Hi Group,

I have a question regarding IPSec and NAT configuration.  I am trying to
configure IPSec between a 3640 and a 1605.  The diagram of the network is
shown below:


 192.168.64.1/24                                          192.168.128.1/24
      |                                                          |
   ---fa0/0--[ 3640 ]--S0/0======================S0--[ 1605 ]--E0---
                   150.26.154.249/30      IPSec      150.26.154.250/30
                                         channel

IPSec needs to be configured between the 3640: S0/0 interface and 1605:
S0 interface.
Both 3640:S0/0 and 1605:S0 are using global IP addresses.  Both 3640:fa0/0
and 1605:E0 are using private IP addresses.  NAT is configured on both the
3640 and the 1605 to translate between the private and global IP addresses.

According to Cisco CCO, "If you use network address translation (NAT),
you should configure static NAT translations so that IPSec will work
properly.  In general, NAT translation should occur before the router
performs IPSec encapsulation; in other words, IPSec should be working with
global addresses".

My questions are:

(1) What does it mean by "NAT translation should occur before the router
performs IPSec encapsulation; in other words, IPSec should be working with
global addresses"?  Does that mean I need one more router at both ends to
do the NAT?

(2) Can I do IPSec with the diagram shown above?  If I can, how should I
configure the access-list?  Should I be using the global or the private IP
addresses in the access-list, i.e. which of the following two is correct?

A.  access-list 120 permit ip 192.168.64.0 0.0.0.255 192.168.128.0 0.0.0.255
B.  access-list 120 permit ip 150.26.154.249 0.0.0.0 150.26.154.250 0.0.0.0


I know quite a few people out there are CCNP-Security certified.  Please
help me out.  Thank you very much for your help in advance.

George Zhang, CCNP

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
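Editor's added example (not part of George's post and not a reply from the list): an IOS configuration for the topology in the post that makes the "NAT before IPSec" point concrete. On IOS the inside-to-outside path applies NAT first and then checks the outbound interface's crypto map, so the crypto access-list must match the addresses as they look after NAT. The usual way to keep the LAN-to-LAN traffic on private addresses is to exempt it from NAT with a deny line at the top of the NAT access-list; the crypto ACL then uses the private networks, i.e. option A. Option B only matches traffic between the two serial endpoints themselves. ISAKMP (UDP 500) and ESP are sourced from the router's own serial address, which is already global, so no extra NAT router is needed. Everything beyond the addresses and interface names in the post is assumed: access-list 110, the names VPNMAP and TS, the pre-shared key VPNKEY, the ISAKMP policy parameters, and that both routers run an IOS feature set with IPSec.

```cisco
! ---------- 3640 ----------
! Assumed names/values: VPNKEY, VPNMAP, TS, access-list 110, ISAKMP policy 10
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key VPNKEY address 150.26.154.250
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL (option A from the post): matched AFTER NAT, so it must describe
! the traffic as it leaves S0/0. The NAT exemption below keeps LAN-to-LAN
! packets on their private addresses, which is why private networks are used here.
access-list 120 permit ip 192.168.64.0 0.0.0.255 192.168.128.0 0.0.0.255
!
! NAT ACL: exempt the VPN traffic first, translate everything else.
! Without the deny line the source would be rewritten to 150.26.154.249
! before the crypto map sees it, and access-list 120 would never match.
access-list 110 deny   ip 192.168.64.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 110 permit ip 192.168.64.0 0.0.0.255 any
ip nat inside source list 110 interface Serial0/0 overload
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 150.26.154.250
 set transform-set TS
 match address 120
!
interface FastEthernet0/0
 ip address 192.168.64.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 150.26.154.249 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
! ---------- 1605 (mirror image) ----------
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key VPNKEY address 150.26.154.249
crypto ipsec transform-set TS esp-3des esp-sha-hmac
access-list 120 permit ip 192.168.128.0 0.0.0.255 192.168.64.0 0.0.0.255
access-list 110 deny   ip 192.168.128.0 0.0.0.255 192.168.64.0 0.0.0.255
access-list 110 permit ip 192.168.128.0 0.0.0.255 any
ip nat inside source list 110 interface Serial0 overload
crypto map VPNMAP 10 ipsec-isakmp
 set peer 150.26.154.249
 set transform-set TS
 match address 120
interface Ethernet0
 ip address 192.168.128.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 150.26.154.250 255.255.255.252
 ip nat outside
 crypto map VPNMAP
```

To check it, ping from a host on 192.168.64.0/24 to one on 192.168.128.0/24 and then run "show crypto isakmp sa" (expect QM_IDLE), "show crypto ipsec sa" (encaps/decaps counters climbing) and "show ip nat translations": the LAN-to-LAN flows should be absent from the NAT table, while Internet-bound flows should still show up translated to the serial address. If the counters stay at zero, the most common cause is the missing deny line in access-list 110, which is exactly the ordering problem the Cisco note is warning about.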