site to site vpn with NAT

Answered Question
Jun 18th, 2009

I am configuring a site-to-site VPN with Cisco routers; both ends have live IPs.


I am following the document below for creating the VPN. In this case the VPN tunnel works fine, but the Internet service stops on both ends.


I have a private network inside the router and VLANs are configured; the VLANs must be NATted to get access to the Internet service.


When I remove the statements ip nat inside and ip nat outside from the inside and outside interfaces, my tunnel goes UP and works fine, but as soon as I add the NAT commands to the respective interfaces, the tunnel goes down but the Internet service starts.


The author hasn't mentioned any NAT statement.


1. Create Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.


Router(config)#crypto isakmp policy 9


Router(config-isakmp)#hash md5


Router(config-isakmp)#authentication pre-share


2. Set up the shared key that will be used in the VPN,


Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX


where,


VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.


XXX.XXX.XXX.XXX the static public IP address of the other end.


3. Now we set the lifetime for the IPSec security associations,


Router(config)#crypto ipsec security-association lifetime seconds YYYYY


where YYYYY is the association lifetime in seconds. It is usually set to 86400, which is one day.


4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,


Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK


where,


AAA is the access-list number


SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.


DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that need to pass though the VPN link.


5. Define the transform set that will be used for this VPN connection,


Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC


where,


SETNAME is the name of the transform set. You can choose any name you like.


BBBB and CCCCC are the transforms in the set. I recommend the use of "esp-3des esp-md5-hmac". You can also use "esp-3des esp-sha-hmac". Either one of these two will do the job.


6. After defining all the previous things, we need to create a crypto-map that associates the access-list with the other site and the transform set.


Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp


Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX


Router(config-crypto-map)#set transform-set SETNAME


Router(config-crypto-map)#match address AAA


where,


MAPNAME is a name of your choice for the crypto-map


PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map, give it any number, for example 10.


XXX.XXX.XXX.XXX the static public IP address of the other end


SETNAME is the name of the transform set that we configured in step 5


AAA is the number of the access-list that we created to define the traffic in step 4


7. The last step is to bind the crypto-map to the interface that connects the router to the other end.


Router(config-if)#crypto map MAPNAME


where MAPNAME is the name of the crypto-map that we defined in step 6.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.


Please Advise,


Regards,


Junaid

thotsaphon Thu, 06/18/2009 - 00:48

Junaid,

Please post your configuration regarding NAT and the ACLs for the VPN interesting traffic, AAA.

Keep in mind that NAT is done before the crypto functions. So you need to deny the interesting traffic in the ACLs for NAT (if used).


Let's check out this link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml



I'm waiting for your reply. (grin)

Toshi


junshah22 Thu, 06/18/2009 - 01:01

Dear Toshi,


In the above example, Router-A is configured to translate the inside local address 171.68.200.48 to 172.16.47.150, as shown in the configuration below.


The above-mentioned IPs are missing in the diagram.


Please advise

junshah22 Thu, 06/18/2009 - 01:15
Please see my configuration. In this router, remote client VPN and a site-to-site VPN will run at the same time.


MTL-2811#sh run

Building configuration...


Current configuration : 6257 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MTL-2811


boot-start-marker

boot-end-marker

enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxxxk0

!

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

aaa session-id common

resource policy

memory-size iomem 10

ip cef

!

ip domain name millat.com.pk

ip name-server 10.16.6.11

voice-card 0

no dspfarm

!

username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxx/


crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 55.55.233.210 no-xauth

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 192.168.1.17

wins 192.168.1.17

domain millat.com.pk

pool ippool

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset


crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

set peer 55.55.233.210

set transform-set myset

match address 100

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

ip address 192.168.74.1 255.255.255.0

ip access-group Internet in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 56.56.232.21 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 14.1.1.100 14.1.1.200

ip route 0.0.0.0 0.0.0.0 55.56.232.17

ip route 192.168.1.0 255.255.255.0 192.168.74.2

ip route 192.168.2.0 255.255.255.0 192.168.74.2

ip route 192.168.3.0 255.255.255.0

ip route 192.168.11.0 255.255.255.0 192.168.74.2

!

ip http server

no ip http secure-server

ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22

ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23

ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80

ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25

ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110

ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389

ip nat inside source list 160 interface FastEthernet0/1 overload

!

ip access-list extended Internet

permit ip host 10.16.6.11 any

permit ip host 10.16.7.12 any

permit tcp any any eq ftp

permit ip host 192.168.10.8 any

permit tcp any any eq smtp

permit tcp any any eq pop3

permit ip host 192.168.2.81 any

permit ip host 192.168.10.7 any

permit ip host 192.168.11.11 any

permit ip host 192.168.4.2 any

permit ip host 192.168.4.81 any

permit ip 192.168.20.0 0.0.0.255 any

permit ip host 192.168.5.8 any

permit ip host 192.168.10.99 any

permit ip host 192.168.9.221 any

permit ip host 192.168.10.215 any

permit ip host 192.168.10.221 any

permit ip 192.168.74.0 0.0.0.255 any

permit ip host 192.168.6.19 any

permit ip host 192.168.1.4 any

permit ip host 192.168.10.208 any

permit ip 192.168.1.0 0.0.0.255 any

!

