C876 IPSEC VPN with third party router (Draytek Vigor)

Unanswered Question
Feb 17th, 2009

Hi all!

I have a successful IPsec LAN-to-LAN VPN between a Cisco (local) and a Draytek (remote) router. I can pass data between the two LANs without problems, but... here my problem starts. I would like to access certain Internet IPs from the remote side through the local Internet connection, but that does not work; it seems that the Cisco doesn't process the packets from the remote side to the Internet.

Does somebody have a scenario like this, or a similar one, and can help me?

Thank you in advance.

Ivan Martinon Tue, 02/17/2009 - 10:11

Do you know whether those public addresses are physically assigned to the devices you want to reach? Typically those IP addresses are only assigned via a one-to-one NAT (from the Cisco perspective), so if you send them via the tunnel and the remote end does not really have those IPs on its side, it will fail to connect. How are you defining your crypto maps? Have you included those public addresses in the match address?

david.knet Wed, 02/18/2009 - 09:35

Well, now I am sure that my problem is with NAT.

Finally I configured a test Cisco router in the lab and established an IPsec tunnel with the other Cisco.

These are my configs:

!!!!!!!! ROUTER A
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 1.2.3.4
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 4 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set cm-transformset-1
 match address 162
!
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 103 interface Dialer1 overload

!!!!!!!! ROUTER B
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 5.6.7.8
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set cm-transformset-1
 match address 110
!
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 103 interface Dialer1 overload

Then, when I ping from a host on router B (10.0.1.2) to the IP 66.102.9.99, the packet flows via the IPsec tunnel and goes out to the Internet through router A, but NAT doesn't work. I can see the packet on the WAN side with the private IP of the original host instead of the overloaded Dialer1 address.

I think this occurs because my Dialer1 is an outside interface, and traffic from router B arrives via this one and goes out to the Internet again through Dialer1 without passing through a NAT inside interface.

Does somebody know how I can resolve this?

Thanks in advance.
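To make the behaviour in the post above concrete, here is an added example (written for this thread, not IOS code and not the poster's own) that models how the two posted configs classify a packet. It implements three IOS rules: Cisco wildcard-mask ACL matching (first match wins, implicit deny at the end), the "ip nat inside source list" translation that only applies to packets entering on an "ip nat inside" interface and leaving on an "ip nat outside" interface, and a crypto map that encrypts only what its "match address" ACL permits, evaluated after NAT on the inside-to-outside path. Interface names, ACL entries and the addresses 1.2.3.4, 5.6.7.8 and 66.102.9.99 are taken from the configs; Router B's LAN is taken as 10.0.1.0/24 (as its crypto ACL and the 10.0.1.2 ping imply), and the hosts 10.0.0.5, 10.0.1.7 and the Internet address 8.8.8.8 are made up for the traces.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST'; each side is
    'A.B.C.D WILDCARD', 'host A.B.C.D' or 'any'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    fields, i = [], 4
    for _ in range(2):  # source side, then destination side
        if toks[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            i += 1
        elif toks[i] == "host":
            fields += [toks[i + 1], "0.0.0.0"]
            i += 2
        else:
            fields += [toks[i], toks[i + 1]]
            i += 2
    return Ace(toks[2], *fields)


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action == "permit"
    return False


@dataclass
class Router:
    name: str
    wan: str          # Dialer1 address, taken from the peer's "crypto isakmp key" line
    lans: dict        # interface -> connected IPv4Network
    nat_inside: set   # interfaces carrying "ip nat inside"
    nat_outside: set  # interfaces carrying "ip nat outside"
    nat_acl: list     # the list in "ip nat inside source list <acl> interface Dialer1 overload"
    crypto_acl: list  # the list in "match address <acl>" (crypto map applied to Dialer1)

    def forward(self, in_if: str, src: str, dst: str) -> dict:
        """Classify one cleartext packet entering on in_if. Inside-to-outside
        order in IOS is route, then NAT, then crypto map, so the crypto ACL
        sees the post-NAT source address."""
        out_if = next((ifc for ifc, net in self.lans.items()
                       if IPv4Address(dst) in net), "Dialer1")  # default route
        natted = (in_if in self.nat_inside and out_if in self.nat_outside
                  and acl_permits(self.nat_acl, src, dst))
        src_on_wire = self.wan if natted else src
        encrypted = out_if == "Dialer1" and acl_permits(self.crypto_acl, src_on_wire, dst)
        return {"router": self.name, "out_if": out_if, "natted": natted,
                "encrypted": encrypted, "src_on_wire": src_on_wire}


ROUTER_A = Router(
    "A", "5.6.7.8", {"Vlan1": IPv4Network("10.0.0.0/24")}, {"Vlan1"}, {"Dialer1"},
    [parse_ace("access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255"),
     parse_ace("access-list 103 permit ip 10.0.0.0 0.0.255.255 any")],
    [parse_ace("access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255"),
     parse_ace("access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255")])

ROUTER_B = Router(  # LAN 10.0.1.0/24 assumed from ACL 110 and the ping source
    "B", "1.2.3.4", {"Vlan1": IPv4Network("10.0.1.0/24")}, {"Vlan1"}, {"Dialer1"},
    [parse_ace("access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255"),
     parse_ace("access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99"),
     parse_ace("access-list 103 permit ip 10.0.0.0 0.0.255.255 any")],
    [parse_ace("access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255"),
     parse_ace("access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99")])


def trace_hairpin() -> list:
    """Follow the posted ping 10.0.1.2 -> 66.102.9.99 across both routers.
    Leg 1: B encrypts it (ACL 110) without NAT (ACL 103 deny). Leg 2: A
    decrypts it on Dialer1, routes it back out Dialer1 and, because it never
    entered an 'ip nat inside' interface, sends it in the clear with the
    private source, exactly what the poster saw on the WAN."""
    leg1 = ROUTER_B.forward("Vlan1", "10.0.1.2", "66.102.9.99")
    leg2 = ROUTER_A.forward("Dialer1", "10.0.1.2", "66.102.9.99")
    return [leg1, leg2]
```

For contrast, `ROUTER_A.forward("Vlan1", "10.0.0.5", "8.8.8.8")` is translated to 5.6.7.8 and sent in the clear, and `ROUTER_A.forward("Vlan1", "10.0.0.5", "10.0.1.7")` is denied by ACL 103 and so keeps its private source and matches ACL 162 into the tunnel, which is why the deny entries in the NAT list are there. The model also makes the order of operations visible: a translated source never matches the 10.x crypto ACL, so anything that the NAT list permits can never be encrypted.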
