Simplified Networking

Site to Site VPN - IOS Routers with Crypto Map behind NAT Overload

This lab shows a VPN endpoint behind a NAT device. IOS15 sits behind R3, which performs NAT overload (PAT) toward the outside. IOS15 initiates the traffic to SW22, so its IKE (UDP/500) and NAT-T (UDP/4500) flows are translated on R3; NAT traversal (NAT-T) wraps ESP in UDP so the tunnel comes up through the overload translation, as the NAT translation table and the "Tunnel UDP-Encaps" flag in the IPsec SA output below confirm.



IOS15
! Phase 1 (ISAKMP/IKEv1) policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
! Wildcard pre-shared key: any peer address is accepted (lab only)
crypto isakmp key cisco123 address 0.0.0.0
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set IKEV1_TSET esp-3des
 mode tunnel
!
! Crypto map: peer is CSR9's outside address, interesting traffic is VPN_TO_SW22
crypto map CMAP 10 ipsec-isakmp
 set peer 109.0.0.9
 set transform-set IKEV1_TSET
 match address VPN_TO_SW22
!
ip access-list extended VPN_TO_SW22
 permit ip 10.1.15.0 0.0.0.255 10.19.22.0 0.0.0.255
!
interface g0/0
 crypto map CMAP




CSR9
! Phase 1 (ISAKMP/IKEv1) policy, matching IOS15
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
! Wildcard pre-shared key: any peer address is accepted (lab only)
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set IKEV1_TSET esp-3des
 mode tunnel
!
! Peer is R3's outside (NAT) address, not IOS15's private address
crypto map CMAP 10 ipsec-isakmp
 set peer 103.0.0.3
 set transform-set IKEV1_TSET
 match address VPN_TO_IOS15
!
! Mirror image of IOS15's crypto ACL
ip access-list extended VPN_TO_IOS15
 permit ip 10.19.22.0 0.0.0.255 10.1.15.0 0.0.0.255
!
interface g3
 crypto map CMAP
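Each crypto map must reference an ACL that actually exists, and the two crypto ACLs must be mirror images, otherwise no traffic is classified as interesting and the tunnel never comes up. The following Python audit is an added example (not code from the original page): it runs against constructed sample configs modelled on this lab, reports undefined ACL references and non-mirrored ACLs, and also flags the legacy IKEv1 settings (3DES, MD5, DH group 5) this lab uses.

```python
import re
# Constructed sample configs modelled on the lab, not copied from it. The local
# side reproduces a common slip: the crypto map names an ACL that is never defined.
LOCAL_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 group 5
crypto map CMAP 10 ipsec-isakmp
 match address VPN_TO_IOS15
ip access-list extended VPN_TO_SW22
 permit ip 10.1.15.0 0.0.0.255 10.19.22.0 0.0.0.255
"""
REMOTE_CFG = """
crypto map CMAP 10 ipsec-isakmp
 match address VPN_TO_IOS15
ip access-list extended VPN_TO_IOS15
 permit ip 10.19.22.0 0.0.0.255 10.1.15.0 0.0.0.255
"""
# IKEv1 policy settings that are deprecated and worth flagging in an audit.
LEGACY = {"encr des", "encr 3des", "hash md5", "group 1", "group 2", "group 5"}

def acl_entries(cfg):
    """Map each extended ACL name to its 'permit ip' lines as (src, smask, dst, dmask)."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur = m.group(1)
            acls[cur] = []
        elif cur and (m := re.match(r"\s+permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            acls[cur].append(m.groups())
        elif line and not line.startswith(" "):
            cur = None  # any other top-level command ends the ACL block
    return acls

def audit(cfg):
    """Findings for one router: undefined ACLs named in crypto maps, legacy algorithms."""
    findings, acls = [], acl_entries(cfg)
    for name in re.findall(r"^\s+match address (\S+)", cfg, re.M):
        if name not in acls:
            findings.append(f"crypto map references undefined ACL {name}")
    for line in cfg.splitlines():
        if line.strip() in LEGACY:
            findings.append(f"legacy IKEv1 setting: {line.strip()}")
    return findings

def acls_mirror(local, remote):
    """True when each local (src, dst) pair appears with src and dst swapped on the peer."""
    swapped = {(d, dm, s, sm) for s, sm, d, dm in remote}
    return {tuple(e) for e in local} == swapped
```

Run audit() on each side's `show running-config | section crypto|access-list` output and acls_mirror() on the two crypto ACLs before troubleshooting Phase 1 or NAT-T.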





IOSv15#ping 10.19.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.22.22, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 39/49/69 ms



IOSv15#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
109.0.0.9       10.1.15.15      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA



IOSv15#show crypto ipsec sa 

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.15.15

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
   current_peer 109.0.0.9 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.15.15, remote crypto endpt.: 109.0.0.9
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x9F2A18D2(2670336210)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA0D0CEB7(2698038967)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4272489/3413)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9F2A18D2(2670336210)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4272489/3413)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:



R3#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 103.0.0.3:1649    10.1.14.14:1649    10.3.11.3:1649     10.3.11.3:1649
udp 103.0.0.3:500      10.1.15.15:500     109.0.0.9:500      109.0.0.9:500
udp 103.0.0.3:4500     10.1.15.15:4500    109.0.0.9:4500     109.0.0.9:4500



CSR9#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
109.0.0.9       103.0.0.3       QM_IDLE           1210 ACTIVE

IPv6 Crypto ISAKMP SA



CSR9#show cryp ipsec sa

interface: GigabitEthernet3
    Crypto map tag: CMAP, local addr 109.0.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
   current_peer 103.0.0.3 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
     current outbound spi: 0xA0D0CEB7(2698038967)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9F2A18D2(2670336210)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2473, flow_id: CSR:473, sibling_flags FFFFFFFF80000048, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607999/2829)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA0D0CEB7(2698038967)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2474, flow_id: CSR:474, sibling_flags FFFFFFFF80000048, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607999/2829)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas: