4.3 Should we use NAT exempt instead of Static nat


For this task, I propose another way to solve it.


nat (inside) 0 access-list no-nat
nat (inside) 2 access-list icmp
nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface
global (outside) 2 132.1.69.222 netmask 255.255.255.255

access-list no-nat extended permit esp host 150.1.1.1 host 150.1.6.6
access-list no-nat extended permit udp host 150.1.1.1 host 150.1.6.6 eq isakmp


because other packets (except ICMP / IPsec between R1 and R6) still need to be unencrypted, as per the 2.1 requirement.


--------------


Rack1R1#telnet 150.1.6.6
Trying 150.1.6.6 ... Open


User Access Verification

Password:
Rack1R6>en
Password:
Rack1R6#s

    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:54  
*130 vty 0                idle                 00:00:00 132.1.69.9

----------------------------------------------------------------------------

Rack1R6#
*Mar  4 00:20:48.214: ICMP: echo reply sent, src 150.1.6.6, dst 150.1.1.1
*Mar  4 00:20:48.410: ICMP: echo reply sent, src 150.1.6.6, dst 150.1.1.1
*Mar  4 00:20:48.506: ICMP: echo reply sent, src 150.1.6.6, dst 150.1.1.1
*Mar  4 00:20:48.614: ICMP: echo reply sent, src 150.1.6.6, dst 150.1.1.1
*Mar  4 00:20:48.710: ICMP: echo reply sent, src 150.1.6.6, dst 150.1.1.1


----------------------------------------------------------------------------

Rack1R1#sh crypto isa sa
dst             src             state          conn-id slot
150.1.1.1       150.1.6.6       QM_IDLE              1    0

Rack1R1#sh crypto ipse sa

interface: Serial1/0.1234
    Crypto map tag: vpn, local addr. 150.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (150.1.1.1/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (150.1.6.6/255.255.255.255/1/0)
   current_peer: 150.1.6.6:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8


ip access-list extended vpn
 permit icmp host 150.1.1.1 host 150.1.6.6


-------------------------------------------------------------------------------

Comments

  • I used a static NAT

    static (inside,outside) 132.1.69.1 150.1.1.1 netmask 255.255.255.255


    The NAT forced me to permit UDP 4500 (NAT-T).


    access-list fw-in line 7 extended permit esp host 150.1.6.6 host 132.1.69.1 (hitcnt=10) 0x04bea6ee
    access-list fw-in line 8 extended permit udp host 150.1.6.6 host 132.1.69.1 eq isakmp (hitcnt=1) 0x01b2eaf2
    access-list fw-in line 9 extended permit udp host 150.1.6.6 host 132.1.69.1 eq 4500 (hitcnt=2) 0xcfd7318e
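As an added illustration (not code from the post or the lab solution), this Python model walks both designs through the pre-8.3 ASA NAT order and the RFC 3947 NAT-D check: the nat 0 exemption keeps R1's real address, so R6 only needs ESP and UDP/500 inbound, while the commenter's static NAT makes IKE detect a NAT and float to UDP/4500. Assumptions: the contents of access-list icmp, 132.1.69.9 as the outside interface address (taken from the 'show users' output), and SHA-1 with constructed cookies for the NAT-D hash.

```python
import hashlib
from ipaddress import ip_address

# Constructed model (not ASA code) of the pre-8.3 NAT order: nat 0 exemption,
# then static, then policy NAT (nat <id> access-list), then the nat 1 catch-all.
# ACE tuples: (protocol, source host, destination host, destination port or None).
NO_NAT_ACL = [("esp", "150.1.1.1", "150.1.6.6", None),       # access-list no-nat
              ("udp", "150.1.1.1", "150.1.6.6", 500)]        # ... eq isakmp
ICMP_ACL = [("icmp", "150.1.1.1", "150.1.6.6", None)]         # assumed contents of access-list icmp
GLOBALS = {1: "132.1.69.9",      # global (outside) 1 interface; outside address assumed
           2: "132.1.69.222"}    # global (outside) 2 132.1.69.222
STATIC_NAT = {"150.1.1.1": "132.1.69.1"}                      # the commenter's static NAT


def ace_matches(ace, proto, src, dst, dport):
    aproto, asrc, adst, aport = ace
    return (aproto, asrc, adst) == (proto, src, dst) and aport in (None, dport)


def asa_translate(proto, src, dst, dport, exempt=NO_NAT_ACL, static=None):
    """Return (source address seen on the outside, matching rule) for an inside->outside flow."""
    static = static or {}
    if any(ace_matches(a, proto, src, dst, dport) for a in exempt):
        return src, "nat 0 (exempt)"
    if src in static:
        return static[src], "static"
    if any(ace_matches(a, proto, src, dst, dport) for a in ICMP_ACL):
        return GLOBALS[2], "nat 2 (policy)"
    return GLOBALS[1], "nat 1 (PAT)"


def nat_d(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 used as the example hash."""
    return hashlib.sha1(cky_i + cky_r + ip_address(ip).packed + port.to_bytes(2, "big")).digest()


def ike_needs_nat_t(exempt=NO_NAT_ACL, static=None):
    """Does R6 detect a NAT in front of R1 and float IKE/ESP to UDP 4500?"""
    seen_src, _ = asa_translate("udp", "150.1.1.1", "150.1.6.6", 500, exempt, static)
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                  # constructed IKE cookies
    sent = nat_d(cky_i, cky_r, "150.1.1.1", 500)             # R1 hashes its real address
    observed = nat_d(cky_i, cky_r, seen_src, 500)            # R6 hashes the header it receives
    return sent != observed


if __name__ == "__main__":
    print(asa_translate("esp", "150.1.1.1", "150.1.6.6", None))   # exempt: R6 sees 150.1.1.1
    print(asa_translate("tcp", "150.1.1.1", "150.1.6.6", 23))     # PAT: R6 'show users' sees 132.1.69.9
    print("NAT-T with nat 0:", ike_needs_nat_t())
    print("NAT-T with static:", ike_needs_nat_t(exempt=[], static=STATIC_NAT))
```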
