Configuring Router-to-Router Dynamic-to-Static IPSec with NAT

Introduction

In this sample configuration, a remote router receives an IP address through Dynamic Host Configuration Protocol (DHCP) and connects to a hub router. This configuration enables the hub router to accept dynamic IPSec connections. The remote router uses network address translation (NAT) to "join" the privately addressed devices behind it to the privately addressed network behind the hub router. The remote router can initiate connections to the hub router (it knows the endpoint), but the hub router cannot initiate connections to the remote router (it does not know the endpoint).

In this sample configuration, Dr_whoovie is the remote router and Sam-i-am is the hub router. Even though we know Dr_whoovie's IP address, we configure Sam-i-am to dynamically accept connections from any router that knows the wildcard pre-shared key, instead of specifying Dr_whoovie's key on Sam-i-am. Dr_whoovie knows what traffic is to be encrypted (because it is specified by the access list) and where the Sam-i-am endpoint is located. Dr_whoovie must initiate the connection. Both sides are doing NAT overload.

Hardware and Software Versions

To implement this configuration, you need the following:

• Cisco IOS® Software Release 12.0.7.T
• Cisco 2500 routers

Network Diagram

Configurations

Sam-i-am Configuration

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sam-i-am
!
enable secret 5 $1$7WP3$aEqtNjvRJ9Vy6i41x0RJf0
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server
!
!--- IKE policies
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!--- IPSec policies
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 !--- Include the private-network-to-private-network
 !--- traffic in the encryption process.
 match address 115
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
 ip address 10.2.2.3 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Serial0
 ip address 99.99.99.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 crypto map rtptrans
!
!--- Exempt the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.2
no ip http server
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process.
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
!--- Exempt the private network from the NAT process.
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 120
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

Dr_whoovie Configuration

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$yP65$2FtxvqXPtuZy7hQBwaBoZ/
enable password ww
!
ip subnet-zero
!
cns event-service server
!
!--- IKE policies
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 99.99.99.1
!
!--- IPSec policies
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set rtpset
 !--- Include the private-network-to-private-network
 !--- traffic in the encryption process.
 match address 115
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Serial0
 !--- Because this example was set up in a lab, we assigned
 !--- an IP address. If the router was getting a DHCP
 !--- address, commands such as ip address negotiated and
 !--- ip address dhcp would be used instead of this static
 !--- assignment.
 ip address 99.99.99.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 clockrate 4000000
 crypto map rtp
!--- Exempt the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 115 deny ip 10.1.1.0 0.0.0.255 any
!--- Exempt the private network from the NAT process.
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 120
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

debug and show Commands

Before attempting any debug commands, please see Important Information on Debug Commands.

• debug crypto ipsec - Shows the IPSec negotiations of phase 2.
• debug crypto isakmp - Shows the ISAKMP negotiations of phase 1.
• debug crypto engine - Shows the traffic that is encrypted.
• debug ip nat det - (Optional) Verifies the operation of the NAT feature by displaying information about every packet that is translated by the router.
  Caution: This command generates a large amount of output; it should be used only when traffic on the IP network is low.
• clear crypto isakmp - Clears the security associations related to phase 1.
• clear crypto sa - Clears the security associations related to phase 2.
• clear ip nat translation - Clears dynamic Network Address Translation (NAT) translations from the translation table.
• show crypto ipsec sa - Shows the phase 2 security associations.
• show crypto isakmp sa - Shows the phase 1 security associations.
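The interplay between the NAT route-map (access-list 120) and the crypto map (access-list 115) in the two configurations above is easy to get wrong, so here is an added example that is not part of the Cisco document: a small Python model that parses the ACL lines from both routers, classifies a sample packet the way the router's inside-to-outside order of operations does (NAT runs before the crypto map is consulted), and checks that the two crypto ACLs are mirror images of each other. The function names, the sample packets (192.0.2.50 is a constructed Internet address) and the simulated misconfiguration are this example's own assumptions; the ACL lines are the ones on the page.

```python
"""Added example, not from the Cisco document: a small model of how the NAT
route-map (access-list 120) and the crypto map (access-list 115) on sam-i-am
and dr_whoovie classify an outbound packet. It parses the wildcard-mask ACL
lines from the page and shows why the NAT exemption must mirror the crypto ACL."""
import ipaddress

# ACL lines copied from the two configurations on the page.
SAM_I_AM_ACLS = """
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
"""
DR_WHOOVIE_ACLS = """
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 115 deny ip 10.1.1.0 0.0.0.255 any
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
"""


def _take_addr(toks):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') and return
    (ip_network, remaining tokens). Assumes contiguous wildcard masks such as
    0.0.0.255, which is all this page uses."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    wildcard = int(ipaddress.ip_address(toks[1]))
    prefix = 32 - wildcard.bit_length()  # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]


def parse_acls(config_text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into
    {N: [(action, src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in config_text.strip().splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[3] != "ip":
            continue
        number, action = toks[1], toks[2]
        src, rest = _take_addr(toks[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_action(aces, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def classify(acls, src, dst, outside_ip):
    """Return (natted, encrypted) for a packet going from the inside interface
    out of Serial0. Models the IOS order of operations for inside-to-outside
    traffic: NAT is applied before the crypto map is consulted, so a packet
    that gets translated is checked against the crypto ACL with its new source."""
    natted = acl_action(acls["120"], src, dst) == "permit"  # route-map nonat
    post_nat_src = outside_ip if natted else src
    encrypted = acl_action(acls["115"], post_nat_src, dst) == "permit"
    return natted, encrypted


def mirror_images(crypto_acl_a, crypto_acl_b):
    """The crypto ACLs on the two peers must be mirror images: every permitted
    (src, dst) pair on one side must appear as (dst, src) on the other."""
    permits_a = {(s, d) for act, s, d in crypto_acl_a if act == "permit"}
    permits_b = {(d, s) for act, s, d in crypto_acl_b if act == "permit"}
    return permits_a == permits_b


def without_nat_exemption(acls):
    """Simulated misconfiguration: the 'deny' line is missing from ACL 120."""
    return {"115": acls["115"],
            "120": [ace for ace in acls["120"] if ace[0] != "deny"]}


if __name__ == "__main__":
    sam = parse_acls(SAM_I_AM_ACLS)
    dr = parse_acls(DR_WHOOVIE_ACLS)
    # Constructed sample packets: one to the far private LAN, one to the Internet.
    print("private->private:", classify(sam, "10.2.2.10", "10.1.1.20", "99.99.99.1"))
    print("private->Internet:", classify(sam, "10.2.2.10", "192.0.2.50", "99.99.99.1"))
    print("exemption missing:", classify(without_nat_exemption(sam),
                                          "10.2.2.10", "10.1.1.20", "99.99.99.1"))
    print("crypto ACLs mirror:", mirror_images(sam["115"], dr["115"]))
```

The third case is the one worth remembering: if the deny line is dropped from access-list 120, the private source is translated to the Serial0 address before the crypto map sees the packet, the crypto ACL no longer matches, and the private-to-private traffic leaves the router unencrypted without any error being logged. On a live router, show crypto ipsec sa (no encrypt/decrypt counters incrementing) and debug ip nat det (translations appearing for the private destination) are the commands from the list above that expose this.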