Simplified Networking

Site to Site VPN - IOS Routers with Crypto Map with Static NAT

This lab example takes the NAT overload lab but changes the initiator to SW22, behind CSR9. NAT overload (PAT) only builds a translation when the inside host, IOSv15 (10.1.15.15), sends the first packet out through R3, so traffic that CSR9 initiates towards 103.0.0.3, whether IKE or ESP on an SA it still holds, has no matching translation and is delivered to R3 itself; the %CRYPTO-4-RECVD_PKT_INV_SPI message from R3 below is exactly that. A static one-to-one NAT entry for 10.1.15.15 is needed so that peer-initiated traffic is forwarded to IOSv15. Because a one-to-one entry exposes every port of 10.1.15.15 on 103.0.0.3, outside a lab an ACL on R3's outside interface should limit inbound traffic to the VPN peer's IKE (UDP/500), NAT-T (UDP/4500) and ESP.


SW22#ping 10.1.15.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.15.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R3
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.0.0.3, prot=50, spi=0x318682ED(830898925), srcaddr=109.0.0.9, input interface=GigabitEthernet0/0


R3(config)#ip nat inside source static 10.1.15.15 103.0.0.3


R3(config)#do sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 103.0.0.3          10.1.15.15         ---                ---


SW22#ping 10.1.15.15 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.15.15, timeout is 2 seconds:
..............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!


R3(config)#do sh ip nat trans 
Pro Inside global      Inside local       Outside local      Outside global
icmp 103.0.0.3:1703    10.1.14.14:1703    10.3.11.3:1703     10.3.11.3:1703
udp 103.0.0.3:500      10.1.15.15:500     102.0.0.2:500      102.0.0.2:500
udp 103.0.0.3:4500     10.1.15.15:4500    109.0.0.9:4500     109.0.0.9:4500
--- 103.0.0.3          10.1.15.15         ---                ---

The "---" row is the static entry; the udp 4500 row is the NAT-T session with CSR9 (109.0.0.9) that the static entry now lets through, and the remaining rows (to 10.3.11.3 and 102.0.0.2) are unrelated translations through R3.



CSR9#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
103.0.0.3       109.0.0.9       QM_IDLE           1212 ACTIVE

IPv6 Crypto ISAKMP SA



CSR9#show crypto ipsec sa 

interface: GigabitEthernet3
    Crypto map tag: CMAP, local addr 109.0.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
   current_peer 103.0.0.3 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1026, #pkts encrypt: 1026, #pkts digest: 1026
    #pkts decaps: 990, #pkts decrypt: 990, #pkts verify: 990
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
     current outbound spi: 0x318682ED(830898925)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x52669B18(1382456088)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2475, flow_id: CSR:475, sibling_flags FFFFFFFF80004048, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607884/2248)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x318682ED(830898925)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2476, flow_id: CSR:476, sibling_flags FFFFFFFF80004048, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4607900/2248)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:



IOSv15#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.15.15      109.0.0.9       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA



IOSv15#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 10.1.15.15

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
   current_peer 109.0.0.9 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 986, #pkts encrypt: 986, #pkts digest: 986
    #pkts decaps: 986, #pkts decrypt: 986, #pkts verify: 986
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.15.15, remote crypto endpt.: 109.0.0.9
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x52669B18(1382456088)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x318682ED(830898925)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4345418/2400)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52669B18(1382456088)
        transform: esp-3des ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4345418/2400)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Both peers negotiated esp-3des with no PFS ("PFS (Y/N): N") and anti-replay off ("replay detection support: N"). That is enough to verify the NAT behaviour in this lab, but it is not a configuration to carry into production, where an AES-GCM or AES with SHA-2 transform set, PFS and the default anti-replay window should be used.
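The checks a practitioner would run over the three kinds of output above (the invalid-SPI syslog from R3, the NAT table and the two show crypto ipsec sa listings), as an added Python example that is not part of the original lab: it parses each output, verifies that the SPI each router sends on is the SPI the other accepts, reports an invalid-SPI message on the NAT device whose SPI is one the outside peer really uses (the packet reached 103.0.0.3 but was never translated to IOSv15), confirms the static and UDP/4500 translations are present, and flags the transform, PFS and anti-replay settings. The sample strings are constructed from the lab output above, trimmed to the lines that are parsed; the regular expressions match the IOS formats shown on this page, and the list of weak transform substrings is the example's own choice.

```python
import re

# Constructed sample input: copied from the lab output above and trimmed to the lines this script parses.
IOSV15_SA = """\
    Crypto map tag: CMAP, local addr 10.1.15.15
     current_peer 109.0.0.9 port 4500
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x318682ED(830898925)
        transform: esp-3des ,
        replay detection support: N
     outbound esp sas:
      spi: 0x52669B18(1382456088)
        transform: esp-3des ,
        replay detection support: N
"""
CSR9_SA = """\
    Crypto map tag: CMAP, local addr 109.0.0.9
     current_peer 103.0.0.3 port 4500
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x52669B18(1382456088)
        transform: esp-3des ,
        replay detection support: N
     outbound esp sas:
      spi: 0x318682ED(830898925)
        transform: esp-3des ,
        replay detection support: N
"""
R3_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 103.0.0.3:4500     10.1.15.15:4500    109.0.0.9:4500     109.0.0.9:4500
--- 103.0.0.3          10.1.15.15         ---                ---
"""
R3_LOGS = ["%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.0.0.3, "
           "prot=50, spi=0x318682ED(830898925), srcaddr=109.0.0.9, input interface=GigabitEthernet0/0"]
IP = r"(\d+\.\d+\.\d+\.\d+)"
INV_SPI = re.compile(r"RECVD_PKT_INV_SPI:.*destaddr=" + IP + r", prot=(\d+), spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=" + IP)

def parse_ipsec_sa(text):
    """Local/peer addresses, PFS flag and the per-direction SAs from 'show crypto ipsec sa'."""
    sa = {"local": None, "peer": None, "peer_port": None, "pfs": None, "inbound": [], "outbound": []}
    direction = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Crypto map tag: \S+, local addr " + IP, line):
            sa["local"] = m.group(1)
        elif m := re.match(r"current_peer " + IP + r" port (\d+)", line):
            sa["peer"], sa["peer_port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            sa["pfs"] = m.group(1) == "Y"
        elif line.endswith(" sas:"):  # 'inbound esp sas:', 'outbound ah sas:', ... start a new section
            direction = line.split()[0]
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            sa[direction].append({"spi": int(m.group(1), 16), "transform": "", "replay": None})
        elif direction and (m := re.match(r"transform: (\S+)", line)):
            sa[direction][-1]["transform"] = m.group(1)
        elif direction and (m := re.match(r"replay detection support: ([YN])", line)):
            sa[direction][-1]["replay"] = m.group(1) == "Y"
    return sa

def parse_nat_translations(text):
    """Rows of 'show ip nat translations' as dicts; '---' in the Pro column marks a static entry."""
    cols = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")
    return [dict(zip(cols, p)) for p in (raw.split() for raw in text.splitlines())
            if len(p) == 5 and p[0] in ("---", "tcp", "udp", "icmp")]

def audit(inside, outside, nat_rows, logs):
    """Findings for an inside peer (behind NAT) and its outside peer; empty means consistent and nothing weak."""
    findings = []
    # 1. The SPIs one side sends on must be exactly the SPIs the other side accepts.
    for tx, rx in ((inside, outside), (outside, inside)):
        sent, accepted = {s["spi"] for s in tx["outbound"]}, {s["spi"] for s in rx["inbound"]}
        if sent != accepted:
            findings.append(f"SPI mismatch {tx['local']}->{rx['local']}: sends {sorted(map(hex, sent))}, peer accepts {sorted(map(hex, accepted))}")
    # 2. 'invalid spi' on the NAT device for a SPI the outside peer really uses: the packet stopped at the NAT address.
    for m in filter(None, map(INV_SPI.search, logs)):
        dst, prot, spi, src = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
        if src == outside["local"] and spi in {s["spi"] for s in outside["outbound"]}:
            findings.append(f"{dst} dropped proto {prot} SPI {spi:#x} from {src}: needs static NAT {inside['local']} -> {dst} for peer-initiated traffic")
    # 3. The static entry and, with NAT-T (peer port 4500), the UDP/4500 translation must both be present.
    if not any(r["proto"] == "---" and r["inside_local"] == inside["local"]
               and r["inside_global"] == outside["peer"] for r in nat_rows):
        findings.append(f"no static translation {inside['local']} -> {outside['peer']} in the NAT table")
    if outside["peer_port"] == 4500 and not any(r["proto"] == "udp" and r["inside_local"] == f"{inside['local']}:4500"
                                                and r["outside_global"] == f"{outside['local']}:4500" for r in nat_rows):
        findings.append("peer negotiated NAT-T (UDP/4500) but the NAT table has no UDP/4500 translation for the inside peer")
    # 4. Weak settings that the SA output itself exposes ("des" also matches esp-3des).
    for name, sa in (("inside", inside), ("outside", outside)):
        for s in sa["inbound"] + sa["outbound"]:
            if any(w in s["transform"] for w in ("des", "null")):
                findings.append(f"{name} SPI {s['spi']:#x}: weak transform {s['transform']}")
            if s["replay"] is False:
                findings.append(f"{name} SPI {s['spi']:#x}: replay detection disabled")
        if sa["pfs"] is False:
            findings.append(f"{name} SA negotiated without PFS")
    return findings
```

Calling audit(parse_ipsec_sa(IOSV15_SA), parse_ipsec_sa(CSR9_SA), parse_nat_translations(R3_NAT), R3_LOGS) on the lab output returns the one NAT finding for the logged SPI plus the esp-3des, PFS and anti-replay findings for every SA; the SPI sets agree, so nothing is reported under the first check. Feeding the same listing for both peers produces an SPI mismatch, and an empty NAT table produces both the missing static entry and the missing NAT-T translation, which is the state R3 was in before the static entry was added.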