial 1 - Serial 2/0:0 of ro-7206
ro-7206 - 192.168.200.x LAN
config:
ro-3620#sh ru
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ro-3620
!
enable secret 5 $1$urmu$xVnvp7p5YbDSjZhJskNJY/
!
username admin password 7 0822455D0A16
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 210.212.230.177
!
!
crypto ipsec transform-set auth2 esp-des esp-md5-hmac
!
!
crypto map test 10 ipsec-isakmp
set peer 210.212.230.177
set transform-set auth2
match address 101
!
!
controller E1 1/0
!
controller E1 1/1
!
!
process-max-time 200
!
interface Tunnel0
ip address 5.5.5.1 255.255.255.0
no ip directed-broadcast
tunnel source Serial0/1
tunnel destination 210.212.230.177
crypto map test
!
interface Ethernet0/0
ip address 192.168.100.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/0
no ip address
no ip directed-broadcast
!
interface Serial0/1
description ***** Gateway to 2511.130 *****
ip address 210.212.235.177 255.255.255.252
no ip directed-broadcast
ip nat outside
crypto map test
!
interface Async65
ip unnumbered Ethernet0/0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address 202.54.66.135
ppp authentication pap
!
ip nat pool rtp 210.212.240.180 210.212.240.190 prefix-length 28
ip nat inside source route-map nonat pool rtp overload
ip nat inside source static 192.168.200.1 210.212.240.177
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 192.168.200.0 255.255.255.0 5.5.5.2
no ip http server
!
access-list 101 permit gre host 210.212.235.177 host 210.212.230.177
access-list 102 deny gre host 210.212.235.177 host 210.212.230.177
access-list 102 permit ip any any
route-map nonat permit 10
match ip address 102
!
!
line con 0
transport input none
line aux 0
autoselect during-login
autoselect ppp
login local
modem InOut
modem autoconfigure discovery
transport preferred none
transport input all
speed 115200
flowcontrol hardware
line vty 0 4
password 7 045802150C2E
login
!
!
end
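As an added example (not code from the thread or from Cisco), the script below evaluates the posted ACL 102 / route-map nonat logic the way IOS does, first match with wildcard masks and an implicit deny, against the packet in the quoted NAT debug line, to check on paper whether that GRE packet is exempt from translation. The debug line's protocol is assumed to be GRE, since the NAT debug output does not print it.

```python
import ipaddress
import re
# Constructed for this example: ACL 102 exactly as it appears in the posted config.
ACL_102 = [
    "access-list 102 deny gre host 210.212.235.177 host 210.212.230.177",
    "access-list 102 permit ip any any",
]
# Constructed for this example: the NAT debug line quoted in the question.
NAT_DEBUG_LINE = "NAT: s=210.212.235.177-> 210.212.240.180, d=210.212.230.177 [25154]"

def parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wildcard), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into (action, proto, src, dst)."""
    entries = []
    for line in lines:
        t = line.split()
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        entries.append((t[2], t[3], src, dst))
    return entries

def addr_match(spec, ip):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_action(entries, proto, src, dst):
    """First match wins; protocol 'ip' matches any protocol; implicit deny at the end."""
    for action, p, s, d in entries:
        if p in ("ip", proto) and addr_match(s, src) and addr_match(d, dst):
            return action
    return "deny"

def nat_exempt(entries, proto, src, dst):
    """route-map nonat matches this ACL, so only ACL-permitted packets get translated."""
    return acl_action(entries, proto, src, dst) == "deny"

def parse_nat_debug(line):
    """Split 'NAT: s=ORIG-> NEW, d=DST [ID]' into its fields (protocol is not shown, so assume it)."""
    m = re.match(r"NAT: s=(\S+?)->\s*(\S+?), d=(\S+?)\s*\[(\d+)\]", line)
    return {"orig_src": m.group(1), "new_src": m.group(2), "dst": m.group(3), "id": int(m.group(4))}
```

Feed the debug line's original source and destination into nat_exempt with proto "gre" to see what the ACL as written decides for the tunnel traffic; LAN hosts going anywhere else still hit the permit ip any any line and get translated.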
07-29-2002 05:59 AM
Here is a sample config you can use as a template of what you are trying to achieve:
http://www.cisco.com/warp/customer/707/quicktip.html
HTH
R/Yusuf
07-29-2002 09:22 PM
Thanks. But I'm wondering how my IOS versions 12.0 & 12.2 are not supporting the "ip inspect" command. Are any commands needed to enable CBAC? If so, please let me know. My IOS versions are:
7206 router: c7200-ik2s-mz.121-7.bin
3620 router: 3620-ik2s-mz.120-5XK1.bin
Can you help me out!!!
07-29-2002 11:14 PM
Great, thanks for the URL. It seems I should have the Enterprise IOS version to support CBAC; right now I have IP Plus. Please do confirm my statement. Yusuf!! If you don't mind, shall I contact you for any technical help (hopefully not affecting your productivity)?