Re: ipsec issue

From: jack daniels <jckdaniels12_at_gmail.com>
Date: Tue, 16 Mar 2010 18:11:26 +0530

Hi guys, to make it simple:
 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
----------------------------------- ipsec termination - 5.5.5.5

1.1.1.1 needs access via ipsec tunnel to 5.5.5.5
1.1.1.1 needs to access internet also

These things are happening with my config.

BUT ISSUE IS SOMEONE FROM OUTSIDE NEEDS TO CONNECT TO 1.1.1.1, BUT HE will
give the IP IN HIS PC FOR CONNECTION as 2.2.2.5 <<<<<<<<

PLEASE SUGGEST ANY SOLUTION FOR SAME.<<<<<<<<<<<<<<<<<<<<<<<<<<<

And when for this I put static NAT:

ip nat inside source static 1.1.1.1 2.2.2.5
ISSUE - but when I recreate the IPSEC tunnel by clearing it, it doesn't come up.

PLEASE SUGGEST ANY SOLUTION FOR SAME.

On Tue, Mar 16, 2010 at 5:22 PM, jack daniels <jckdaniels12_at_gmail.com> wrote:

> Hi guys,
>
>
> Please help me with an issue
>
> 1.1.1.1----- 1.1.1.2 ROUTER FA4 2.2.2.2-----2.2.2.1 ADSL ROUTER ---INTERNET
> ----------------------------------- ipsec termination - 5.5.5.5
>
>
> Requirements -
> 1) 1.1.1.1 access server 5.5.5.5 ( server ) after establishing ipsec
> 2) 1.1.1.1 access internet
> 3) 2.2.2.0/24 NATing to a public IP given by ISP done on ADSL router
> 4) People from outside should access 2.2.2.5<<<<this ip should point to
> 1.1.1.1
>
>
> config ---
>
>
> ip cef
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key EX(epT!0n21Iye address 100.100.100.100
> !
> crypto ipsec security-association lifetime seconds 1800
> !
> crypto ipsec transform-set TEST esp-3des esp-sha-hmac
> !
> crypto map VPN 20 ipsec-isakmp
> set peer 100.100.100.100
> set security-association lifetime seconds 86400
> set transform-set TEST
> match address 101
> archive
> log config
> hidekeys
> !
> !
> !
> !
> interface FastEthernet0
> !
> interface FastEthernet1
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> ip address 2.2.2.2 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map VPN
> !
> interface Vlan1
> ip address 1.1.1.2 255.255.255.240
> ip nat inside
> ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 2.2.2.1
> !
> no ip http server
> no ip http secure-server
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static 1.1.1.1 2.2.2.5
> !
> access-list 101 permit ip 1.1.1.0 0.0.0.255 host 5.5.5.5
> access-list 102 deny ip 1.1.1.0 0.0.0.255 host 5.5.5.5
> access-list 102 permit ip 1.1.1.0 0.0.0.255 any
> !
> !
> route-map nonat permit 10
> match ip address 102
> !

Received on Tue Mar 16 2010 - 18:11:26 ART
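
An added example, not part of the original message or of any Cisco code: a small Python model of the router's inside-to-outside path, assuming IOS applies NAT before it checks the crypto map ACL. It evaluates the posted ACL 101, ACL 102 and static entry for 1.1.1.1, once with the unconditional static NAT and once with the static entry tied to the existing `nonat` route-map (`ip nat inside source static 1.1.1.1 2.2.2.5 route-map nonat`, which assumes an IOS release that accepts a route-map on static NAT); the function names and the Internet host 198.51.100.10 are constructed for illustration.

```python
"""Added example: NAT-then-crypto-ACL ordering for the config in this thread."""
from ipaddress import ip_address, ip_network

# Values taken from the posted config (wildcard 0.0.0.255 is modelled as /24).
INSIDE_NET = ip_network("1.1.1.0/24")
VPN_SERVER = ip_address("5.5.5.5")
STATIC_LOCAL = ip_address("1.1.1.1")
STATIC_GLOBAL = ip_address("2.2.2.5")
FA4_ADDR = ip_address("2.2.2.2")  # address used by the "overload" rule


def acl101(src, dst):
    """Crypto ACL: permit ip 1.1.1.0 0.0.0.255 host 5.5.5.5."""
    return src in INSIDE_NET and dst == VPN_SERVER


def acl102(src, dst):
    """route-map nonat: deny traffic to 5.5.5.5, permit the rest of 1.1.1.0/24."""
    if src in INSIDE_NET and dst == VPN_SERVER:
        return False
    return src in INSIDE_NET


def translate(src, dst, static_uses_route_map):
    """Return the post-NAT source; a static entry wins over the dynamic rule."""
    if src == STATIC_LOCAL and (not static_uses_route_map or acl102(src, dst)):
        return STATIC_GLOBAL
    if acl102(src, dst):
        return FA4_ADDR
    return src  # exempt from NAT, source address unchanged


def egress(src, dst, static_uses_route_map):
    """NAT first, then match the crypto ACL against the translated packet."""
    src, dst = ip_address(src), ip_address(dst)
    nat_src = translate(src, dst, static_uses_route_map)
    return str(nat_src), "ipsec" if acl101(nat_src, dst) else "clear"


if __name__ == "__main__":
    for with_route_map in (False, True):
        print("static NAT with route-map:", with_route_map)
        print("  to 5.5.5.5      ->", egress("1.1.1.1", "5.5.5.5", with_route_map))
        print("  to 198.51.100.10 ->", egress("1.1.1.1", "198.51.100.10", with_route_map))
```

In this model the unconditional static entry rewrites 1.1.1.1 to 2.2.2.5 before ACL 101 is consulted, so the packet no longer matches the crypto ACL and leaves unencrypted; on a router, `show ip nat translations` and `show crypto ipsec sa` are the places to confirm which case applies.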
