Lesson 2 - Configuring Site-to-Site VPN + NAT Adjust

Discussion in 'Other Cisco Equipment' started by DocLarge, Jun 17, 2007.


    ! ===============================================================
    ! Lesson 2 -- Configuring a Site-to-Site VPN to a Remote Site
    ! ===============================================================
    ! (remember, the remote site will set up the same information, but in reverse,
    ! for this to work....
    ! Assume local network =, remote network =
    ! Task 1: Configure Phase I Stuff
    ! enable ISAKMP on your system
    crypto isakmp enable
    ! create an ISAKMP (Phase I) policy:
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    group 2
    hash sha
    lifetime 28800
    ! define how the VPN identifies itself (FQDN or IP address)
    crypto isakmp identity address
    ! define the preshared key back to the other VPN gateway (Breezy! in this case)
    crypto isakmp key <secretkey> address A.B.C.D
    ! ----------------------------------
    ! Task 2: Configure Phase II Stuff
    ! ----------------------------------
    ! allow router to negotiate NAT-T
    crypto ipsec nat-transparency udp-encapsulation
    ! setup encryption cipher strength and hash
    crypto ipsec transform-set toBREEZY esp-aes esp-sha-hmac
    ! Configures global IPSec SA lifetime values used when negotiating IPSec security associations
    crypto ipsec security-association lifetime seconds 86400
    ! create an ACL which will define the traffic that will be protected by the VPN
    ! which in our case is source = to destination = (GuardTower to Breezy!)
    access-list 110 permit ip
    ! Define a crypto map which will define the security association to the other VPN gateway
    crypto map VPN-MAP 110 ipsec-isakmp
    match address 110
    set peer A.B.C.D
    set pfs group2
    set transform-set toBREEZY
    set security-association lifetime seconds 86400
    ! apply the crypto map to the outgoing interface
    ! and activate the IPSec policy...
    interface FastEthernet4
    crypto map VPN-MAP
    ! ==========================================
    ! Task 3: Adjust NAT Configuration (3 steps)
    ! ==========================================
    ! This configuration is for inside interface = BVI1, outside = FastEthernet4
    ! It assumes that there already is a basic PAT config on the router
    ! Step 1
    ! ---------------------
    ! Now we'll change your NAT config to use a route-map to define which traffic will and will not
    ! be NAT'd. deny=don't NAT; permit=do NAT
    ! We'll create an access list that defines this rule:
    access-list 199 deny ip
    access-list 199 permit ip any
    ! Step 2
    ! ---------------------
    ! Create a route map which, when applied to the NAT config, will prevent the source=your net / dest'n=my net
    ! traffic from being NAT'd. The access-list 199 defines this pattern:
    route-map nonat permit 10
    match ip address 199
    ! Step 3
    ! -----------------------
    ! Finally, apply the route map "nonat" to the PAT config so the site-to-site traffic *will not* be NAT'd
    ! but all other traffic will
    ! 1st, get rid of the old ip nat overload command....
    no ip nat inside source list 10 interface FastEthernet4 overload
    ! now, in with the new.....
    ip nat inside source route-map nonat interface FastEthernet4 overload
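As an added example (not part of DocLarge's post), a small Python check for the mismatch that Task 3 guards against: every source/destination pair the crypto ACL (Task 2) protects must also be denied in the route-map ACL, otherwise PAT rewrites the source address before the crypto map is evaluated and the traffic never matches the VPN. The sample config and the 192.168.1.0/24 and 192.168.2.0/24 networks are constructed, since the lesson leaves the network fields blank.

```python
import re
from ipaddress import IPv4Network
# Constructed sample; the lesson leaves both networks blank, so 192.168.1.0/24
# (local) and 192.168.2.0/24 (remote) are assumed here.
GOOD_CONFIG = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map VPN-MAP 110 ipsec-isakmp
 match address 110
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 199
ip nat inside source route-map nonat interface FastEthernet4 overload
"""
# Same config with the Step 1 'deny' line forgotten: VPN traffic would still be PAT'd.
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n", "")

def _endpoint(tok):
    # One ACL endpoint: 'any', or 'A.B.C.D WILDCARD' (IOS wildcard = inverted netmask)
    if tok[0] == "any":
        return tok[1:], IPv4Network("0.0.0.0/0")
    mask = ".".join(str(255 - int(o)) for o in tok[1].split("."))
    return tok[2:], IPv4Network(f"{tok[0]}/{mask}", strict=False)

def parse_acls(config):
    """Map ACL number -> [(action, src_net, dst_net)] for 'access-list N permit|deny ip' lines."""
    acls = {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[3:4] == ["ip"]:
            rest, src = _endpoint(tok[4:])
            acls.setdefault(tok[1], []).append((tok[2], src, _endpoint(rest)[1]))
    return acls

def nat_exempt_acl_number(config):
    """ACL matched inside the route-map named by 'ip nat inside source route-map' (Task 3)."""
    m = re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M)
    in_map = False
    for tok in (line.split() for line in config.splitlines()) if m else []:
        if tok[:1] == ["route-map"]:          # entering (or leaving) a route-map block
            in_map = tok[1:2] == [m.group(1)]
        elif in_map and tok[:3] == ["match", "ip", "address"]:
            return tok[3]
    return None

def unexempted_pairs(config):
    """Crypto-ACL src -> dst pairs the NAT-exempt ACL does not 'deny', i.e. PAT'd before encryption."""
    acls = parse_acls(config)
    crypto = re.search(r"^\s*match address (\d+)", config, re.M)   # the crypto map's ACL (Task 2)
    protected = [(s, d) for a, s, d in acls.get(crypto.group(1) if crypto else None, []) if a == "permit"]
    exempt = {(s, d) for a, s, d in acls.get(nat_exempt_acl_number(config), []) if a == "deny"}
    return [f"{s} -> {d}" for s, d in protected if (s, d) not in exempt]
```

Run `unexempted_pairs(BAD_CONFIG)` to see the pair that would be NAT'd away; an empty list means the crypto ACL and the nonat ACL agree.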
