11-05-2007 10:51 AM - edited 02-21-2020 03:21 PM
Hello all!!
I'm setting up a LAN-to-LAN IPsec tunnel between a Cisco 1841 router and a VPN Concentrator 3000.
Here's the running config for the router; basically, I'd like to make sure I've put everything in place to make this work. So can you please take a quick look and, if you find something kinda weird, let me know!!
*****************************************
NOTE:
1. Internal addressing behind the VPN concentrator: 172.4.4.0/24
2. Internal addressing behind the Cisco 1841 router: 172.16.20.0/24
*****************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UACA-VPN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
!
!
! IKE Policies
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp aggressive-mode disable
!
!
! IPSec policies
crypto ipsec transform-set ENLACE-UACA-BNCR esp-3des esp-sha-hmac
!
crypto map ENLACE-UACA-BNCR 10 ipsec-isakmp
set peer 200.91.79.6
set peer 200.122.146.38
set transform-set ENLACE-UACA-BNCR
crypto ipsec key xxxxxxxxxxxx address 200.91.79.6
! Traffic to encrypt according to ACL 101
match address 101
interface FastEthernet0/0
description WAN Interface VPN tunnel
ip address 201.196.33.30 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ENLACE-UACA-BNCR
!
interface FastEthernet0/1
description LAN Interface
ip address 172.16.20.22 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!VPN pool
!
ip nat pool VPN-Pool 201.196.33.30 201.196.33.30 netmask 255.255.255.248
ip nat inside source route-map NO-NAT pool VPN-Pool overload
ip route 0.0.0.0 0.0.0.0 201.196.33.25
!Traffic to be encrypted
!
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
access-list 101 permit tcp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000
access-list 101 permit udp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000
!Traffic excluded from NAT process
!
access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
!
route-map NO-NAT permit 10
match ip address 102
!
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
****************END**********************
Thanks a lot in advance for your help
Glenn
11-06-2007 08:14 AM
Couple of quick comments:
1. There are two set peer IP addresses under the crypto map. If you don't really need two IP addresses, then it should be only one.
2. crypto ipsec key xxxxxxxxxxxx address 200.91.79.6 should be crypto isakmp key xxxxxxxxxxxx address 200.91.79.6
3. Just curious: you have "permit ip" in the first access-list entry and then TCP/UDP in the second and third entries. If you permit IP, then there is no need to specifically have TCP and UDP. Also, make sure that the interesting traffic on the remote side is a mirror image of the one configured on the router.
4. In your ACL 102 for route-map NO-NAT, I see that you have a deny statement but not a permit statement for the other non-VPN traffic that has to be NATted in order to reach IP addresses on the Internet.
access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
access-list 102 permit ip 172.16.20.0 0.0.0.255 any
Regards,
Arul
11-06-2007 05:46 PM
Thanks a lot for your comments, really appreciate...
For comment #1 I need to configure a fallback peer, but thanks for the heads-up!
For comments #2 and #4 you're right, I kinda slipped on that one.
For #3 I needed to include the TCP and UDP port numbers which will be listening for requests (though I was informed of that today..).
NOW, i have a new issue going on which I don't know the cause of. Can you please take a look at my new post ?
Thank you
11-06-2007 05:53 PM
In fact.. let me first ask you....
I'm not able to ping my directly connected interface or any other IP address on my local subnet 200.196.33.24/29 when applying the crypto map statement to the interface.
Is this the right behavior? Will this affect the tunnel setup between peers?
Thanks
Here's the example:
***********************************************************************
UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#crypto map ENLACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:43:10.991: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
UACA-VPN(config-if)#exit
UACA-VPN(config)#exit
*Nov 6 23:43:17.903: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 201.196.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#ping 201.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.25, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#no crypto map ENALACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:44:18.427: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
UACA-VPN(config-if)#end
UACA-VPN#
*Nov 6 23:44:29.891: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 201.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#ping 201.196.33.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.30 , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#
***********************************************************************
11-07-2007 09:05 AM
Glad one of the issues is resolved, and thanks for rating.
As far as not being able to ping when the crypto map is applied, can you check the IPsec access-lists and make sure that you have not included the outside IP subnet in the interesting traffic?
Typically, you encrypt LAN-to-LAN traffic, and this should not include your WAN IP addresses. So, even when the crypto map is applied, since the WAN IP addresses are not part of the interesting traffic, they will be routed in clear text and you will be able to ping the next hop and IP addresses on the same subnet.
Can you post the current configuration from the router which will be very helpful in troubleshooting the issue.
Regards,
Arul
11-07-2007 09:29 AM
Here it is along with a brief description of the scenario here...
172.4.4.0/24-->VPN3000----ISP----1841<--192.168.2.0/24
The VPN3000 will be the one triggering the VPN tunnel setup.
Remote host 172.4.4.5 will be querying a local database at 192.168.2.14:1000
According to my "remote peer" specifications I have to NAT the local address 192.168.2.14
to the global address 172.17.0.65 in order for the VPN 3000 to accept returning packets.
As far as I know that's how they've implemented their ACLs in the VPN 3000.
That's the reason for the static NAT entry in the running-config and that's also the reason for
ACL 101.
Please let me know if this scenario is clear enough or if you need additional input from my side. Again, thanks a bunch.
***********************************************************************************************
UACA-VPN#show running-config
Building configuration...
Current configuration : 2550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UACA-VPN
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$n8of$osX1TuEuCWxuhMXwNp3WQ0
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
!
!
!
!IKE Phase 1 parameters
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 ***** address 200.122.146.39
!
!IPSec phase 2 parameters
!
crypto ipsec transform-set ENLACE-UACA-BNCR esp-3des esp-sha-hmac
!
crypto map ENLACE-UACA-BNCR 10 ipsec-isakmp
set peer 200.122.146.39
set peer 200.91.79.6
set transform-set ENLACE-UACA-BNCR
!traffic to encrypt according to ACL 101
!
match address 101
!
!
interface FastEthernet0/0
description WAN interface. Local peer for VPN tunnel setup
ip address 201.196.33.30 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ENLACE-UACA-BNCR
!
interface FastEthernet0/1
description LAN interface
ip address 192.168.2.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip route 0.0.0.0 0.0.0.0 201.196.33.25
!
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.168.2.14 172.17.0.65
!
!
!
access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7
access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password 7 08146D6D285413071C
login
!
scheduler allocate 20000 1000
end
***********************************************************************************************
11-07-2007 09:43 AM
Thanks for the configuration.
So you are NATting and then encrypting the NATted traffic, which is absolutely fine. The reason your ping is not working after you apply the crypto map is the ACL entries below:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
The above ACL entries are part of the crypto interesting traffic. So, once you apply the crypto map, the router is supposed to encrypt all ICMP Echo and Echo-Reply, including traffic that is sourced from your 201.x.x.x IP address. If you remove those two entries from ACL 101 and apply only the entries below, then ICMP should work with the crypto map applied.
access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7
access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000
After you make the changes, make sure that the crypto ACLs are mirror images on the VPN3000 and the router, or otherwise you will have problems bringing up the tunnel.
Let me know how the test goes without the ICMP entries in ACL 101.
Regards,
Arul
11-07-2007 09:56 AM
Sweet!!!
It worked and it made TOTAL SENSE!!! I should have seen that.. now I know it!! Thanks a lot Arul...
I'm about to start testing, so there might be a chance for a new post... Any help will be greatly appreciated!!
Be safe
>Glenn
11-08-2007 08:22 AM
Hi Arul....
We haven't been able to start testing due to some unexpected problems that went on yesterday... and taking advantage of that I'd like to ask you something that just popped into my head...
The whole deal about including the
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
statements in my crypto access-list was to make ICMP echo messages part of the "interesting traffic", 'cause I thought that in order to bring up the tunnel (when testing) for the first time my remote peer needs to ping me (you know, to cause the flow of interesting traffic). Am I making sense here? I hope...
anyhow...
If I do not include those entries in my access-list, will my remote peer be able to ping me and bring up the tunnel? If so, how? 'Cause I don't see it ;)
Thanks for taking the time to respond to my questions....
Glenn
11-12-2007 09:07 AM
Glenn,
If you are still using the access-list below for the interesting traffic, then you don't need to specifically permit ICMP in the ACL, since IP includes TCP, UDP, ICMP, etc.
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
In case you have configured a specific access-list permitting only TCP and UDP, then you need to include ICMP as well to make ping work and bring up the tunnel for testing purposes, etc.
Regards,
Arul
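The points Arul makes across this thread (a "permit ip" entry already covers TCP, UDP and ICMP; a deny-only ACL 102 behind route-map NO-NAT translates nothing; the "icmp any any" entries pull the router's own ping to its next hop into the crypto map; NAT is applied before the crypto-map check; and the two crypto ACLs must be mirror images) can all be checked against a small model. The Python below is an added example written for this page, not code from the thread or from Cisco; it reimplements only as much of IOS ACL evaluation as those points need (contiguous wildcard masks, first match wins, implicit deny at the end). The ACL text and the static NAT are copied from the configs posted above; the packets, the ports 40000/50000 and the address 198.51.100.1 are constructed. One assumption is made explicit: ACL 101 in the 11-07 running config lists 172.4.4.0/24 as the source, which is the concentrator's view of the flow, so the model treats that text as the concentrator's network list and derives the router's list as its mirror image, since IOS evaluates a crypto ACL against outbound packets with source and destination as written and the router's list therefore needs the local translated range 172.17.0.64/29 as the source.

```python
# Constructed model (not IOS code) of the crypto-ACL behaviour discussed in this thread: IOS wildcard
# masks, first-match evaluation with the implicit deny, NAT before the crypto-map check, mirror images.
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; icmp_type is "echo" or "echo-reply" for icmp packets.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))
# One access-list entry. proto "ip" matches everything; sport/dport/icmp_type None = unconstrained.
Ace = namedtuple("Ace", "action proto src dst sport dport icmp_type")

def _address(tokens):
    """Consume one IOS address spec: any | host A | A WILDCARD (contiguous wildcards only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard is the bitwise inverse of a netmask: 0 bits must match, 1 bits are ignored.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _port(tokens):
    return (int(tokens[1]), tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P | ICMP-TYPE]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _address(t[4:])
        sport, rest = _port(rest)
        dst, rest = _address(rest)
        dport, rest = _port(rest)
        icmp_type = rest[0] if rest and t[3] == "icmp" else None
        aces.append(Ace(t[2], t[3], src, dst, sport, dport, icmp_type))
    return aces

def _matches(a, pkt):
    return (a.proto in ("ip", pkt.proto) and a.sport in (None, pkt.sport) and a.dport in (None, pkt.dport)
            and a.icmp_type in (None, pkt.icmp_type)
            and ipaddress.ip_address(pkt.src) in a.src and ipaddress.ip_address(pkt.dst) in a.dst)

def classify(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    return next((a.action for a in acl if _matches(a, pkt)), "deny")

def outbound(pkt, static_nat, crypto_acl):
    """Inside-to-outside on IOS: NAT rewrites the source first, then the crypto map classifies."""
    pkt = pkt._replace(src=static_nat.get(pkt.src, pkt.src))
    return pkt, ("encrypt" if classify(crypto_acl, pkt) == "permit" else "clear")

def mirror(acl):
    """The far end's view of the same policy: source and destination (with their ports) swapped."""
    return [Ace(a.action, a.proto, a.dst, a.src, a.dport, a.sport, a.icmp_type) for a in acl]

def is_mirror_image(local, remote):
    return set(mirror(local)) == set(remote)

# ACL 101 as posted in the 11-07 running config. It names 172.4.4.0/24 (the concentrator's side)
# as the source, so it is treated here as the concentrator's network list, not the router's.
CONCENTRATOR_ACL = parse_acl("""
access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7
access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
""")
CONCENTRATOR_ACL_FIXED = CONCENTRATOR_ACL[:3]   # Arul's fix: drop the two "icmp any any" entries
ROUTER_ACL = mirror(CONCENTRATOR_ACL_FIXED)     # the 1841 side: translated local range as source
STATIC_NAT = {"192.168.2.14": "172.17.0.65"}    # ip nat inside source static, from the config
# ACL 102 from the first config (deny only) and with the permit Arul asked for.
ACL_102_POSTED = parse_acl("access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255")
ACL_102_FIXED = ACL_102_POSTED + parse_acl("access-list 102 permit ip 172.16.20.0 0.0.0.255 any")

# Constructed packets; the ports 40000/50000 and the address 198.51.100.1 are made up.
WAN_PING = Packet("icmp", "201.196.33.30", "201.196.33.25", icmp_type="echo")  # router -> next hop
DB_REPLY = Packet("tcp", "192.168.2.14", "172.4.4.5", 1000, 40000)              # DB answering 172.4.4.5
LAN_PING = Packet("icmp", "172.17.0.65", "172.4.4.5", icmp_type="echo")         # LAN-to-LAN test ping
INTERNET = Packet("tcp", "172.16.20.5", "198.51.100.1", 50000, 443)             # ordinary web traffic

def run_checks():
    return {
        # "icmp any any" drags the router's own ping to its next hop into the crypto map.
        "wan_ping_with_icmp_any": classify(CONCENTRATOR_ACL, WAN_PING),
        "wan_ping_without": classify(CONCENTRATOR_ACL_FIXED, WAN_PING),
        # NAT runs first, so the router's crypto ACL must name 172.17.0.64/29 as the source;
        # the list as posted (172.4.4.0/24 as source) never matches the translated reply.
        "reply_without_nat": outbound(DB_REPLY, {}, ROUTER_ACL)[1],
        "reply_router_acl": outbound(DB_REPLY, STATIC_NAT, ROUTER_ACL)[1],
        "reply_posted_acl": outbound(DB_REPLY, STATIC_NAT, CONCENTRATOR_ACL_FIXED)[1],
        # "permit ip" already covers ICMP, and the two sides must be mirror images.
        "lan_ping": classify(ROUTER_ACL, LAN_PING),
        "acls_mirror": is_mirror_image(ROUTER_ACL, CONCENTRATOR_ACL_FIXED),
        # route-map NO-NAT translates only what ACL 102 permits; a deny-only list NATs nothing.
        "internet_nat_posted": classify(ACL_102_POSTED, INTERNET),
        "internet_nat_fixed": classify(ACL_102_FIXED, INTERNET),
    }

if __name__ == "__main__":
    print(run_checks())
```

run_checks() returns "permit" for the WAN ping under the five-entry list (the crypto map claims a packet that has no peer behind it) and "deny" under the three-entry list (clear-text forwarding, which is why the ping works again), "encrypt" for the database reply only once NAT has translated it and only against the mirrored router list, "permit" for a LAN-to-LAN ping with no ICMP entry at all, and "deny" for Internet-bound traffic against the deny-only ACL 102, meaning the route-map translates nothing until the permit is added.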