Configuring Router-to-Router Dynamic-to-Static IPSec with NAT
Introduction
In this sample configuration, a remote router receives an IP address through Dynamic Host Configuration Protocol
(DHCP) and connects to a hub router. This configuration enables the hub router to accept dynamic IPSec
connections. The remote router uses network address translation (NAT) to "join" the privately addressed devices
behind it to the privately addressed network behind the hub router. The remote router can initiate connections to the
hub router (it knows the endpoint), but the hub router cannot initiate connections to the remote router (it does not
know the endpoint).
In this sample configuration, Dr_whoovie is the remote router and Sam-i-am is the hub router. Even though we
know Dr_whoovie's IP address, we configure Sam-i-am to accept connections dynamically from any router that
knows the wildcard pre-shared key, instead of configuring a key specific to Dr_whoovie on Sam-i-am. Dr_whoovie knows
which traffic is to be encrypted (because it is specified by the access list) and where the Sam-i-am endpoint is
located. Dr_whoovie must initiate the connection. Both sides are doing NAT overload.
Hardware and Software Versions
To implement this configuration, you need the following:
• Cisco IOS® Software Release 12.0.7.T
• Cisco 2500 routers
Network Diagram
Configurations
Sam-i-am Configuration
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sam-i-am
interface Serial0
ip address 99.99.99.1 255.255.255.0
no ip directed-broadcast
ip nat outside
crypto map rtptrans
!
!--- Exempt the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.2
no ip http server
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process.
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
!--- Exempt the private network from the NAT process.
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
match ip address 120
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
set transform-set rtpset
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
match address 115
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no mop enabled
!
interface Serial0
!--- Because this example was set up in a lab, a static
!--- IP address was assigned. If the router were obtaining
!--- its address through DHCP, a command such as ip address
!--- negotiated or ip address dhcp would be used instead of
!--- this static assignment.
ip address 99.99.99.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip mroute-cache
clockrate 4000000
crypto map rtp
!--- Exempt the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
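As an added illustration (not part of the Cisco document), the following Python models how Dr_whoovie's NAT route-map (access-list 120) and crypto ACL (access-list 115) interact for an outbound packet: on IOS, inside-to-outside NAT is applied before the crypto map is checked, so a packet that gets translated no longer matches the crypto ACL and leaves in the clear. The ACL contents and the Serial0 address are taken from the page; the sample packets are constructed.

```python
"""Added example, not from the Cisco document: models the interaction of the
NAT route-map ACL (120) and the crypto ACL (115) configured on Dr_whoovie.
Assumption (standard IOS order of operations): inside-to-outside NAT is
applied before the crypto map is evaluated on the outbound interface."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit position."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; IOS has an implicit deny at the end."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False


# access-list 115 (crypto ACL) and access-list 120 (NAT route-map), as on the page.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_115 = [("permit", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
           ("deny",   "10.2.2.0", "0.0.0.255", *ANY)]
ACL_120 = [("deny",   "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
           ("permit", "10.2.2.0", "0.0.0.255", *ANY)]
SERIAL0 = "99.99.99.2"  # Dr_whoovie's outside address used for NAT overload


def outbound_disposition(src: str, dst: str, nat_exempt: bool = True):
    """Return (source address on the wire, 'ipsec' or 'clear') for a packet
    leaving Dr_whoovie's Serial0. nat_exempt=False drops the deny entry of
    ACL 120, i.e. simulates forgetting the NAT exemption."""
    nat_acl = ACL_120 if nat_exempt else ACL_120[1:]
    if acl_permits(nat_acl, src, dst):
        src = SERIAL0  # NAT overload rewrites the source before crypto runs
    protected = acl_permits(ACL_115, src, dst)  # crypto map sees post-NAT packet
    return src, "ipsec" if protected else "clear"


if __name__ == "__main__":
    # Constructed sample packets; 192.0.2.10 is a documentation address.
    print(outbound_disposition("10.2.2.5", "10.1.1.9"))
    print(outbound_disposition("10.2.2.5", "192.0.2.10"))
    print(outbound_disposition("10.2.2.5", "10.1.1.9", nat_exempt=False))
```

The third call shows the failure mode the two mirror-image access lists are there to prevent: without the NAT exemption, private-to-private traffic is translated to the Serial0 address and is sent unencrypted.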
!--- Include the private-network-to-private-network
translation table.
• show crypto ipsec sa - Shows the phase 2 security associations.
• show crypto isakmp sa - Shows the phase 1 security associations.