Cisco Support Community

Question on IPSec manual keying/ NAT

I have a requirement to set up an IPsec VPN between two peers using manual keying.

The network is as per the attachment.

The local peer is 10.0.1.2 but is seen as 185.0.1.5 by the remote peer. 185.0.1.5 is actually assigned to a host, but this device is not involved in IPsec peering with the remote peer (197.20.20.1).


Re: Question on IPSec manual keying/ NAT

Based on your topology, add the following commands:

ip nat inside source static esp 10.0.1.2 185.0.1.5

ip nat inside source static udp 10.0.1.2 500 185.0.1.5 500

So R1 will make a static mapping with regard to the two protocols here, UDP 500 (ISAKMP) and ESP, when the remote host starts the VPN connection to 185.0.1.5.

The commands above allow the translation of ISAKMP traffic (UDP port 500) and ESP to the specified inside local address.

Hope this answered your question.

Rate if helpful, please.


Re: Question on IPSec manual keying/ NAT

Hi Marwan,

First of all,

ip nat inside source static esp {ip} {ip}

is not supported, but

ip nat inside source static esp {ip} {interface}

is. I've tested this using c2800nm-spservicesk9-mz.124-3f.

I'm wondering how to realize it with the interface option.

Any suggestions please?


Re: Question on IPSec manual keying/ NAT

I tried something like this:

ip nat inside source static 10.0.1.2 185.0.1.5 route-map TEST reversible
route-map TEST permit 10
 match ip address 101
access-list 101 permit esp host 10.0.1.2 host 197.20.20.1

Also I've applied

ip nat inside on the interface connecting to 10.0.1.2 and

ip nat outside on the interface connecting to the remote peer.

In my opinion UDP 500 is not required in this case (manual keying).

What do you think about this?

Thanks for your comments and suggestions.

Re: Question on IPSec manual keying/ NAT

Why are you doing it the long way?

Just do the NATing as I told you, without a route map; it's easier to configure and to troubleshoot.

This is a complete example that will help you a lot; just follow the concepts and the config, then let me know.

! Interface Serial2/0 is the NAT inside interface
!
interface Serial2/0
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
!
! Interface Serial2/1 is the NAT outside interface
!
interface Serial2/1
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
! The static translations here allow the Berlin gateway to initiate IPsec
! connections to the London gateway.
!
ip nat inside source list 10 interface Serial2/1 overload
ip nat inside source static esp 10.10.10.1 interface Serial2/1
ip nat inside source static udp 10.10.10.1 500 interface Serial2/1 500
!
access-list 10 permit 10.10.10.0 0.0.0.255

Good luck.


Re: Question on IPSec manual keying/ NAT

Thanks for sharing an example, Marwan.

If the interface option is applied it will simply take the IP of the outside interface as the local peer, right?

If you have a closer look at my scenario, you'd see that I need it to take the IP of an inside host connected to a 3rd interface instead.

Have I overlooked something here?

Re: Question on IPSec manual keying/ NAT

OK, no problem.

It is right, it should be interface, but I put it like this to make it easier to understand.

What do you mean, how to realize it?

When you put interface and the interface type/number, it will consider the IP address configured on that interface.

So if your outside interface is configured with 10.0.1.1, it will be mapped from 10.0.1.1 to the other IP in the NAT statement.


Re: Question on IPSec manual keying/ NAT

I don't think we could achieve this with the interface option.

Re: Question on IPSec manual keying/ NAT

Then why don't you use your outside interface?

Also try the following, but I am not sure.

Let's say the outside interface of the remote router is 2.2.2.2:

access-list 100 permit ip host 2.2.2.2 host (the destination IP you want)
route-map map1 permit 10
 match ip address 100
 set ip next-hop 10.0.1.2

Then apply this with a policy-map statement on the outside interface.

Again, I have never tried it with IPsec.

Good luck.


Re: Question on IPSec manual keying/ NAT

The NAT with route-map (I posted previously) works for locally originated (interesting) traffic.

However, when the remote side initiates the tunnel it does not seem to come up. What you've proposed with your route map may be used in this case.

But I'm not sure whether you could run ip nat outside and ip policy route-map on the same outside interface to control outbound and inbound traffic respectively.

Re: Question on IPSec manual keying/ NAT

I am still wondering why you don't use your external interface as the termination point for the VPN, which is the best practice and will solve your problem!


Re: Question on IPSec manual keying/ NAT

No, Marwan, as I said this was encountered during a network migration process which has to be performed without any intervention by the remote party.

Actually the current peer is 185.0.1.5, if you consider the scenario. So the idea is to replace it with a different peer device, pretending to be the same at the IP network layer. That's why the new device 10.0.1.2 is there acting as 185.0.1.5 to the remote peer.

I understand your point very clearly. However, in my opinion, this is where we need to have ideas and workarounds to cope with such situations.

What I have realized is a NAT route-map with outside-to-inside support:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnato2n.html#wp1046681

The feature design says that an initial session from inside-to-outside is required to trigger this NAT translation (this is exactly what I see with my setup).

However, practically, in my case the tunnel needs to be initiated by the remote side as well.

This can be accomplished relatively easily with POSIX/iptables, and I was hoping it would be the case with Cisco too.


Re: Question on IPSec manual keying/ NAT

Hi,

Any suggestions with regard to remote peer initiated IPSec tunnel deployments please?

I am unable to get it working with route-map for ESP traffic.

Thanks for your thoughts and time.

Re: Question on IPSec manual keying/ NAT

Why can't you just use a simple

ip nat inside source static ip 10.0.1.2 185.0.1.5

?

Re: Question on IPSec manual keying/ NAT

That's what I have been mentioning: either static NAT

or static PAT (port forwarding):

ip nat inside source static ip 10.0.1.2 185.0.1.5

or

ip nat inside source static esp 10.0.1.2 185.0.1.5
ip nat inside source static udp 10.0.1.2 500 185.0.1.5 500

The first command will simply map any connection to 10.0.1.5 to 10.0.1.2.

With the second two commands you are going to map only the VPN.

In your case the mapping matters, in other words NATing.
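As an added example (not posted by anyone in this thread), here is the one-to-one static NAT suggested above written out end to end on R1, together with a manually keyed crypto map on the inside peer, so the pieces that have to line up (no IKE, ESP translated as plain IP, SPIs and keys mirrored between the two ends) are visible in one place. The interface names on the peer, the ACL, transform-set and crypto-map names, the protected subnets, the SPIs and the hex session keys are all assumptions for illustration; the original poster reports that plain static NAT did not work in their topology, so this is the configuration the suggestion describes, not a verified fix.

```cisco
! ---- R1 (the NAT router between 10.0.1.2 and the remote peer) ----
! Interface names follow the poster's description (FE0/1 inside, FE1/0 outside).
interface FastEthernet0/1
 description inside, toward the new IPsec peer 10.0.1.2
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description outside, toward the remote peer 197.20.20.1
 ip nat outside
!
! Plain one-to-one static NAT: no protocol or port qualifier, so ESP
! (IP protocol 50) is rewritten like any other IP packet in both directions.
! No UDP/500 entry: manual keying runs no IKE/ISAKMP exchange at all.
ip nat inside source static 10.0.1.2 185.0.1.5
!
! ---- inside peer 10.0.1.2 (assumed to be an IOS router) ----
! The remote peer 197.20.20.1 is left untouched and still points at 185.0.1.5.
! Crypto ACL: 10.0.1.0/24 behind this peer to 192.168.50.0/24 behind the
! remote peer (both subnets are assumptions).
access-list 110 permit ip 10.0.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! ipsec-manual: SPIs and keys are configured statically instead of negotiated.
! This side's inbound SPI/keys must equal the remote side's outbound ones and
! vice versa. 128-bit AES cipher key = 32 hex digits, SHA-1 HMAC key = 40 hex
! digits. The values below are placeholders; generate fresh random keys.
crypto map MANUAL 10 ipsec-manual
 set peer 197.20.20.1
 set transform-set TS
 match address 110
 set session-key inbound esp 1000 cipher 0123456789abcdef0123456789abcdef authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1001 cipher fedcba9876543210fedcba9876543210 authenticator fedcba9876543210fedcba9876543210fedcba98
!
! ESP is sourced from this interface address (10.0.1.2); R1 rewrites it to
! 185.0.1.5 on the way out and back to 10.0.1.2 on the way in.
interface GigabitEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map MANUAL
```

Two checks and two caveats a practitioner would want here. After sending interesting traffic, `show ip nat translations` on R1 should show a 10.0.1.2 to 185.0.1.5 entry, and `show crypto ipsec sa` on the inside peer should show packets encrypted and decrypted on the manual SA; if only the encrypt counters move, the remote side's ESP is not reaching 10.0.1.2. Manually keyed SAs never rekey and, on IOS, do not get anti-replay protection, so the session keys in the running-config are the whole secret of the tunnel: protect the configuration accordingly and rotate the keys on both ends together.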


Re: Question on IPSec manual keying/ NAT

We are going back to our previous discussion, I guess.

If we take ip nat inside source static, we have {A.B.C.D}, esp, network, tcp and udp as options.

Here we have a specific option for esp where you can specify only an "interface".

That is one thing.

And, to answer Aleksey's question:

I'm trying to do a kind of IP spoofing here.

I'm using 10.0.1.2 (consider it connected via FE0/1 of R1) to set up IPsec peering with a remote peer, but pretending that it is from 185.0.1.5 (connected via FE0/0).

However, my NAT inside interface is FE0/1 (10.0.1.1) and my NAT outside interface is FE1/0 (the outside interface).

In this case, would a simple ip nat inside source static {ip} {ip} work?

I've tried that unsuccessfully anyway.

Have I missed anything?

Thanks for your time already.


Re: Question on IPSec manual keying/ NAT

It is a case related to IPsec manual keying.

I could get it working in one direction only, with

ip nat inside source static {ip} {ip} route-map name reversible

for ESP traffic, but not with a simple NAT as you've suggested.


Re: Question on IPSec manual keying/ NAT

Hi,

According to the example you've sent, it is

ip nat inside source static esp 172.16.1.2 interface Serial1/0

for ESP traffic.

However, this doesn't work for me as my architecture is different, and so is the requirement. Hope it's clear.
