Advanced IPSec Deployment Scenarios
Session 2402
Copyright 2000, Cisco Systems, Inc. All rights reserved. Printed in USA.
IPSec-DS.050300
Advanced IPSec Deployment Scenarios (agenda)
Overview of IPSec
HSRP Overview
Using IPSec with Hot Standby Routing Protocol (HSRP)
NAT Overview
Using IPSec with Network/Port Address Translation (NAT/PAT)
IPSec Overview
Initiating the IPSec session
  Phase one: exchanging keys
  Phase two: setting up security associations
Encrypting/decrypting packets
Rebuilding security associations
Timing out security associations
Encrypting and Decrypting Packets
Phase one and phase two complete
Security Associations (SAs) are created at both IPSec endpoints
Using the negotiated SADB information, outbound packets are encrypted and inbound packets are decrypted
Rebuilding Security Associations
To ensure that keys are not compromised, they are periodically refreshed
Security associations will be rebuilt when:
  The lifetime expires, or
  The data volume has been exceeded, or
  Another SA is attempted with identical parameters
[Figure: IPSec tunnel across the Internet between peer 192.1.1.1 and peer 200.1.1.2, carrying traffic for 10.1.2.0/24]
HSRP Overview
Two routers set up to use a single virtual IP address
Provides redundancy for the default gateway used by hosts
Routers do not use the HSRP virtual IP address for routing/forwarding packets
Return packets can take any path back
[Figure: HSRP example on 10.1.1.0/24. Rh1 (.2) and Rh2 (.3) share the HSRP virtual address 10.1.1.1 with virtual MAC 0000.0c07.ac01; HSRP priority 95 is shown, one router Active for 10.1.1.1 and the other Standby. Host H1 (.4) has the route 0.0.0.0/0 via 10.1.1.1 and the ARP entry 10.1.1.1 -> 0000.0c07.ac01. Router R4 (.10) holds RIP routes 0.0.0.0/0 via 10.1.1.2 and 10.1.1.3 and 10.1.2.0/24 via 10.1.1.3, i.e. via the routers' real addresses. ARP tables show 10.1.1.2 -> 0000.0c12.0002, 10.1.1.3 -> 0000.0c12.0003 and 10.1.1.4 -> 0000.0c12.0004]
[Figure: IPSec with HSRP topology. Rh1 (LAN .66, Serial0 172.17.63.98) and Rh2 (LAN .65, Serial0 172.17.63.101) share the HSRP virtual address 172.17.63.94 on 172.17.63.64/27, where hosts .67 (H1) and .69 sit. Across the Internet, R3 (172.18.24.199, LAN .1) fronts 192.168.24.0/24]
Scenario 1: Simple Dual Peer
Before HSRP failover:
  Remote peer (R3) initiates an IPSec connection with the first configured HSRP router (Rh1)
  IPSec connection is validated
  Packets are encrypted between hosts
Scenario 1: Configuration (Simple Dual Peer)
Remote Peer R3: two crypto map entries using the same access-list but different peers.
HSRP Router Rh1: a single crypto map entry using a single peer and access-list.
HSRP Router Rh2: a single crypto map entry using a single peer and access-list.
Scenario 1: Before HSRP Failover
[Figure: R3 (172.18.24.199) builds the IPSec tunnel to Rh1 (172.17.63.98), which holds the HSRP virtual address .94 on its LAN interface .66; Rh2 is .65/.101; hosts .67 and .69 on 172.17.63.64/27, host .21 on 192.168.24.0/24]
Remote Peer R3 debug output:
IPSEC(sa_request):,
(key eng. msg.) src=172.18.24.199, dest=172.17.63.98,
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.98, sa_prot=50, sa_conn_id=12
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=13
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=55
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.98, sa_prot=50, sa_conn_id=56
Scenario 1: HSRP Failover
[Figure: Rh1's LAN interface goes down and the virtual address .94 moves from Rh1 (.66) to Rh2 (.65)]
HSRP Router Rh1 (172.17.63.66):
Ethernet3 - Group 0
  Local state is Active, priority 105, may preempt
  Hot standby IP address is 172.17.63.94 configured
  Active router is local
  Standby router is 172.17.63.65 expires in 00:00:08
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Active -> Init
HSRP Router Rh2 (172.17.63.65):
Ethernet3 - Group 0
  Local state is Standby, priority 100, may preempt
  Hot standby IP address is 172.17.63.94 configured
  Active router is 172.17.63.66 expires in 00:00:09
  Standby router is local
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Standby -> Active
Scenario 1: After HSRP Failover
[Figure: Rh2 (LAN .65, Serial0 172.17.63.101) now holds the virtual address .94 and attempts to build a tunnel to R3 (172.18.24.199)]
Remote Peer R3 debug output:
IPSEC(sa_request):,
(key eng. msg.) src=172.17.63.101, dest=172.18.24.199,
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
IPSEC(validate_transform_proposal):
peer address 172.17.63.101 not found
Scenario 1: Analysis (Simple Dual Peer)
Problem: only one IPSec connection can be created by the remote peer (R3)
  Match address statements are the same in both crypto map entries
  IPSec will always match the first map entry found
  Second HSRP router is not in the first entry
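The following model of IOS crypto map selection is an added example, not code from the Cisco slides. It reproduces the first-match behaviour described above with the slide's addresses: R3's two entries share access-list 100, so entry 10 is always selected and Rh2's proposal fails with the "peer address ... not found" message shown on the debug slide. The class and function names are this example's own, and the Scenario 2 "backup peer" form (one entry listing both peers) is an assumption, since that configuration is not reproduced on the slides.

```python
"""Model of IOS crypto map selection (added example, not from the slides).
A crypto map is an ordered list of entries, each with a 'match address'
ACL and a peer list.  IOS uses the first entry whose ACL permits the
traffic; a peer proposing an SA must be listed in that entry."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Proxy = Tuple[IPv4Network, IPv4Network]   # (source network, destination network)


@dataclass
class CryptoMapEntry:
    seq: int                 # crypto map <name> <seq> ipsec-isakmp
    peers: List[str]         # 'set peer' lines
    match: List[Proxy]       # 'match address <acl>': permitted src/dst pairs

    def permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in s and dst in d for s, d in self.match)


HSRP_LAN = IPv4Network("172.17.63.64/27")     # behind Rh1/Rh2
REMOTE_LAN = IPv4Network("192.168.24.0/24")   # behind R3
ACL_100 = [(REMOTE_LAN, HSRP_LAN)]            # R3's 'match address 100'

# Scenario 1 on R3: two entries, same ACL, different peers (as on the slide).
R3_SCENARIO1 = [
    CryptoMapEntry(10, ["172.17.63.98"], ACL_100),
    CryptoMapEntry(20, ["172.17.63.101"], ACL_100),
]
# Scenario 2 'backup peer' form, assumed here: one entry listing both peers.
R3_SCENARIO2 = [
    CryptoMapEntry(10, ["172.17.63.98", "172.17.63.101"], ACL_100),
]


def select_entry(cmap: List[CryptoMapEntry], src: IPv4Address,
                 dst: IPv4Address) -> Optional[CryptoMapEntry]:
    """First-match lookup in sequence order.  A later entry whose ACL is
    identical to an earlier one can never be reached."""
    for entry in sorted(cmap, key=lambda e: e.seq):
        if entry.permits(src, dst):
            return entry
    return None


def peers_for_flow(cmap: List[CryptoMapEntry], src: str, dst: str) -> List[str]:
    """Initiator side: the peers R3 could negotiate with for this flow."""
    entry = select_entry(cmap, IPv4Address(src), IPv4Address(dst))
    return list(entry.peers) if entry else []


def validate_proposal(cmap: List[CryptoMapEntry], proposer: str,
                      src_proxy: str, dst_proxy: str) -> str:
    """Responder side, modelled on the debug on the slide.  The proxy
    identities arrive from the initiator's point of view, so they are
    mirrored before matching against the local ACL."""
    src_net, dst_net = IPv4Network(src_proxy), IPv4Network(dst_proxy)
    entry = select_entry(cmap, dst_net.network_address, src_net.network_address)
    if entry is None:
        return "no crypto map entry matches proxy identities"
    if proposer not in entry.peers:
        return f"peer address {proposer} not found"
    return f"accepted by crypto map entry {entry.seq}"


if __name__ == "__main__":
    # Rh2 (172.17.63.101) proposes after failover; Scenario 1 rejects it.
    print(validate_proposal(R3_SCENARIO1, "172.17.63.101",
                            "172.17.63.64/27", "192.168.24.0/24"))
    print(peers_for_flow(R3_SCENARIO1, "192.168.24.21", "172.17.63.67"))
```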
Scenario 2: Backup Peer
Before HSRP failover:
  Both HSRP routers can initiate separate IPSec tunnels with the remote peer (R3)
  Packets are encrypted over either IPSec tunnel
  R3 sends back over the last used IPSec tunnel
Scenario 2: Configuration (Backup Peer)
Remote Peer R3 (old configuration):
crypto map vpnmap 10 ipsec-isakmp
 set peer 172.17.63.98
 set transform-set trans1
 match address 100
crypto map vpnmap 20 ipsec-isakmp
 set peer 172.17.63.101
 set transform-set trans1
 match address 100
Scenario 2: Before HSRP Failover
[Figure: first tunnel, Rh1 (172.17.63.98) to R3 (172.18.24.199); Rh1 holds .94 on .66, Rh2 is .65/.101; hosts H1 .67 and H2 .69 on 172.17.63.64/27, host .21 on 192.168.24.0/24]
Remote Peer R3 debug output (tunnel from Rh1):
IPSEC(sa_request):,
(key eng. msg.) src=172.18.24.199, dest=172.17.63.98,
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.98, sa_prot=50, sa_conn_id=18
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=19
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=63
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.98, sa_prot=50, sa_conn_id=64
Scenario 2: Before HSRP Failover (continued)
[Figure: second tunnel, Rh2 (172.17.63.101) to R3 (172.18.24.199), alongside the first]
Remote Peer R3 debug output (tunnel from Rh2):
IPSEC(sa_request): ,
(key eng. msg.) src=172.17.63.101, dest=172.18.24.199,
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.101, sa_prot=50,sa_conn_id=93
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=94
IPSEC(create_sa): sa created,
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=66
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.101, sa_prot=50,sa_conn_id=67
[Figure: Scenario 2 with both tunnels established, Rh1 172.17.63.98 and Rh2 172.17.63.101 to R3 172.18.24.199; H1 .67 and H2 .69 on 172.17.63.64/27, host .21 on 192.168.24.0/24]
[Tables: show crypto engine connection active on R3 (IDs 63, 64, 66, 67 on Ethernet1, 172.18.24.199), Rh1 (IDs 12, 13 on Serial0, 172.17.63.98) and Rh2 (IDs 93, 94 on Serial0, 172.17.63.101); all connections state set, algorithm HMAC_MD5+DES_56_CB, with per-SA Encrypt/Decrypt packet counters]
[Figure and tables: Scenario 2 traffic flowing over both tunnels; the same show crypto engine connection active tables on R3, Rh1 and Rh2 with the Encrypt/Decrypt counters updated]
[Figure and tables: Scenario 2, further traffic; show crypto engine connection active on R3, Rh1 and Rh2 with the counters updated again]
Scenario 2: Analysis (Backup Peer)
Problem: can lose connectivity
  Both IPSec connections are available
  The remote peer sends packets back over the IPSec tunnel on which it last received packets
  If packets are sent to an IPSec peer that cannot do final delivery, then connectivity is lost
  Connectivity is only restored when a packet is received from the IPSec peer that can do final delivery
Scenario 3: Interconnect Link
Before HSRP failover:
  HSRP routers initiate separate IPSec tunnels with the remote peer
  Packets can be encrypted over either IPSec tunnel
  Remote peer sends back over the last used IPSec tunnel
  Interconnect link is not used
Scenario 3: Configuration (Interconnect Link)
HSRP Router Rh1 (interconnect link and static route):
interface Ethernet2
 ip address 172.17.63.34 255.255.255.224
 no shutdown
!
ip route 172.17.63.64 255.255.255.224 172.17.63.33
HSRP Router Rh2 (interconnect link and static route):
interface Ethernet2
 ip address 172.17.63.33 255.255.255.224
 no shutdown
!
ip route 172.17.63.64 255.255.255.224 172.17.63.34
Scenario 3: Topology
[Figure: Rh1 (LAN .66, Serial0 .98) and Rh2 (LAN .65, Serial0 .101) share HSRP virtual 172.17.63.94 on 172.17.63.64/27 with hosts H1 .67 and H2 .69; the interconnect link joins Rh1 Ethernet2 .34 and Rh2 Ethernet2 .33; R3 (172.18.24.199, LAN .1) fronts 192.168.24.0/24 with host .21]
show crypto engine connection active
R3:
ID  Interface  IP-Address     State  Algorithm           Encrypt  Decrypt
63  Ethernet1  172.18.24.199  set    HMAC_MD5+DES_56_CB  0        4
64  Ethernet1  172.18.24.199  set    HMAC_MD5+DES_56_CB  4        0
66  Ethernet1  172.18.24.199  set    HMAC_MD5+DES_56_CB  0        4
67  Ethernet1  172.18.24.199  set    HMAC_MD5+DES_56_CB  4        0
Rh1:
ID  Interface  IP-Address     State  Algorithm           Encrypt  Decrypt
12  Serial0    172.17.63.98   set    HMAC_MD5+DES_56_CB  0        4
13  Serial0    172.17.63.98   set    HMAC_MD5+DES_56_CB  4        0
Rh2:
ID  Interface  IP-Address     State  Algorithm           Encrypt  Decrypt
93  Serial0    172.17.63.101  set    HMAC_MD5+DES_56_CB  0        4
94  Serial0    172.17.63.101  set    HMAC_MD5+DES_56_CB  4        0
[Figure and tables: Scenario 3 with traffic flowing; show crypto engine connection active on R3 (IDs 63, 64, 66, 67), Rh1 (IDs 12, 13) and Rh2 (IDs 93, 94) with the Encrypt/Decrypt counters updated]
Scenario 3: HSRP Failover
HSRP Router Rh1:
Rh1#show ip route
C    172.17.63.32/27 is directly connected, Ethernet2
C    172.17.63.64/27 is directly connected, Ethernet3
C    172.17.63.96/30 is directly connected, Serial0
%LINK-5-CHANGED: Interface Ethernet3, changed state to administratively down
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Active -> Init
Rh1#show ip route
C    172.17.63.32/27 is directly connected, Ethernet2
S    172.17.63.64/27 [1/0] via 172.17.63.33
C    172.17.63.96/30 is directly connected, Serial0
[Figure and tables: Scenario 3 after HSRP failover, the virtual address .94 now on Rh2 (.65); show crypto engine connection active on R3, Rh1 and Rh2 with the counters updated]
Rh1:
IP: s=172.18.24.199 (Serial0), d=172.17.63.98 (Serial0), len 136, rcvd 3, proto=50
IP: s=192.168.24.21 (Serial0), d=172.17.63.69 (Ethernet2), g=172.17.63.33, len 84, forward
    ICMP type=8, code=0
Rh2:
IP: s=192.168.24.21 (Ethernet2), d=172.17.63.69 (Ethernet3), g=172.17.63.69, len 84, forward
    ICMP type=8, code=0
IP: s=172.17.63.69 (Ethernet3), d=192.168.24.21 (Serial0), g=172.17.63.102, len 84, forward
    ICMP type=0, code=0
(Can't see IPSec tunnel packet going out)
R3:
Scenario 3: Analysis (Interconnect Link)
Success: the interconnect link protects from connectivity loss
But:
  Scenarios 2 and 3 can take time to switch over if the current HSRP active router goes down
  Very little control over the link used by the remote peer
Scenario 4: GRE Tunnels
Separate GRE tunnels are built
Use transport mode IPSec to encrypt the GRE tunnel
Shut down the cross-link from Scenario 3
HSRP Router:
router rip
 version 2
 network 172.17.0.0
 passive-interface serial0
 distribute-list 2 out
!
access-list 2 permit 172.17.63.64
Router R3:
router rip
 version 2
 network 172.17.0.0
 network 192.168.24.0
 distribute-list 2 out
!
access-list 2 permit 192.168.24.0
[Figure and tables: Scenario 4 with both GRE tunnels up; show crypto engine connection active on R3 (IDs 63, 64, 66, 67 on Ethernet1, 172.18.24.199), Rh1 (IDs 12, 13 on Serial0, 172.17.63.98) and Rh2 (IDs 93, 94 on Serial0, 172.17.63.101), all state set, HMAC_MD5+DES_56_CB]
Load balance packets over both tunnels
[Figure and tables: Scenario 4 with packets load-balanced over both tunnels; show crypto engine connection active on R3, Rh1 and Rh2 with counters updated on both HSRP routers]
Scenario 4: HSRP Failover
HSRP Router Rh1:
%LINK-5-CHANGED: Interface Ethernet3, changed state to administratively down
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Active -> Init
Routing Table on R3:
[Figure and tables: Scenario 4 after HSRP failover, the virtual address .94 now on Rh2 (.65); show crypto engine connection active on R3, Rh1 and Rh2 with the counters updated]
Scenario 4: Analysis (GRE Tunnels)
IPSec-encrypted GRE tunnels:
  Can run a routing protocol between the local and remote ends of the VPN tunnel
  Path selection converges as fast as the routing protocol
  Full control of the usage of the tunnel and the HSRP routers
IPSec transport mode reduces packet size as compared with IPSec tunnel mode
NAT/PAT Overview
Network address translation
Port address translation
Translating local addresses to global addresses
  Dynamic translations
  Static translations
[Figure: NAT on an outbound packet. Host 10.1.1.2 behind the NAT router (inside 10.1.1.1, outbound interface 170.10.1.2) sends to Internet host 198.33.219.25. Before NAT the packet is 10.1.1.2 -> 198.33.219.25; after NAT it is 170.10.1.251 -> 198.33.219.25. NAT address table: 170.10.1.251 to 170.10.1.254. Translation table: Inside Local 10.1.1.2, Inside Global 170.10.1.251]
59
10.1.1.1
Internet
NAT
Outbound Interface
170.10.1.2
198.33.219.25
10.1.1.2
After NAT
Return Packet
NAT
NAT Address
Address Table
Table
- - 170.10.1.252
170.10.1.253
170.10.1.254
2402
1187_05_2000_c2
198.33.219.25 170.10.1.251
Before NAT
Return Packet
Translation Table
Inside Local
Inside Global
10.1.1.2
170.10.1.251
- - - - - - - - -
Copyright 2000, Cisco Systems, Inc. All rights reserved. Printed in USA.
IPSec-DS.050300
60
30
10.1.1.1
Internet
NAT
Outbound Interface
170.10.1.2
198.33.219.25 170.10.1.251
After NAT
Return Packet
NAT
NAT Address
Address Table
Table
170.10.1.251
- - 170.10.1.252
170.10.1.253
170.10.1.254
2402
1187_05_2000_c2
198.33.219.25 170.10.1.251
Before NAT
Return Packet
Translation Table
Inside Local
Inside Global
10.1.1.2
- - 170.10.1.251
- - - - - - - - - - -
Inbound traffic: IPSec happens before NAT/PAT
[Figure: packet path through the router. Outbound: Intranet -> inbound interface -> NAT -> IPSec -> outbound interface -> Internet. Inbound traffic follows the reverse path, so IPSec is applied before NAT/PAT]
Scenario 2: NAT
Need communication over a secure VPN tunnel and access to the Internet
Scenario 1: No NAT
Description: VPN clients using private addresses only need to talk to other private addresses over a secure tunnel.
  Packets are sent over the IPSec tunnel
  Packets traversing the IPSec tunnel do not need NAT
Scenario 1: No NAT (Private to Private with IPSec)
[Figure: echo request 10.1.1.2 -> 10.1.2.2 enters the inbound interface of the router at 192.1.1.1; NAT is not used; IPSec (proxy 10.1.1.0/24 ==> 10.1.2.0/24) encrypts it out the outbound interface as 192.1.1.1 -> 200.1.1.2. At the remote router the packet arrives on the inbound interface 200.1.1.2, is decrypted (proxy 10.1.2.0/24 ==> 10.1.1.0/24), NAT is not used, and 10.1.1.2 -> 10.1.2.2 is delivered. Topology: 10.1.1.0/24 behind 192.1.1.1, 10.1.2.0/24 behind 200.1.1.2, Internet host 192.10.1.1]
Scenario 1: No NAT (Private to Private with IPSec), return path
[Figure: the echo reply 10.1.2.2 -> 10.1.1.2 takes the reverse path: NAT not used, encrypted by 200.1.1.2 (proxy 10.1.2.0/24 ==> 10.1.1.0/24) as 200.1.1.2 -> 192.1.1.1, decrypted at 192.1.1.1 (proxy 10.1.1.0/24 ==> 10.1.2.0/24), NAT not used, delivered to 10.1.1.2]
Scenario 1: No NAT (Configurations)
[Figure: topology for the configurations. LAN 10.1.1.0/24 (hosts .2 and .3, router inside .1) behind the router with outside address 192.1.1.1; LAN 10.1.2.0/24 (hosts .2 and .3, router inside .1) behind the remote router with outside address 200.1.1.2; Internet side shows 200.1.1.1 and host 192.10.1.1; IPSec tunnel between 192.1.1.1 and 200.1.1.2]
Scenario 1: No NAT (Debugs)
IPSec starting:
IPSEC(sa_request): ,
(key eng. msg.) src=192.1.1.1, dest=200.1.1.2,
src_proxy=10.1.1.0/255.255.255.0/0/0 (type=4),
dest_proxy=10.1.2.0/255.255.255.0/0/0 (type=4),
protocol=ESP, transform=esp-des esp-md5-hmac ,
lifedur=3600s and 4608000kb,
spi=0x0(0), conn_id=0, keysize=0, flags=0x4004
Create security association:
IPSEC(create_sa): sa created,
(sa) sa_dest=192.1.1.1, sa_prot=50,
sa_spi=0xB49231D(189342493),
sa_trans=esp-des esp-md5-hmac , sa_conn_id=20
IPSEC(create_sa): sa created,
(sa) sa_dest=200.1.1.2, sa_prot=50,
sa_spi=0x1290F4F(19468111),
sa_trans=esp-des esp-md5-hmac , sa_conn_id=21
Packets encrypted and decrypted:
#show crypto engine connection active
ID  Interface  IP-Address  St   Algorithm   Encrypt  Decrypt
20  Ethernet1  192.1.1.1   set  MD5+DES_56  0        5
21  Ethernet1  192.1.1.1   set  MD5+DES_56  5        0
Scenario 2: NAT
Description: VPN clients using private addresses need to talk to other private addresses over a secure tunnel
  Private address packets are sent over the IPSec tunnel
  Packets traversing the IPSec tunnel do not need NAT
Scenario 2 (NAT): Configuration
Translate IP source 10.1.1.0 - 10.1.1.255 to 192.1.1.20 - 192.1.1.24
Scenario 2 (NAT): Access to the Internet
[Figure: outbound packets: echo request 10.1.1.2 -> 192.10.1.1 enters the inside interface, NAT translates the source to 192.1.1.20, the packet passes the IPSec step unchanged and leaves the outside interface 192.1.1.1 as 192.1.1.20 -> 192.10.1.1. Inbound packets: echo reply 192.10.1.1 -> 192.1.1.20 is translated back to 192.10.1.1 -> 10.1.1.2]
Scenario 2 (NAT): Access to the Internet
Packet trace on the NAT router:
NAT: s=10.1.1.2->192.1.1.20, d=192.10.1.1 [10205]
IP: s=192.1.1.20 (Ethernet1), d=192.10.1.1 (Ethernet0), g=192.1.1.2, forward
    ICMP type=8, code=0
NAT: s=192.10.1.1, d=192.1.1.20->10.1.1.2 [18087]
IP: s=192.10.1.1 (Ethernet0), d=10.1.1.2 (Ethernet1), g=10.1.1.2, forward
    ICMP type=0, code=0
[Table: NAT translation table; the Outside local and Outside global columns show ---]
Scenario 2 (NAT): Access to VPN Client
[Figure: outbound packets: echo request 10.1.1.3 -> 10.1.2.2 enters the inside interface; NAT translates the source to 192.1.1.21, so the packet reaching the IPSec step and the outside interface 192.1.1.1 is 192.1.1.21 -> 10.1.2.2]
Scenario 2 (NAT): Packet Debugs (Failure)
[Debug output and NAT translation table: the translation is present (Outside local and Outside global show -----), the translated packet no longer matches the IPSec proxy, IPSec tunnels are not built, and show crypto engine connection active lists no connections]
Scenario 2 (NAT): The Solution
[Figure: same topology as above]
We need to add NAT rules that say: if the source and the destination address match the IPSec proxy, don't do NAT; else do NAT.
ip nat pool p-name 192.1.1.20 192.1.1.24 netmask 255.255.255.0
ip nat inside source route-map nonat pool p-name
access-list 110 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
Scenario 2 (NAT): Fixed Configuration
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set vpntrans
 match address 100
interface Ethernet0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
 crypto map vpnmap
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip nat pool p-name 192.1.1.20 192.1.1.24 netmask 255.255.255.0
ip nat inside source route-map nonat pool p-name
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
Scenario 2 (NAT): Packet Flow
[Figure: echo request 10.1.1.2 -> 10.1.2.2 enters the inside interface; NAT is not used; IPSec (proxy 10.1.1.0/24 ==> 10.1.2.0/24) encrypts it out the outside interface 192.1.1.1 as 192.1.1.1 -> 200.1.1.2; the remote router 200.1.1.2 decrypts it (proxy 10.1.2.0/24 ==> 10.1.1.0/24), NAT is not used, and 10.1.1.2 -> 10.1.2.2 is delivered on its inside interface]
Scenario 2 (NAT): Return Packet Flow
[Figure: the echo reply 10.1.2.2 -> 10.1.1.2 takes the reverse path: NAT not used, encrypted by 200.1.1.2 as 200.1.1.2 -> 192.1.1.1, decrypted at 192.1.1.1, NAT not used, delivered to 10.1.1.2]
Scenario 2 (NAT): Packet Trace (Success)
IP: s=10.1.1.2 (Ethernet1), d=10.1.2.2 (Ethernet0), g=192.1.1.2, len 84, forward
    ICMP type=8, code=0
(Can't see IPSec packet going out)
IP: s=200.1.1.2 (Ethernet0), d=192.1.1.1 (Ethernet0), len 136, rcvd 3, proto=50
IP: s=10.1.2.2 (Ethernet0), d=10.1.1.2 (Ethernet1), g=10.1.1.2, len 84, forward
    ICMP type=0, code=0
IP: s=10.1.1.2 (Ethernet1), d=10.1.2.2 (Ethernet0), g=192.1.1.2, len 84, forward
    ICMP type=8, code=0
(Can't see IPSec packet going out)
IP: s=200.1.1.2 (Ethernet0), d=192.1.1.1 (Ethernet0), len 136, rcvd 3, proto=50
IP: s=10.1.2.2 (Ethernet0), d=10.1.1.2 (Ethernet1), g=10.1.1.2, len 84, forward
    ICMP type=0, code=0
#show crypto engine connection active
ID  Interface  IP-Address  State  Algorithm           Encrypt  Decrypt
6   Ethernet0  192.1.1.1   set    HMAC_MD5+DES_56_CB  0        2
7   Ethernet0  192.1.1.1   set    HMAC_MD5+DES_56_CB  2        0
[Figure: Scenario 3, static NAT for the server 10.1.1.10. Outbound packets: echo request 10.1.1.10 -> 192.10.1.1 enters the inside interface, NAT translates it to 192.1.1.10 -> 192.10.1.1, the IPSec step leaves it unchanged and it exits the outside interface 192.1.1.1. Inbound packets: echo reply 192.10.1.1 -> 192.1.1.10 is translated back to 192.10.1.1 -> 10.1.1.10]
[Figure: Internet host 192.10.1.1 reaches the server through the static translation. Inbound packets: echo request 192.10.1.1 -> 192.1.1.10 is translated to 192.10.1.1 -> 10.1.1.10. Outbound packets: echo reply 10.1.1.10 -> 192.10.1.1 is translated to 192.1.1.10 -> 192.10.1.1 and leaves the outside interface 192.1.1.1. NAT translation table shown, Outside local and Outside global ---]
[Figure: server to VPN client. Outbound packets: echo request 10.1.1.10 -> 10.1.2.2 enters the inside interface; the static translation changes the source to 192.1.1.10, so the packet at the IPSec step and the outside interface 192.1.1.1 is 192.1.1.10 -> 10.1.2.2]
[Figure: VPN client to server. The IPSec packet 200.1.1.2 -> 192.1.1.1, sent from the remote router's outbound interface 200.1.1.2, arrives on the outside interface 192.1.1.1 and is decrypted to the echo request 10.1.2.2 -> 10.1.1.10; it passes the NAT step unchanged and is delivered via the inside interface]
[Figure: outbound packets: the echo reply 10.1.1.10 -> 10.1.2.2 enters the inside interface, static NAT changes it to 192.1.1.10 -> 10.1.2.2, and it leaves the outside interface 192.1.1.1 without entering the tunnel]
After NAT, the return packet will have a source of the static 192.1.1.10 and a destination of 10.1.2.2, once again not matching the IPSec proxy, so the return traffic will not go back into the IPSec tunnel.
[Table: show crypto engine connection active on the NAT router: two connections on 192.1.1.1, state set, HMAC_MD5+DES_56_CB; one shows Encrypt 0 / Decrypt 2, the other Encrypt 0 / Decrypt 0: the requests were decrypted but no replies were encrypted]
Scenario 3: NAT with Server Solution
We still need the NAT configuration statements described in the previous slides to allow Internet access
Because of the static NAT entry we now need more complex rules:
  If the IP source matches the static and the IP destination matches the IPSec proxy,
  then use a policy route-map to route the packet via a loopback interface to bypass NAT
interface Loopback1
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
 crypto map test
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip route-cache policy
 ip policy route-map rmap
!
ip nat pool p-name 192.1.1.20 192.1.1.23 prefix-length 24
ip nat inside source route-map nonat pool p-name
ip nat inside source static 10.1.1.10 192.1.1.10
ip route 0.0.0.0 0.0.0.0 192.1.1.2
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 permit ip host 10.1.1.10 10.1.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 110
route-map rmap permit 10
 match ip address 120
 set ip next-hop 10.0.0.2
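The packet walk below is an added example, not code from the Cisco slides; it models the NAT router of the Scenario 2 solution and of this Scenario 3 configuration. An inside-to-outside packet is run through the steps in the order IOS applies them: policy routing on the inside interface (route-map rmap, ACL 120), static NAT, route-map controlled dynamic NAT (route-map nonat, ACL 110), then the crypto map ACL 100 on the outside interface. The ACL numbers, pool and addresses are the slide's; the Python names are this example's own, and ports and translation-table ageing are ignored. Running it with policy routing off reproduces the failure (server traffic leaves as 192.1.1.10 and misses the proxy); with it on, the server's reply stays 10.1.1.10 and is encrypted.

```python
"""Inside->outside packet walk through the NAT/IPSec router of the slides
(added example, not from the slides).  Order modelled: policy routing on
the inside interface, static NAT, route-map dynamic NAT, crypto map ACL."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <src-wild> <dst> <dst-wild>' line."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    @staticmethod
    def _hit(addr: IPv4Address, base: str, wild: str) -> bool:
        # IOS wildcard mask: a 1 bit means 'do not care' for that bit.
        w = int(IPv4Address(wild))
        return (int(addr) | w) == (int(IPv4Address(base)) | w)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self._hit(src, self.src, self.src_wild)
                and self._hit(dst, self.dst, self.dst_wild))


def acl_permits(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching line decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
# access-list 100: crypto map 'match address' (the IPSec proxy)
ACL_100 = [Ace("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
# access-list 110, used by route-map nonat: deny = leave untranslated
ACL_110 = [Ace("deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
           Ace("permit", "10.1.1.0", "0.0.0.255", *ANY)]
# access-list 120, used by policy route-map rmap on Ethernet1
ACL_120 = [Ace("permit", "10.1.1.10", "0.0.0.0", "10.1.2.0", "0.0.0.255")]
# ip nat inside source static 10.1.1.10 192.1.1.10
STATIC_NAT: Dict[IPv4Address, IPv4Address] = {
    IPv4Address("10.1.1.10"): IPv4Address("192.1.1.10")}
# ip nat pool p-name 192.1.1.20 192.1.1.23
POOL = [IPv4Address("192.1.1.%d" % i) for i in range(20, 24)]


@dataclass
class Result:
    src: str            # source address as seen on the outside interface
    translated: bool
    bypassed_nat: bool  # policy-routed via Loopback1
    encrypted: bool     # matched the crypto map ACL on Ethernet0


def inside_to_outside(src: str, dst: str, policy_routing: bool = True) -> Result:
    """Walk one packet from Ethernet1 (ip nat inside) to Ethernet0
    (ip nat outside, crypto map applied)."""
    orig, s, d = IPv4Address(src), IPv4Address(src), IPv4Address(dst)
    # 1. Policy routing on the inside interface.  A match sets next hop
    #    10.0.0.2 via Loopback1, which is neither 'ip nat inside' nor
    #    'ip nat outside', so the inside->outside NAT step never fires
    #    when the packet re-enters and is routed out Ethernet0.
    bypass = policy_routing and acl_permits(ACL_120, s, d)
    if not bypass:
        # 2. Static translations always apply, whatever the route-map says.
        if s in STATIC_NAT:
            s = STATIC_NAT[s]
        # 3. Dynamic NAT only when route-map nonat (ACL 110) permits.
        elif acl_permits(ACL_110, s, d):
            s = POOL[0]     # first pool address; single-packet model
    # 4. The crypto map on Ethernet0 sees the post-NAT header.
    encrypted = acl_permits(ACL_100, s, d)
    return Result(str(s), s != orig, bypass, encrypted)


if __name__ == "__main__":
    print(inside_to_outside("10.1.1.10", "10.1.2.2", policy_routing=False))
    print(inside_to_outside("10.1.1.10", "10.1.2.2"))
```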
Scenario 3 Fixed: VPN Client to Server
[Figure: topology with Loopback1 on 10.0.0.0/30 (.1) added to the NAT router. The IPSec packet 200.1.1.2 -> 192.1.1.1 from the remote router's outbound interface arrives on the outside interface 192.1.1.1, is decrypted to the echo request 10.1.2.2 -> 10.1.1.10, passes the NAT step unchanged and is delivered via the inside interface]
Scenario 3 Fixed: VPN Client to Server (Cont.)
[Figure: the echo reply 10.1.1.10 -> 10.1.2.2 from the inside interface is policy-routed to Loopback1, re-enters the router, passes NAT unchanged and leaves the outside interface 192.1.1.1 encrypted as 192.1.1.1 -> 200.1.1.2; the remote router decrypts it on its inbound interface 200.1.1.2 and delivers 10.1.1.10 -> 10.1.2.2]
Policy routing will route the return packet through the loopback; the packet will then come back to the router on the loopback and be routed normally out Ethernet0. NAT will not be invoked, since the loopback is not marked as a NAT interface.
Scenario 3 Fixed: VPN Client to Server (packet trace)
IP: s=200.1.1.2 (Ethernet0), d=192.1.1.1 (Ethernet0), len 136, rcvd 3, proto=50
IP: s=10.1.2.2 (Ethernet0), d=10.1.1.10 (Ethernet1), g=10.1.1.10, len 84, forward
    ICMP type=8, code=0
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2, len 84, policy match
    ICMP type=0, code=0
IP: route map nonat, item 10, permit
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2 (Loopback1), len 84, policy routed
    ICMP type=0, code=0
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2 (Loopback1), g=10.0.0.2, len 84, forward
    ICMP type=0, code=0
IP: s=10.1.1.10 (Loopback1), d=10.1.2.2 (Ethernet0), g=192.1.1.2, len 84, forward
    ICMP type=0, code=0
(Can't see IPSec packet going out)
#show crypto engine connection active
ID  Interface  IP-Address  State  Algorithm           Encrypt  Decrypt
12  Ethernet0  192.1.1.1   set    HMAC_MD5+DES_56_CB  0        1
13  Ethernet0  192.1.1.1   set    HMAC_MD5+DES_56_CB  1        0
Scenario 2 (NAT): Summary
Configure NAT so that traffic matching the IPSec proxy is not translated