What is IPsec NAT Exemption? How to configure IPsec tunnel with NAT Exempt?

IPsec NAT Exemption


NAT (Network Address Translation) is used to translate private IP addresses into public IP addresses. NAT changes the source and destination IP addresses and ports. Address translation reduces the need for public IPv4 addresses, and it also hides private network address ranges.


Internet protocol security (IPsec) is a framework that helps us to protect our IP traffic on the network layer. IPsec allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.


NAT and IPsec are different in nature: NAT manipulates the IP packet, while IPsec needs the IP packet to be preserved. IPsec does not work with NAT on the same traffic, so we have to exclude the traffic to be encrypted from the NAT operation (bypass NAT). NAT must not occur for the traffic that IPsec protects, but NAT is still needed for the inside hosts so that they can access the internet.


NAT exemption is a method that excludes traffic from being translated with NAT. NAT exemption is preferred when bypassing traffic flowing over a VPN tunnel.

R1(config)#ip access-list extended NAT-TRAFFIC

R1(config-ext-nacl)#5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

NAT exemption is usually used in the following scenarios: 

Legacy policy-based IPsec VPNs

Remote access VPNs

Site-to-site VPN tunnels

When we have many VPN tunnels with customers and we don't want our addresses to conflict with IPs on their networks


Let's see the configuration for a better understanding:


Topology: (diagram not reproduced in this extract)



Goal:
  1. First, configure the IP addresses as per the topology above
  2. Configure the default route and static routes
  3. Verify the default and static routing with a ping from PC 192.168.10.2 to 192.168.30.2 and vice versa
  4. Enable crypto ISAKMP on both sites
  5. Configure an extended ACL to tell the router which traffic is to be encrypted
  6. Configure the crypto ISAKMP policy on both sites
  7. Configure the crypto key on both sites; make sure it is identical
  8. Configure the IPsec transform-set; the name will be ipsec-tunnel on both sites
  9. Configure the IPsec security association lifetime of 1800 seconds on both sites
  10. Configure the crypto map; the name of the map will be map on both sites
  11. Apply the crypto map on interface serial 4/0 on router 1 and serial 4/1 on router 2


First, configure the IP addresses as per the topology above:


R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
FastEthernet1/0            192.168.20.1    YES manual up                    up
Serial4/0                  192.168.1.1     YES manual up                    up



R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 100.100.100.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.3.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit



R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0       100.100.100.2   YES manual up                    up
Serial4/0                  192.168.1.2     YES manual up                    up
Serial4/1                  192.168.3.2     YES manual up                    up


R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastEthernet 1/0
R3(config-if)#ip address 192.168.40.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit



R3(config)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.30.1    YES manual up                    up
FastEthernet1/0            192.168.40.1    YES manual up                    up
Serial4/1                  192.168.3.1     YES manual up                    up





server (pc)> show ip

NAME        : server (pc)
IP/MASK     : 100.100.100.1/24
GATEWAY     : 100.100.100.2
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10048
RHOST:PORT  : 127.0.0.1:10049
MTU:        : 1500


PC2> show ip

NAME        : PC2[1]
IP/MASK     : 192.168.10.2/24
GATEWAY     : 192.168.10.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10050
RHOST:PORT  : 127.0.0.1:10051
MTU:        : 1500


PC6> show ip

NAME        : PC6[1]
IP/MASK     : 192.168.30.2/24
GATEWAY     : 192.168.30.1
DNS         :
MAC         : 00:50:79:66:68:03
LPORT       : 10054
RHOST:PORT  : 127.0.0.1:10055
MTU:        : 1500

Verify the default and static routing with a ping from PC 192.168.10.2 to 192.168.30.2 and vice versa:


PC2> show ip
NAME        : PC2[1]
IP/MASK     : 192.168.10.2/24
GATEWAY     : 192.168.10.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10050
RHOST:PORT  : 127.0.0.1:10051
MTU:        : 1500

PC2> ping 192.168.30.2
84 bytes from 192.168.30.2 icmp_seq=1 ttl=62 time=90.305 ms
84 bytes from 192.168.30.2 icmp_seq=2 ttl=62 time=90.064 ms
84 bytes from 192.168.30.2 icmp_seq=3 ttl=62 time=90.262 ms
84 bytes from 192.168.30.2 icmp_seq=4 ttl=62 time=90.758 ms
84 bytes from 192.168.30.2 icmp_seq=5 ttl=62 time=91.022 ms

 PC6> show ip
NAME        : PC6[1]
IP/MASK     : 192.168.30.2/24
GATEWAY     : 192.168.30.1
DNS         :
MAC         : 00:50:79:66:68:03
LPORT       : 10054
RHOST:PORT  : 127.0.0.1:10055
MTU:        : 1500

PC6> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=91.472 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=91.446 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=91.430 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=91.040 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=90.697 ms


 

Configure the default route and static routes:

 



R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R1#show ip route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, FastEthernet0/0
C    192.168.20.0/24 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, Serial4/0
S*   0.0.0.0/0 [1/0] via 192.168.1.2



R2(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
R2(config)#ip route 192.168.20.0 255.255.255.0 192.168.1.1
R2(config)#ip route 192.168.30.0 255.255.255.0 192.168.3.1
R2(config)#ip route 192.168.40.0 255.255.255.0 192.168.3.1

R2#show ip route static
S    192.168.30.0/24 [1/0] via 192.168.3.1
S    192.168.10.0/24 [1/0] via 192.168.1.1
S    192.168.40.0/24 [1/0] via 192.168.3.1
S    192.168.20.0/24 [1/0] via 192.168.1.1


R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
R3(config)#end

R3#show ip route static
S*   0.0.0.0/0 [1/0] via 192.168.3.2




Enable crypto ISAKMP on both sites:


R1(config)#crypto isakmp enable
R3(config)#crypto isakmp enable


Configure an extended ACL to tell the router which traffic is to be encrypted (the "interesting traffic"). Note that the two ACLs are mirror images of each other:


R1(config)#ip access-list extended interest-traffic
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config-ext-nacl)#exit

R1#show access-lists
Extended IP access list interest-traffic
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (436 matches)


R3(config)#ip access-list extended interest-traffic
R3(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)#exit

R3#show access-lists
Extended IP access list interest-traffic
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 



Configure the crypto ISAKMP policy on both sites:



R1(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
R1(config)#end

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit



R3(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

R3(config)#crypto isakmp policy 100
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit
R3(config)#end






Configure the crypto key on both sites; make sure it is identical on both peers:

R1(config)#crypto isakmp key 6 internetworks address 192.168.3.1

R3(config)#crypto isakmp key 6 internetworks address 192.168.1.1

 R3#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 (encrypted)

Configure the IPsec transform-set; the name will be ipsec-tunnel on both sites:


R1(config)#crypto ipsec transform-set ipsec-tunnel esp-aes 256 esp-sha-hmac

R1#show crypto ipsec transform-set ipsec-tunnel
Transform set ipsec-tunnel: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },


R3(config)#crypto ipsec transform-set ipsec-tunnel esp-aes 256 esp-sha-hmac

R3#show crypto ipsec transform-set ipsec-tunnel
Transform set ipsec-tunnel: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },



Configure the IPsec security association lifetime of 1800 seconds on both sites:

 

R1(config)#crypto ipsec security-association lifetime seconds 1800
R3(config)#crypto ipsec security-association lifetime seconds 1800

R1#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds

R3#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds


Configure the crypto map; the name of the map will be map on both sites:


R1(config)#crypto map map 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address interest-traffic
R1(config-crypto-map)#set peer 192.168.3.1
R1(config-crypto-map)#set transform-set ipsec-tunnel
R1(config-crypto-map)#exit

*Oct 18 20:35:35.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R3(config)#crypto map map 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match address interest-traffic
R3(config-crypto-map)#set peer 192.168.1.1
R3(config-crypto-map)#set transform-set ipsec-tunnel
R3(config-crypto-map)#exit

R3#show crypto map
Crypto Map "map" 100 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list interest-traffic
            access-list interest-traffic permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ipsec-tunnel:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map map:
                Serial4/1


*Oct 18 20:35:35.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


Apply the crypto map on interface serial 4/0 on router 1 and serial 4/1 on router 2:


R1(config)#interface serial 4/0
R1(config-if)#crypto map map
R1(config-if)#exit

R1#show crypto map interface serial 4/0
Crypto Map "map" 100 ipsec-isakmp
        Peer = 192.168.3.1
        Extended IP access list interest-traffic
            access-list interest-traffic permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
        Current peer: 192.168.3.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ipsec-tunnel:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map map:
                Serial4/0



R3(config)#interface serial 4/1
R3(config-if)#crypto map map
R3(config-if)#exit






Now send ICMP ping packets from PC2 192.168.10.2 to PC6 192.168.30.2 and verify that the data is encrypted and encapsulated by IPsec. Before any traffic is sent, the SA counters are all zero and no ISAKMP SA exists:


R1#show crypto ipsec sa
interface: Serial4/0
    Crypto map tag: map, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 192.168.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA

 

As of now no packet has been encrypted, so let's send some pings across the tunnel (the output below is from PC6, pinging PC2). The first echo requests time out while the IKE and IPsec SAs are being negotiated:


 PC6> show ip
NAME        : PC6[1]
IP/MASK     : 192.168.30.2/24
GATEWAY     : 192.168.30.1
DNS         :
MAC         : 00:50:79:66:68:03
LPORT       : 10054
RHOST:PORT  : 127.0.0.1:10055
MTU:        : 1500

PC6> ping 192.168.10.2
192.168.10.2 icmp_seq=1 timeout
192.168.10.2 icmp_seq=2 timeout
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=134.144 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=94.150 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=105.917 ms

PC6> ping 192.168.10.2
84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=98.854 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=92.000 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=118.293 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=123.813 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=93.092 ms

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.3.1     192.168.1.1     QM_IDLE           1004 ACTIVE
IPv6 Crypto ISAKMP SA

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.3.1     192.168.1.1     QM_IDLE           1004 ACTIVE
IPv6 Crypto ISAKMP SA




R3#show crypto ipsec sa

interface: Serial4/1
    Crypto map tag: map, local addr 192.168.3.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 266, #pkts encrypt: 266, #pkts digest: 266
    #pkts decaps: 265, #pkts decrypt: 265, #pkts verify: 265
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0x4B17CB78(1259850616)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x207351FF(544428543)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: SW:15, sibling_flags 80000046, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4458065/61)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x4E7BC766(1316734822)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 17, flow_id: SW:17, sibling_flags 80000046, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4601703/1796)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

   

Now let's configure NAT on both sites. First, configure the extended ACL that selects the traffic to be translated:

R1(config)#ip access-list extended NAT-TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
R1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 any
R1(config-ext-nacl)#exit

R1#show access-lists
Extended IP access list NAT-TRAFFIC
    10 permit ip 192.168.10.0 0.0.0.255 any
    20 permit ip 192.168.20.0 0.0.0.255 any
Extended IP access list interest-traffic
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (534 matches)


 R3(config)#ip access-list extended NAT-TRAFFIC
R3(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any
R3(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 any
R3(config-ext-nacl)#exit

R3#show access-lists
Extended IP access list NAT-TRAFFIC
    10 permit ip 192.168.30.0 0.0.0.255 any
    20 permit ip 192.168.40.0 0.0.0.255 any
Extended IP access list interest-traffic
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (532 matches)



Now configure NAT overload (PAT) on both routers' serial interfaces, and mark the inside and outside interfaces:

R1(config)#ip nat inside source list NAT-TRAFFIC interface serial 4/0 overload
R1(config)#exit

R3(config)#ip nat inside source list NAT-TRAFFIC interface serial 4/1 overload
R3(config)#exit


R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip nat outside
R1(config-if)#exit


R3(config)#interface fastEthernet 0/0
R3(config-if)#ip nat inside
R3(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip nat outside
R3(config-if)#exit


Now send some ICMP packets from PC2 to the server:





PC2> ping 100.100.100.1
84 bytes from 100.100.100.1 icmp_seq=1 ttl=62 time=125.825 ms
84 bytes from 100.100.100.1 icmp_seq=2 ttl=62 time=72.721 ms
84 bytes from 100.100.100.1 icmp_seq=3 ttl=62 time=155.640 ms
84 bytes from 100.100.100.1 icmp_seq=4 ttl=62 time=152.201 ms
84 bytes from 100.100.100.1 icmp_seq=5 ttl=62 time=64.047 ms


R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:36691 192.168.10.2:36691 100.100.100.1:36691 100.100.100.1:36691
icmp 192.168.1.1:37203 192.168.10.2:37203 100.100.100.1:37203 100.100.100.1:37203
icmp 192.168.1.1:37715 192.168.10.2:37715 100.100.100.1:37715 100.100.100.1:37715
icmp 192.168.1.1:37971 192.168.10.2:37971 100.100.100.1:37971 100.100.100.1:37971
icmp 192.168.1.1:38227 192.168.10.2:38227 100.100.100.1:38227 100.100.100.1:38227
icmp 192.168.1.1:42323 192.168.10.2:42323 100.100.100.1:42323 100.100.100.1:42323
icmp 192.168.1.1:42579 192.168.10.2:42579 100.100.100.1:42579 100.100.100.1:42579
icmp 192.168.1.1:42835 192.168.10.2:42835 100.100.100.1:42835 100.100.100.1:42835
icmp 192.168.1.1:43091 192.168.10.2:43091 100.100.100.1:43091 100.100.100.1:43091
icmp 192.168.1.1:43347 192.168.10.2:43347 100.100.100.1:43347 100.100.100.1:43347


Now send some ICMP packets from PC4 192.168.20.2 to PC8 192.168.40.2:


PC4> show ip

NAME        : PC4[1]
IP/MASK     : 192.168.20.2/24
GATEWAY     : 192.168.20.1
DNS         :
MAC         : 00:50:79:66:68:05
LPORT       : 10058
RHOST:PORT  : 127.0.0.1:10059
MTU:        : 1500

PC4> ping 192.168.40.2
84 bytes from 192.168.40.2 icmp_seq=1 ttl=61 time=192.024 ms
84 bytes from 192.168.40.2 icmp_seq=2 ttl=61 time=65.994 ms
84 bytes from 192.168.40.2 icmp_seq=3 ttl=61 time=105.218 ms
84 bytes from 192.168.40.2 icmp_seq=4 ttl=61 time=114.791 ms
84 bytes from 192.168.40.2 icmp_seq=5 ttl=61 time=175.063 ms
 

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:5717  192.168.20.2:5717  192.168.40.2:5717  192.168.40.2:5717
icmp 192.168.1.1:6229  192.168.20.2:6229  192.168.40.2:6229  192.168.40.2:6229
icmp 192.168.1.1:6741  192.168.20.2:6741  192.168.40.2:6741  192.168.40.2:6741
icmp 192.168.1.1:6997  192.168.20.2:6997  192.168.40.2:6997  192.168.40.2:6997
icmp 192.168.1.1:7253  192.168.20.2:7253  192.168.40.2:7253  192.168.40.2:7253
icmp 192.168.1.1:8277  192.168.20.2:8277  192.168.40.2:8277  192.168.40.2:8277
icmp 192.168.1.1:8789  192.168.20.2:8789  192.168.40.2:8789  192.168.40.2:8789
icmp 192.168.1.1:9045  192.168.20.2:9045  192.168.40.2:9045  192.168.40.2:9045
icmp 192.168.1.1:9301  192.168.20.2:9301  192.168.40.2:9301  192.168.40.2:9301
icmp 192.168.1.1:9557  192.168.20.2:9557  192.168.40.2:9557  192.168.40.2:9557


(These packets were translated by NAT and did not go through the configured IPsec tunnel, which is why the ISAKMP SA table below is empty. Let's now send ICMP packets that should traverse the IPsec tunnel.)

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA



R1#ping 192.168.30.2 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1

*Oct 19 01:51:19.006: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.10.1, src_addr= 192.168.30.2, prot= 1
.....
Success rate is 0 percent (0/5)


R1#ping 192.168.30.2 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)




Here we are facing the issue because IPsec does not work with NAT on the same traffic: we have to exclude the traffic to be encrypted from the NAT operation (bypass NAT). NAT must not occur for the traffic that IPsec protects, but NAT is still needed for the inside hosts so that they can access the internet.





R1#show access-lists
Extended IP access list NAT-TRAFFIC
    10 permit ip 192.168.10.0 0.0.0.255 any (17 matches)
    20 permit ip 192.168.20.0 0.0.0.255 any (16 matches)
Extended IP access list interest-traffic
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (544 matches)

(As the match counters above show, the NAT ACL is evaluated before the interesting-traffic ACL: NAT happens first, then the crypto check. Once the source address has been translated to the outside address, the packet no longer matches the crypto ACL and is sent in the clear. The fix is to add deny entries for the VPN traffic at the top of the NAT ACL, so that it is exempted from translation.)



R1(config)#ip access-list extended NAT-TRAFFIC
R1(config-ext-nacl)#5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config-ext-nacl)#6 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
R1(config-ext-nacl)#exit

R1#show access-lists
Extended IP access list NAT-TRAFFIC
    5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
    6 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
    10 permit ip 192.168.10.0 0.0.0.255 any (17 matches)
    20 permit ip 192.168.20.0 0.0.0.255 any (16 matches)
Extended IP access list interest-traffic
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (544 matches)
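To make the order of operations concrete, here is an added Python model (not part of the original article and not Cisco code) of what the router does with a packet: it evaluates the NAT ACL first, translates the source address if NAT permits it, and only then evaluates the crypto ACL against the translated packet. It parses the ACLs exactly as they appear in the show access-lists output above, and it also checks that the two crypto ACLs on R1 and R3 are mirror images, the other requirement for the tunnel to come up. The function names (parse_acl, acl_lookup, forward, is_mirror, demo) are this example's own; the NAT outside address 192.168.1.1 is R1's Serial4/0 address from the article.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(addr, wildcard=None):
    """Turn an IOS 'addr wildcard' pair (or 'any') into an IPv4Network."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text):
    """Parse 'show access-lists' style lines such as
    '5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255' or
    'permit ip 192.168.20.0 0.0.0.255 any (16 matches)'. Unnumbered lines
    get highest-sequence + 10, as IOS does. Only 'ip' entries are modelled."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else max((e.seq for e in entries), default=0) + 10
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ("ip")
        src, rest = (_network("any"), rest[1:]) if rest[0] == "any" else (_network(rest[0], rest[1]), rest[2:])
        dst = _network("any") if rest[0] == "any" else _network(rest[0], rest[1])
        entries.append(AclEntry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def forward(nat_acl, crypto_acl, src, dst, outside_ip):
    """Model the inside-to-outside order of operations: NAT runs before the
    crypto map, so the crypto ACL sees the translated source. A 'deny' in the
    NAT ACL means 'do not translate', not 'drop'. Returns (source address on
    the wire, whether the packet is encrypted)."""
    wire_src = outside_ip if acl_lookup(nat_acl, src, dst) == "permit" else src
    encrypted = acl_lookup(crypto_acl, wire_src, dst) == "permit"
    return wire_src, encrypted


def is_mirror(acl_a, acl_b):
    """Crypto ACLs on the two peers must be mirror images: every permit on one
    side must appear on the other with source and destination swapped."""
    def permits(acl):
        return {(e.src, e.dst) for e in acl if e.action == "permit"}
    return permits(acl_a) == {(d, s) for s, d in permits(acl_b)}


# ACL text taken from the article's show access-lists output.
R1_CRYPTO = "10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255"
R3_CRYPTO = "10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255"
R1_NAT_BEFORE = """
10 permit ip 192.168.10.0 0.0.0.255 any (17 matches)
20 permit ip 192.168.20.0 0.0.0.255 any (16 matches)
"""
R1_NAT_AFTER = """
5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
6 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
10 permit ip 192.168.10.0 0.0.0.255 any (17 matches)
20 permit ip 192.168.20.0 0.0.0.255 any (16 matches)
"""
R1_OUTSIDE = "192.168.1.1"  # R1 Serial4/0, the NAT overload address


def demo():
    nat_before, nat_after = parse_acl(R1_NAT_BEFORE), parse_acl(R1_NAT_AFTER)
    crypto = parse_acl(R1_CRYPTO)
    return {
        # Without the exemption PC2 -> PC6 is translated and bypasses the tunnel.
        "pc2_to_pc6_before": forward(nat_before, crypto, "192.168.10.2", "192.168.30.2", R1_OUTSIDE),
        # With the deny entries the source is preserved and the packet is encrypted.
        "pc2_to_pc6_after": forward(nat_after, crypto, "192.168.10.2", "192.168.30.2", R1_OUTSIDE),
        # Internet-bound traffic is still translated and still not encrypted.
        "pc2_to_server_after": forward(nat_after, crypto, "192.168.10.2", "100.100.100.1", R1_OUTSIDE),
        "crypto_acls_mirrored": is_mirror(crypto, parse_acl(R3_CRYPTO)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model reproduces the article's symptom: before the deny entries, the PC2 to PC6 packet leaves R1 with source 192.168.1.1 and is never matched by the crypto map; after them, it keeps its 192.168.10.2 source and is encrypted, while PC2 to the server is still translated. The same parser can be pointed at both routers' crypto ACLs to catch a non-mirrored policy before it shows up as a failed Quick Mode negotiation.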



PC2> ping 192.168.30.2
192.168.30.2 icmp_seq=1 timeout
84 bytes from 192.168.30.2 icmp_seq=2 ttl=62 time=89.998 ms
84 bytes from 192.168.30.2 icmp_seq=3 ttl=62 time=90.835 ms
84 bytes from 192.168.30.2 icmp_seq=4 ttl=62 time=90.529 ms
84 bytes from 192.168.30.2 icmp_seq=5 ttl=62 time=90.260 ms

PC2> ping 192.168.40.2
192.168.40.2 icmp_seq=1 timeout
192.168.40.2 icmp_seq=2 timeout
84 bytes from 192.168.40.2 icmp_seq=3 ttl=61 time=90.150 ms
84 bytes from 192.168.40.2 icmp_seq=4 ttl=61 time=90.295 ms
84 bytes from 192.168.40.2 icmp_seq=5 ttl=61 time=90.177 ms



PC2> ping 100.100.100.1
100.100.100.1 icmp_seq=1 timeout
100.100.100.1 icmp_seq=2 timeout
84 bytes from 100.100.100.1 icmp_seq=3 ttl=62 time=60.522 ms
84 bytes from 100.100.100.1 icmp_seq=4 ttl=62 time=61.030 ms
84 bytes from 100.100.100.1 icmp_seq=5 ttl=62 time=61.211 ms




R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:9932  192.168.10.2:9932  100.100.100.1:9932 100.100.100.1:9932
icmp 192.168.1.1:10444 192.168.10.2:10444 100.100.100.1:10444 100.100.100.1:10444
icmp 192.168.1.1:10956 192.168.10.2:10956 100.100.100.1:10956 100.100.100.1:10956
icmp 192.168.1.1:11212 192.168.10.2:11212 100.100.100.1:11212 100.100.100.1:11212
icmp 192.168.1.1:11468 192.168.10.2:11468 100.100.100.1:11468 100.100.100.1:11468



R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.3.1     192.168.1.1     QM_IDLE           1005 ACTIVE

R1#show crypto ipsec sa

interface: Serial4/0
    Crypto map tag: map, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 192.168.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
     current outbound spi: 0x1F5AD8F4(526047476)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD8EADE65(3639271013)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: SW:19, sibling_flags 80000046, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4395227/1552)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1F5AD8F4(526047476)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 20, flow_id: SW:20, sibling_flags 80000046, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4395227/1552)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:




Internetworks

Author & Editor

I am a CCIE Technical Instructor/Network consultant. I have experience ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN, and WAN environments.