Cisco color

silverhairb

IS-IT--Management
Dec 18, 2008
329
US
I had some paint custom-matched to the color of the Cisco cases. So a few scratches won't matter. They just get painted over and the routers look like new.

This is very much certification forum information since I heard that there are at least three questions on the test that relate to the color of Cisco equipment. ;)

[the other] Bill
 
Mixing IPSEC and NAT cannot happen, but SEPARATING them and getting things to work is the trick---exclude the IPSEC traffic (VPN pool of addresses reserved for the VPN when a user connects...like a DHCP pool---user connects, gets assigned an address from the VPN pool) from being NATted...say the VPN pool is 2 addresses, 192.168.1.1 and 1.2, the LAN is in the same subnet (how I recommend doing it in a router)...

access-list 101 deny ip any 192.168.1.0 0.0.0.3
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 101 int di0 over

di0 being the WAN interface.

Some people like to use a route-map, as the acl may be used for different things like NBAR, CAR, etc. along with NAT.

You may ask, "why not just make the vpn pool a different subnet?" Well, I tried one time, did not work, so I did it this way, worked now for over a year in two different routers. Oh yeah---the vpn pool...

ip local pool VPN 192.168.1.1 192.168.1.2

Burt
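
An added example, not part of the original posts: a small Python model of how ACL 101 from the post above selects traffic for NAT, using Cisco wildcard-mask matching, first-match order and the implicit deny. The sample flows are constructed; note that wildcard 0.0.0.3 exempts 192.168.1.0 through 192.168.1.3, which is wider than the two-address pool.

```python
import ipaddress

# ACL 101 as posted above: (action, src, src_wildcard, dst, dst_wildcard).
# "any" is written out as 0.0.0.0 255.255.255.255.
ACL_101 = [
    ("deny", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.3"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def is_natted(src, dst):
    """'ip nat inside source list 101 ...' translates only packets the ACL permits."""
    return acl_action(ACL_101, src, dst) == "permit"

# Constructed sample flows (only the pool and LAN ranges come from the post).
SAMPLES = [
    ("192.168.1.50", "203.0.113.10"),  # LAN host to an outside address
    ("192.168.1.50", "192.168.1.1"),   # destination is a VPN pool address
    ("192.168.1.50", "192.168.1.3"),   # not in the pool, still inside 0.0.0.3
    ("192.168.1.50", "192.168.1.4"),   # first address past the deny range
    ("10.0.0.5", "203.0.113.10"),      # source outside the LAN: implicit deny
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        verdict = "NAT" if is_natted(src, dst) else "no NAT"
        print(f"{src:>15} -> {dst:<15} {verdict}")
```
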
 
That's how IPSEC BYPASSES NAT, not use it...I think...I'll read that...

Burt
 