Workaround: Ensure IPsec tunnel is up while NAT is being used.

by Cyrus Lok on Saturday, March 6, 2010 at 10:09am
I posted this question to the CCNA Security study group, and toor answered my question.

Mar 5, 2010 1:27 PM in response to: toor
Re: site-to-site vpn failed… tunnels are down…Pls enlighten me.

Yes, I agree that doing the configuration in the CLI makes me understand better. Haha. Thanks.
Btw, IPsec VPN does not seem to work well with NAT. I tested it in my lab and found that an extended ping can reach the peer router's inside interface, but the extended ping drops when it attempts to reach the host. The tunnel is down while NAT is enabled, and after I disabled NAT the tunnel is up again.
So how am I going to make use of the VPN to route from one site to another site using my existing broadband internet connection? How is my inside local network going to reach the outside local network of the remote site?

Mar 5, 2010 1:48 PM in response to: cyruslok
Re: site-to-site vpn failed… tunnels are down…Pls enlighten me.

The packets first go through NAT before being checked against the crypto map. This is why your crypto ACL no longer matches the packets. You have to exclude your VPN traffic from being NATed. You can use extended ACLs in your NAT setup to do that. Ex:

ip access-list extended NAT_ACL
 ! Site-to-site traffic is excluded from NAT, so it still matches the crypto ACL
 deny ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255
 ! Everything else from the inside network is still translated
 permit ip 10.0.0.0 0.0.0.255 any

Regards,
Toor
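The order of operations toor describes (inside-to-outside NAT runs before the crypto map check) can be seen in a small simulation. This is an added example, not part of the original thread; the host addresses 10.0.0.5 and 192.168.127.10, the router's outside address 203.0.113.1 and the internet host 198.51.100.7 are constructed values.

```python
"""Simulate IOS inside-to-outside order of operations: NAT first, then crypto ACL."""
import ipaddress
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    """One access-list entry in IOS 'network wildcard' notation."""
    action: str   # "permit" or "deny"
    src: str      # e.g. "10.0.0.0 0.0.0.255" or "any"
    dst: str


def _matches(addr: str, net_wc: str) -> bool:
    if net_wc == "any":
        return True
    net, wildcard = net_wc.split()
    # ipaddress accepts an IOS-style wildcard (host) mask after the slash
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{wildcard}")


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    for ace in acl:
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def forward(src: str, dst: str, nat_acl: List[Ace], crypto_acl: List[Ace],
            outside_ip: str) -> Tuple[str, bool]:
    """Return (source address seen by the crypto map, whether the packet is encrypted)."""
    if acl_permits(nat_acl, src, dst):   # NAT is applied before the crypto map lookup
        src = outside_ip
    return src, acl_permits(crypto_acl, src, dst)


# Crypto ACL as in the thread: local 10.0.0.0/24 to remote 192.168.127.0/24
CRYPTO_ACL = [Ace("permit", "10.0.0.0 0.0.0.255", "192.168.127.0 0.0.0.255")]
# NAT ACL without the exemption: VPN traffic gets translated and never matches
BROKEN_NAT_ACL = [Ace("permit", "10.0.0.0 0.0.0.255", "any")]
# toor's fix: deny the VPN traffic from NAT, then permit everything else
FIXED_NAT_ACL = [Ace("deny", "10.0.0.0 0.0.0.255", "192.168.127.0 0.0.0.255"),
                 Ace("permit", "10.0.0.0 0.0.0.255", "any")]

if __name__ == "__main__":
    for name, nat in (("broken", BROKEN_NAT_ACL), ("fixed", FIXED_NAT_ACL)):
        print(name, forward("10.0.0.5", "192.168.127.10", nat, CRYPTO_ACL, "203.0.113.1"))
```

With the broken NAT ACL the packet leaves with the outside address and is sent in the clear; with the exemption it keeps 10.0.0.5, matches the crypto ACL, and internet-bound traffic is still translated.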
