05-23-2008 07:45 AM - edited 02-21-2020 03:44 PM
I'm trying to make a configuration with fake public addresses for a VPN IPSec (site to site), and this is my config. Can you please tell me if something is wrong with it? Thank you.
And I have a question: what should I do more than configuring the two CISCO 2600 routers in each site? Should I make something else?
I would be grateful if you answered my questions.
Please find attached my architecture.
BELL(config)# crypto isakmp policy 1
BELL(config-isakmp)# encryption 3des
BELL(config-isakmp)# hash md5
BELL(config-isakmp)# authentication pre-share
BELL(config-isakmp)# group 2
BELL(config-isakmp)#lifetime 480
BELL(config-isakmp)#exit
BELL(config)#crypto isakmp identity address
BELL(config)# crypto isakmp key BELLcon address 196.203.53.111
BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des
BELL(cfg-crypto-trans)#mode tunnel
BELL(cfg-crypto-trans)# exit
BELL(config)# access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any
BELL(config)# crypto map map_BELL 10 ipsec-isakmp
BELL(cfg-crypto-map)#set peer 196.203.53.111
BELL(cfg-crypto-map)#set transform-set ts1
BELL(cfg-crypto-map)#match address 110
BELL(config)# interface tunnel 0
BELL(config-if)# ip address 192.168.18.1 255.255.255.0
BELL(config-if)# tunnel source 193.205.53.11
BELL(config-if)# tunnel destination 196.203.53.111
BELL(config-if)# crypto map map_BELL
BELL(config-if)# exit
BELL(config)# interface Dialer0
BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
BELL(config)# ip route 192.168.18.0 255.255.255.0 Ethernet0
BELL(config-if)# exit
Configuration of internet access via ADSL
Step 1: Configuration of the Ethernet0 interface
BELL#configure terminal
BELL(config)#interface ethernet0
BELL(config-if)#ip address 192.168.18.1 255.255.255.0
BELL(config-if)#ip nat inside
BELL(config-if)#ip virtual-reassembly
BELL(config-if)#ip tcp adjust-mss 1412
BELL(config-if)#hold-queue 100 out
BELL(config-if)#exit
Step 2: Configuration of the Dialer0 interface
BELL#configure terminal
BELL(config)#interface dialer0
BELL(config-if)#ip address negotiated
BELL(config-if)#ip mtu 1442
BELL(config-if)#ip nat outside
BELL(config-if)#encapsulation ppp
BELL(config-if)#ip tcp adjust-mss 1452
BELL(config-if)#dialer pool 1
BELL(config-if)#dialer-group 1
BELL(config-if)#ppp authentication chap callin
BELL(config-if)#ppp chap hostname login_ISF
BELL(config-if)#ppp chap password 0 password_ISF
BELL(config-if)#ppp ipcp dns request
BELL(config-if)#exit
05-23-2008 12:20 PM
Tima
There are several issues to correct and several things that I would suggest that you change:
- address 192.168.18.1 appears as the address for interface tunnel1 and also on interface ethernet0. You can not have two interfaces with the same address like this. Change the address on one of the interfaces.
- you have the crypto map on the tunnel interface and on no other interface. Depending on the version of code, some versions (older code) require that the crypto map be on both the tunnel interface and the outbound interface and some (more recent) require it only on the outbound interface (not the tunnel). Since we do not know what version of code you are running we can not advise which way it should be. But having it only on the tunnel is a problem.
- you have access list 110 as the access list to identify traffic to be protected by IPSec and it specifies IP for entire subnets:
access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
Since you want to encrypt the GRE traffic between routers it would be better if the access list permitted GRE host
- you specify the tunnel source address as tunnel source 193.205.53.11 but I am not clear what that is. Logically I would think it was the dialer interface address. But that is configured as address negotiated. Is this the negotiated address?
- I do not see any need for this static route:
ip route 192.168.18.0 255.255.255.0 Ethernet0
since it identifies the connected interface subnet and that will be routed without any need for static. I do not think that it hurts anything, but neither does it help anything.
HTH
Rick
05-23-2008 11:05 PM
Thank you Rick for your answer.
I didn't notice the first issue; thank you for mentioning it.
The IOS versions in our Ciscos are 12.3. In fact I lack documentation and I'm a newbie in practising; all that I did before was pure theory, unfortunately I never combined practice and theory.
I didn't get the 3rd point you noticed.
You mean I put it like that:
access-list 110 permit ip 192.168.18.1 0.0.0.254 192.168.1.1 0.0.0.254 ???
- the tunnel source address 193.205.53.11 is the public address of my router, the one the internet service provider (ISP) gives us.
And I changed my ethernet address to 192.168.18.2, and the 192.168.18.1 is for the tunnel.
Thank you again for your answer.
05-24-2008 01:43 PM
Hi Rick
I tried to follow your recommendations and this is what I get now. Is it what you meant?
Or is there still something wrong?
I explain more what I want to do:
We have 2 Cisco 2600 routers. Every router is composed of an Ethernet interface, an ADSL interface and a CONSOLE interface for configuration.
• On the first site:
- ETHERNET interface connected to the LAN (IP address 192.168.18.1, mask 255.255.255.0)
- ADSL interface used to connect to the internet (Bell ADSL IP address: 193.111.12.1)
• On the distant site (Call):
- ETHERNET interface connected to the LAN (IP address 192.168.1.2, mask 255.255.255.0)
- ADSL interface used to connect to the internet (Call Center ADSL IP address: 196.203.53.111)
This is the configuration of the first site router; step 1 and step 2 refer to the ADSL configuration.
BELL(config)# crypto isakmp policy 1
BELL(config-isakmp)# encryption 3des
BELL(config-isakmp)# hash md5
BELL(config-isakmp)# authentication pre-share
BELL(config-isakmp)# group 2
BELL(config-isakmp)#lifetime 480
BELL(config-isakmp)#exit
BELL(config)#crypto isakmp identity address
BELL(config)# crypto isakmp key Bellconsulting address 196.203.53.111
BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des
BELL(cfg-crypto-trans)#mode tunnel
BELL(cfg-crypto-trans)# exit
BELL(config)# access-list 110 permit ip host 193.111.12.1 host 196.203.53.111
BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any
BELL(config)# crypto map map_BELL 10 ipsec-isakmp
BELL(cfg-crypto-map)#set peer 196.203.53.111
BELL(cfg-crypto-map)#set transform-set ts1
BELL(cfg-crypto-map)#match address 110
BELL(config)# interface tunnel 0
BELL(config-if)# ip address 192.168.18.1 255.255.255.0
BELL(config-if)# tunnel source 193.111.12.1
BELL(config-if)# tunnel destination 196.203.53.111
BELL(config-if)# exit
BELL(config)# interface ethernet0
BELL(config-if)# crypto map map_BELL
BELL(config-if)# exit
BELL(config)# interface Dialer0
BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
BELL(config)# ip route 192.168.18.0 255.255.255.0 Ethernet0
BELL(config-if)# exit
Step 1: Configuration of the Ethernet0 interface
BELL#configure terminal
BELL(config)#interface ethernet0
BELL(config-if)#ip address 192.168.18.2 255.255.255.0
BELL(config-if)#ip nat inside
BELL(config-if)#ip virtual-reassembly
BELL(config-if)#ip tcp adjust-mss 1412
BELL(config-if)#hold-queue 100 out
BELL(config-if)#exit
Step 2: Configuration of the Dialer0 interface
BELL#configure terminal
BELL(config)#interface dialer0
BELL(config-if)#ip address negotiated
BELL(config-if)#ip mtu 1442
BELL(config-if)#ip nat outside
BELL(config-if)#encapsulation ppp
BELL(config-if)#ip tcp adjust-mss 1452
BELL(config-if)#dialer pool 1
BELL(config-if)#dialer-group 1
BELL(config-if)#ppp authentication chap callin
BELL(config-if)#ppp chap hostname login_FAI
BELL(config-if)#ppp chap password 0 password_FAI
BELL(config-if)#ppp ipcp dns request
BELL(config-if)#exit
05-24-2008 06:03 PM
Tima
It is somewhat better but still problematic. Here are my comments:
- you changed the tunnel and Ethernet interface addresses to
interface tunnel 0
ip address 192.168.18.1 255.255.255.0
interface ethernet0
ip address 192.168.18.2 255.255.255.0
and this still puts the Tunnel and the Ethernet into the same subnet and this is a problem.
- you moved the crypto map from the tunnel (which was a problem) to the ethernet0 interface. Is this the outbound interface? It does not look like the outside interface and so putting the crypto map here is still a problem.
- you changed the access list to:
access-list 110 permit ip host 193.111.12.1 host 196.203.53.111
but what I suggested would be:
access-list 110 permit gre host 193.111.12.1 host 196.203.53.111
- you have the tunnel source address as 193.111.12.1 but I can not tell from this configuration what address that is and whether it is correct as the tunnel source or not.
- you still have the static route
ip route 192.168.18.0 255.255.255.0 Ethernet0
but a static route for a connected interface subnet is redundant and useless.
HTH
Rick
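A small checker, added here as an example (it is not from the thread, Tima or Cisco), that runs Rick's objections over the configuration lines posted on 05-24-2008: two interfaces in one subnet, the crypto map on an interface other than the Internet-facing one, a crypto ACL matching ip rather than gre while a GRE tunnel is configured, and a static route for a directly connected subnet. The stripped-prompt sample text and the choice of dialer0 as the outside interface are assumptions.

```python
import ipaddress
import re
# Constructed sample: the relevant lines of the 05-24-2008 config, "BELL(config)#" prompts stripped.
SAMPLE = """
interface tunnel 0
 ip address 192.168.18.1 255.255.255.0
interface ethernet0
 ip address 192.168.18.2 255.255.255.0
 crypto map map_BELL
interface Dialer0
access-list 110 permit ip host 193.111.12.1 host 196.203.53.111
ip route 192.168.18.0 255.255.255.0 Ethernet0
"""

def parse(text):
    """Per-interface address and crypto map, crypto-ACL protocols, static-route prefixes."""
    ifaces, acls, routes, cur = {}, [], [], None
    for s in (line.strip() for line in text.splitlines()):
        if m := re.match(r"interface\s+([a-z]+)\s*(\d+)$", s, re.I):
            cur = (m[1] + m[2]).lower()  # "tunnel 0" and "Dialer0" -> "tunnel0", "dialer0"
            ifaces[cur] = {"ip": None, "cmap": None}
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", s)):
            ifaces[cur]["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r"crypto map (\S+)$", s, re.I)):
            ifaces[cur]["cmap"] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\S+) ", s):
            acls.append((m[1], m[2].lower()))
        elif m := re.match(r"ip route (\S+) (\S+) ", s):
            routes.append(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"))
    return ifaces, acls, routes

def lint(text, outside="dialer0", crypto_acl="110"):
    """Return Rick's findings as strings; 'outside' is the Internet-facing interface (assumed dialer0)."""
    ifaces, acls, routes = parse(text)
    addressed = [(n, d["ip"]) for n, d in ifaces.items() if d["ip"]]
    findings = []
    for i, (n1, a1) in enumerate(addressed):  # two interfaces in one subnet
        for n2, a2 in addressed[i + 1:]:
            if a1.network.overlaps(a2.network):
                findings.append(f"{n1} and {n2} both sit in {a1.network}")
    for n, d in ifaces.items():  # crypto map belongs on the outside interface only
        if d["cmap"] and n != outside:
            findings.append(f"crypto map {d['cmap']} is on {n}, not on {outside}")
    if any(n.startswith("tunnel") for n in ifaces):  # GRE tunnel present: crypto ACL must match gre
        for acl, proto in acls:
            if acl == crypto_acl and proto != "gre":
                findings.append(f"access-list {acl} matches '{proto}', not 'gre'")
    for net in routes:  # a static route for a connected subnet is redundant
        findings += [f"static route to {net} is redundant: connected on {n}" for n, a in addressed if a.network == net]
    return findings
```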
05-25-2008 01:36 AM
Hi Rick
Thank you again, but my problem is that I want IPSEC only, not GRE over IPSEC, so I think I don't have to use the access list that way.
05-27-2008 03:40 AM
Tima
In your original post a GRE tunnel was part of your configuration. And GRE tunnels have been part of the other posts from you in this thread. If you now do not want GRE tunnels then remove the GRE tunnel.
HTH
Rick
05-27-2008 07:08 AM
Hi Rick
In fact they want me to do it IPSEC only. I don't know now what to add or remove; I'm confused.
Best regards Tima
05-28-2008 12:33 AM
Hi Rick
This is what I got for my VPN IPSEC site-to-site configuration; the LAN addresses do not change, nor do the public addresses.
Take a look please and tell me what you think.
! set the priority of the IKE policy
BELL(config)# crypto isakmp policy 1
! this command specifies that the hash algorithm will be MD5.
BELL(config-isakmp)# hash md5
! this command indicates that the packet encryption algorithm we will use is Triple DES.
BELL(config-isakmp)# encryption 3des
! this command indicates that the initial authentication key will be pre-shared and that we have no certification authority (CA).
BELL(config-isakmp)# authentication pre-share
! Diffie-Hellman group 2.
BELL(config-isakmp)# group 2
! Specifies the lifetime in seconds of the IKE security association (SA).
BELL(config-isakmp)#lifetime 480
BELL(config-isakmp)#exit
! This command indicates that the remote host will be identified by its address, that the shared key is "Bellconsulting" and that it will be used with the remote peer 196.x.x.111.
BELL(config)# crypto isakmp key Bellconsulting address 196.203.53.111
! end of configuration
BELL(config)#end
! Define a combination of security associations (SA) used in the IPSEC negotiations
BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des
! Define the tunnel type
BELL(cfg-crypto-trans)#mode tunnel
BELL(cfg-crypto-trans)# exit
! this access-list gives users of the remote LAN the right to reach the head-office LAN.
BELL(config)#access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
! These two access-list entries are used to disable NAT between the two LANs and allow it elsewhere (towards the Internet). Access-list 101 is applied with NAT as follows:
BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255
BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any
BELL(config)# ip nat inside source list 101 interface Dialer0 overload
! the crypto map's name is map_BELL
BELL(config)# crypto map map_BELL 10 ipsec-isakmp
! specifies the IP address of the remote router.
BELL(cfg-crypto-map)#set peer 196.203.53.111
! apply transform-set ts1 to this crypto map.
BELL(cfg-crypto-map)#set transform-set ts1
! access-list 110 will be applied to the VPN tunnel.
BELL(cfg-crypto-map)#match address 110
BELL(cfg-crypto-map)# exit
BELL(config)# interface ethernet0
BELL(config-if)# exit
BELL(config)# interface Dialer0
BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
BELL(config)# ip route 192.168.1.0 255.255.255.0 Ethernet0
BELL(config-if)# crypto map map_BELL
BELL(config-if)# exit
Best regards
Tima