Perhaps there is some confusion. NAT Traversal is required if there is any NAT in between the endpoints of the IPsec connection. It has nothing to do with NAT of devices behind a router that has IPsec configured. Or maybe I'm mis-interpreting. If so, correct me!

Fred Reimer - CCNA

Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: bk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 7:26 PM
To: [EMAIL PROTECTED]
Subject: Re: IPSEC with STATIC NAT [7:74971]

I just ran into this. I have a 2610 that is terminating a tunnel between itself and a PIX... but I also have three email servers behind this router that need to be statically NAT'd. Here is the config that this guy from Cisco (wicked smart) helped me figure out:

hostname Phoenix_Colo
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *** address 12.x.x.132
!
crypto ipsec transform-set ch2stl esp-3des esp-md5-hmac
!
crypto map nolan 10 ipsec-isakmp
 set peer 12.x.x.132
 set transform-set ch2stl
 match address vpn_tunnel
! Loopback0 carries no "ip nat" statement
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/0
 ip address 209.x.x.6 255.255.255.252
 ip nat outside
 half-duplex
 crypto map nolan
!
interface Ethernet1/0
 ip address 172.16.254.254 255.255.255.0
 ip nat inside
 ip policy route-map static_servers_bypass_NAT
!
ip nat inside source static 172.16.254.34 209.145.140.180
ip nat inside source static 172.16.254.35 209.145.140.181
ip nat inside source static 172.16.254.38 209.145.140.182
!
ip access-list extended vpn_tunnel
 permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! Tunnel-bound traffic (ACL 120) is policy-routed via Loopback0,
! so the static NAT entries above are not applied to it
route-map static_servers_bypass_NAT permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
Phoenix_Colo#

Reimer, Fred wrote:
> You do need NAT traversal if you "only" change the IP addresses.
>
> Fred Reimer - CCNA
>
> -----Original Message-----
> From: Raj [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 08, 2003 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: IPSEC with STATIC NAT [7:74971]
>
> Hey There
>
> I am working on a solution for IPsec using a VPN concentrator and VPN hardware
> clients (PIX). The PIX outside has a public address and the only NAT taking
> place is at the edge router, and the VPN concentrator sits behind this
> router. The router does a static public-to-private IP NAT and I don't think I
> would need NAT traversal since it's not changing any ports... only changing
> IPs.
>
> Please let me know if there is anything I would need to do on the edge
> router doing the static NAT. I've heard that for static NAT to work with
> IPsec, you need to adhere to certain standards.
>
> Thx to everybody in advance.

**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75182&t=74971
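
The NAT detection step of IKE NAT traversal (the NAT-D payloads of RFC 3947), shown as an added example that is not part of the original thread: each peer hashes the address and port it believes the packet carries, so a static NAT that rewrites only an IP address still produces a mismatch. The cookies and addresses are constructed sample values, the function names are hypothetical, and MD5 is assumed as the negotiated hash because the posted ISAKMP policy sets "hash md5".

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """NAT-D payload body per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, local, remote, hash_name="md5"):
    """Sender side: first payload covers the remote (destination) end, second the local end."""
    return [nat_d_hash(cky_i, cky_r, *remote, hash_name),
            nat_d_hash(cky_i, cky_r, *local, hash_name)]


def detect_nat(payloads, cky_i, cky_r, seen_src, seen_dst, hash_name="md5"):
    """Receiver side: compare the peer's hashes with the addresses actually on the packet."""
    dst_hash = nat_d_hash(cky_i, cky_r, *seen_dst, hash_name)
    src_hash = nat_d_hash(cky_i, cky_r, *seen_src, hash_name)
    return {
        "local_behind_nat": payloads[0] != dst_hash,        # our own address was rewritten
        "remote_behind_nat": src_hash not in payloads[1:],  # sender's address was rewritten
    }


# Constructed sample values (RFC 5737 documentation addresses, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
CLIENT = ("198.51.100.20", 500)      # hardware client with a public address
VPN_PUBLIC = ("203.0.113.10", 500)   # address the edge router translates
VPN_PRIVATE = ("10.0.0.10", 500)     # concentrator's real address; port unchanged


def demo():
    sent = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=VPN_PUBLIC)
    direct = detect_nat(sent, CKY_I, CKY_R, seen_src=CLIENT, seen_dst=VPN_PUBLIC)
    via_static_nat = detect_nat(sent, CKY_I, CKY_R, seen_src=CLIENT, seen_dst=VPN_PRIVATE)
    return direct, via_static_nat


if __name__ == "__main__":
    for label, result in zip(("no NAT", "static NAT, address only"), demo()):
        print(label, result)
```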