This lab example takes the NAT overload lab but changes the initiator to SW22. With the initiator now on the outside of R3's NAT, overload alone won't work, and a static NAT entry is needed for this to work.
SW22#ping 10.1.15.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.15.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.0.0.3, prot=50, spi=0x318682ED(830898925), srcaddr=109.0.0.9, input interface=GigabitEthernet0/0
ip nat inside source static 10.1.15.15 103.0.0.3
R3(config)#do sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 103.0.0.3 10.1.15.15 --- ---
SW22#ping 10.1.15.15 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.15.15, timeout is 2 seconds:
..............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
R3(config)#do sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 103.0.0.3:1703 10.1.14.14:1703 10.3.11.3:1703 10.3.11.3:1703
udp 103.0.0.3:500 10.1.15.15:500 102.0.0.2:500 102.0.0.2:500
udp 103.0.0.3:4500 10.1.15.15:4500 109.0.0.9:4500 109.0.0.9:4500
--- 103.0.0.3 10.1.15.15 --- ---
CSR9#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
103.0.0.3 109.0.0.9 QM_IDLE 1212 ACTIVE
IPv6 Crypto ISAKMP SA
CSR9#show crypto ipsec sa
interface: GigabitEthernet3
Crypto map tag: CMAP, local addr 109.0.0.9
protected vrf: (none)
local ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
current_peer 103.0.0.3 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1026, #pkts encrypt: 1026, #pkts digest: 1026
#pkts decaps: 990, #pkts decrypt: 990, #pkts verify: 990
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0x318682ED(830898925)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x52669B18(1382456088)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2475, flow_id: CSR:475, sibling_flags FFFFFFFF80004048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607884/2248)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x318682ED(830898925)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2476, flow_id: CSR:476, sibling_flags FFFFFFFF80004048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607900/2248)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
IOSv15#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.15.15 109.0.0.9 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
IOSv15#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 10.1.15.15
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
current_peer 109.0.0.9 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 986, #pkts encrypt: 986, #pkts digest: 986
#pkts decaps: 986, #pkts decrypt: 986, #pkts verify: 986
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.15.15, remote crypto endpt.: 109.0.0.9
plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x52669B18(1382456088)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x318682ED(830898925)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4345418/2400)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x52669B18(1382456088)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4345418/2400)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
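The two things to check in the outputs above are whether R3 holds a static (`---`) translation for 10.1.15.15 and a UDP 4500 translation toward the peer, and whether the initiator's encaps and decaps counters have drifted apart. The following script, added here and not part of the lab, parses those outputs; the sample inputs are copied from R3's and CSR9's output above, and the function names are my own.

```python
import re

# Constructed sample input: R3's "show ip nat translations" after the static entry was added.
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 103.0.0.3:1703 10.1.14.14:1703 10.3.11.3:1703 10.3.11.3:1703
udp 103.0.0.3:500 10.1.15.15:500 102.0.0.2:500 102.0.0.2:500
udp 103.0.0.3:4500 10.1.15.15:4500 109.0.0.9:4500 109.0.0.9:4500
--- 103.0.0.3 10.1.15.15 --- ---
"""

# Constructed sample input: the counter lines from CSR9's "show crypto ipsec sa".
CSR9_SA = """\
#pkts encaps: 1026, #pkts encrypt: 1026, #pkts digest: 1026
#pkts decaps: 990, #pkts decrypt: 990, #pkts verify: 990
"""

def parse_nat(text):
    """Split the translation table into rows; addresses and ports are separated."""
    rows = []
    for line in text.splitlines()[1:]:               # skip the header line
        pro, ig, il, ol, og = line.split()
        rows.append({"pro": pro, "ig": ig.split(":")[0], "il": il.split(":")[0],
                     "ig_port": ig.partition(":")[2], "og": og.split(":")[0]})
    return rows

def static_mapping(rows, inside_local):
    """IKE initiated from outside only reaches an inside peer through a static entry,
    shown by IOS as a '---' row with no ports; return its inside-global address or None."""
    for r in rows:
        if r["pro"] == "---" and r["il"] == inside_local:
            return r["ig"]
    return None

def natt_translations(rows, inside_local, peer):
    """UDP ports currently translated for this peer; NAT-T traffic rides on 500 and 4500."""
    return sorted(int(r["ig_port"]) for r in rows
                  if r["pro"] == "udp" and r["il"] == inside_local and r["og"] == peer)

def encaps_decaps(sa_text):
    """Return (encaps, decaps); a gap means packets sent one way never came back."""
    enc = int(re.search(r"#pkts encaps: (\d+)", sa_text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", sa_text).group(1))
    return enc, dec

if __name__ == "__main__":
    rows = parse_nat(NAT_TABLE)
    print("static:", static_mapping(rows, "10.1.15.15"))                      # 103.0.0.3
    print("NAT-T ports:", natt_translations(rows, "10.1.15.15", "109.0.0.9"))  # [4500]
    print("CSR9 encaps/decaps:", encaps_decaps(CSR9_SA))                       # (1026, 990)
```

The encaps/decaps gap on CSR9 is the pings that were sent before the static entry existed and were dropped at R3 with the invalid SPI message.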