First we'll discuss a basic IPsec tunnel between two ISRs:
RTR-A
Define IKE Phase 1 Policy (ISAKMP)
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha
group 2
Define pre-shared key
crypto isakmp key pr3sh4r3dk3y address 22.2.1.1 no-xauth
Define IKE Phase 2 Policy (IPSEC)
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
access-list 150 permit ip host 192.168.1.1 host 192.168.2.1
Create Crypto Map
crypto map vpn-a-to-b 10 ipsec-isakmp
set peer 22.2.1.1
set transform-set aes-sha
match address 150
Apply Crypto Map to Interface
interface Gi0/0
crypto map vpn-a-to-b
Create a route
ip route 192.168.2.1 255.255.255.255 Gi0/0
RTR-B
Define IKE Phase 1 Policy (ISAKMP)
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha
group 2
Define pre-shared key
crypto isakmp key pr3sh4r3dk3y address 22.1.1.1 no-xauth
Define IKE Phase 2 Policy (IPSEC)
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
access-list 150 permit ip host 192.168.2.1 host 192.168.1.1
Create Crypto Map
crypto map vpn-b-to-a 10 ipsec-isakmp
set peer 22.1.1.1
set transform-set aes-sha
match address 150
Apply Crypto Map to Interface
interface Gi0/0
crypto map vpn-b-to-a
Create a route
ip route 192.168.1.1 255.255.255.255 Gi0/0
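Before moving on, an added sanity check (my own script, not part of the original notes) that reads the crypto-relevant lines of both routers and flags the mismatches that most often keep a crypto-map tunnel from coming up: a set peer that is not the address the pre-shared key is bound to, a match address pointing at an ACL that does not exist, and crypto ACLs that are not mirror images of each other. It assumes the line formats used above and embeds the RTR-A / RTR-B lines as constructed sample input.

```python
import re

# Constructed sample input: the crypto-relevant lines of RTR-A and RTR-B from the notes.
RTR_A = """
crypto isakmp key pr3sh4r3dk3y address 22.2.1.1 no-xauth
access-list 150 permit ip host 192.168.1.1 host 192.168.2.1
crypto map vpn-a-to-b 10 ipsec-isakmp
 set peer 22.2.1.1
 match address 150
"""
RTR_B = """
crypto isakmp key pr3sh4r3dk3y address 22.1.1.1 no-xauth
access-list 150 permit ip host 192.168.2.1 host 192.168.1.1
crypto map vpn-b-to-a 10 ipsec-isakmp
 set peer 22.1.1.1
 match address 150
"""

def parse(cfg):
    """Pull out the fields that must agree between two crypto-map peers."""
    info = {"acls": {}, "key_addr": None, "peer": None, "match": None}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            info["key_addr"] = m.group(1)
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)", line):
            info["acls"].setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := re.match(r"set peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            info["match"] = m.group(1)
    return info

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would keep this tunnel from negotiating."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, side in (("RTR-A", a), ("RTR-B", b)):
        # The peer we negotiate with must be the address the pre-shared key is bound to
        if side["peer"] != side["key_addr"]:
            problems.append(f"{name}: set peer {side['peer']} but key is for {side['key_addr']}")
        if side["match"] not in side["acls"]:
            problems.append(f"{name}: match address {side['match']} refers to a missing ACL")
    # Each side's interesting-traffic ACL must be the mirror image of the other's
    a_flows = a["acls"].get(a["match"], set())
    b_mirror = {(dst, src) for src, dst in b["acls"].get(b["match"], set())}
    if a_flows != b_mirror:
        problems.append(f"crypto ACLs not mirrored: {sorted(a_flows)} vs {sorted(b_mirror)}")
    return problems
```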
Now the more likely scenario: two hosts need to talk to the same company and the IPs overlap.
We'll use the same instructions, but make some adjustments to RTR-B.
Create ACL to match interesting traffic (using the NATted address this time, since NAT is applied before the crypto map on the way out)
access-list 150 permit ip host 192.168.11.1 host 192.168.2.1
Create route-map
route-map B-to-C permit 10
match ip address B-to-C-ACL
Create ACL to match traffic in the scenario
ip access-list extended B-to-C-ACL
permit ip host 192.168.1.1 host 192.168.2.1
Create NAT statement and apply to interfaces
ip nat inside source static 192.168.1.1 192.168.11.1 route-map B-to-C extendable
int Gi0/1
description inside
ip nat inside
int Gi0/0
description outside
ip nat outside
This can be done a little more simply on an ASA using static policy NAT:
access-list policy-nat extended permit ip host 192.168.1.1 host 192.168.2.1
static (inside,outside) 192.168.11.1 access-list policy-nat