Re: NAT_GRE_IPSEC ??

dinekal · ‎07-29-2002

Hello,

Is there any subtle configuration issues to be considered, when implementing NAT OVER IPSEC thrugh GRE tunelling in a site to site VPN scenario. Typically, i could not prevent nat translation; However, i configured route map to prevent translation.

This is the translation I would like to prevent,

"

NAT: s=210.212.235.177-> 210.212.240.180, d=210.212.230.177 [25154]

"

Scenario:

192.168.100.x LAN

E0/0 of ro-3620 ->

ro-3620-> s0/1 of 3620

serial 0 <- ro-2516 -> serial 1

serila 2/0:0 <- ro-7206- >192.168.200.x LAN

of 7206

config:

ro-3620#sh ru

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ro-3620

!

enable secret 5 $1$urmu$xVnvp7p5YbDSjZhJskNJY/

!

username admin password 7 0822455D0A16

!

memory-size iomem 15

ip subnet-zero

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 210.212.230.177

!

crypto ipsec transform-set auth2 esp-des esp-md5-hmac

!

crypto map test 10 ipsec-isakmp

set peer 210.212.230.177

set transform-set auth2

match address 101

!

controller E1 1/0

!

controller E1 1/1

!

process-max-time 200

!

interface Tunnel0

ip address 5.5.5.1 255.255.255.0

no ip directed-broadcast

tunnel source Serial0/1

tunnel destination 210.212.230.177

crypto map test

!

interface Ethernet0/0

ip address 192.168.100.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Serial0/0

no ip address

no ip directed-broadcast

!

interface Serial0/1

description ***** Gateway to 2511.130 *****

ip address 210.212.235.177 255.255.255.252

no ip directed-broadcast

ip nat outside

crypto map test

!

interface Async65

ip unnumbered Ethernet0/0

no ip directed-broadcast

encapsulation ppp

async mode interactive

peer default ip address 202.54.66.135

ppp authentication pap

!

ip nat pool rtp 210.212.240.180 210.212.240.190 prefix-length 28

ip nat inside source route-map nonat pool rtp overload

ip nat inside source static 192.168.200.1 210.212.240.177

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/1

ip route 192.168.200.0 255.255.255.0 5.5.5.2

no ip http server

!

access-list 101 permit gre host 210.212.235.177 host 210.212.230.177

access-list 102 deny gre host 210.212.235.177 host 210.212.230.177

access-list 102 permit ip any any

route-map nonat permit 10

match ip address 102

!

line con 0

transport input none

line aux 0

autoselect during-login

autoselect ppp

login local

modem InOut

modem autoconfigure discovery

transport preferred none

transport input all

speed 115200

flowcontrol hardware

line vty 0 4

password 7 045802150C2E

login

!

end

yusuff · ‎07-29-2002

Here is a sample config you can use as a template of what you are trying to acheive;

http://www.cisco.com/warp/customer/707/quicktip.html

HTH

R/Yusuf

dinekal · ‎07-29-2002

Thanks. But I'm wondering how my IOS of version 12.0 & 12.2 not supporting "ip inspect" command. Any commands need to enable CBAC ?, if so pls. let me know. My IOS versions are

7206 router: c7200-ik2s-mz.121-7.bin

3620 Rouetr: 3620-ik2s-mz.120-5XK1.bin

Can you help me out !!!

dinekal · ‎07-29-2002

Great thanks for the URL. It seems i should 've Enterprise IOS version to support CBAC, right now i 've IP Plus. Pls. do confirm my statement. Yusuf !! If you don't mind shall I contact you for any technical help (hopefully not affecting your productivity).