access-list 100 permit ip 192.168.74.0 0.0.0.255 192.168.21.0 0.0.0.255

access-list 160 permit ip any any

access-list 160 permit tcp any any

snmp-server community public RO

snmp-server community foobar RO

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps cpu threshold

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

!

control-plane

dial-peer cor custom

!

line con 0

password xxxxxxx

line aux 0

line vty 0 4

password xxxxxxxx

!

scheduler allocate 20000 1000

!

end

MTL-2811#


junshah22 Thu, 06/18/2009 - 01:20
In the above configuration, my Internet is running on the internal network.


Remote users connect via the Cisco VPN client but are unable to get access to my servers in the 192.168.1.0 subnet.


As well, the remote user's Internet service stops.


I would like to solve this issue first; then I will concentrate on the site-to-site VPN.


PLEASE ADVISE

thotsaphon Thu, 06/18/2009 - 01:24

Junaid,

Thanks for the useful information. I will give you an example.


- The network behind RouterA is 192.168.74.0/24

- The network behind RouterB is 192.168.21.0/24

- They use F0/1 as the WAN interface.



====RouterA=====

!

ip nat inside source list DENY_LANA_GO_NAT interface F0/1 overload

!

!

ip access-list extended DENY_LANA_GO_NAT

deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

permit ip 192.168.74.0 0.0.0.255 any

!

ip access-list extended LANA_TO_LANB

permit ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

!

Router(config)#crypto map clientmap PRIORITY ipsec-isakmp

Router(config-crypto-map)#match address LANA_TO_LANB

!



Hope this link can help you some: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00809bd825.shtml



Please let me know how things work out.


HTH,

Toshi

junshah22 Thu, 06/18/2009 - 03:34

Dear,


Please look into my current configuration now.


sh run

Building configuration...


Current configuration : 6545 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MTL-2811

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxk0

!

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

!

resource policy

!

memory-size iomem 10

ip cef

!

ip domain name millat.com.pk

ip name-server 10.16.6.11

!

voice-card 0

no dspfarm


username Junaid privilege 15 secret 5 $1$ddSB$x5HZhS9Xai9Z6dzvpavLx/

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 55.55.233.210 no-xauth

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 192.168.1.17

wins 192.168.1.17

domain millat.com.pk

pool ippool

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

set peer 55.56.233.210

set transform-set myset

match address lana_to_lanb

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

ip address 192.168.74.1 255.255.255.0

ip access-group Internet in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 55.55.232.21 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 14.1.1.100 14.1.1.200

ip route 0.0.0.0 0.0.0.0 58.27.232.17

ip route 192.168.1.0 255.255.255.0 192.168.74.2

ip route 192.168.2.0 255.255.255.0 192.168.74.2


Other routes (192.168.3.0 - 11.0) are present in the actual config; I removed them because of the forum restriction.

!

ip http server

no ip http secure-server

ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22

ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23

ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80

ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25

ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110

ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389

ip nat inside source list deny_lana_go_nat interface FastEthernet0/1 overload

!

ip access-list extended Internet

permit ip host 10.16.6.11 any

permit ip host 10.16.7.12 any

permit tcp any any eq ftp

permit ip 192.168.20.0 0.0.0.255 any

permit ip 192.168.74.0 0.0.0.255 any

permit ip 192.168.11.0 0.0.0.255 any

permit ip host 192.168.10.208 any

permit ip host 192.168.2.17 any

permit ip 192.168.1.0 0.0.0.255 any


ip access-list extended deny_lana_go_nat

deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

permit ip 192.168.74.0 0.0.0.255 any

ip access-list extended lana_to_lanb

permit ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

!

snmp-server community public RO

snmp-server community foobar RO

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps cpu threshold

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

!

control-plane

dial-peer cor custom


----------------------------------------

In this scenario,

- VPN connects, I can ping my servers in the 192.168.1.0 network

- unable to remote-access my servers, let's suppose 192.168.1.15

- Local network (192.168.2.0 - 192.168.11.0) Internet service stops


If I permit 192.168.2.0 - 192.168.11.0 in the extended ACL (deny_lana_go_nat), the Internet service on the internal network runs but the VPN is unable to get access...


My other site (site b) is off right now...


PLEASE ADVISE

thotsaphon Thu, 06/18/2009 - 07:19

Junaid,

Well, please provide me with the exact traffic going from where to where. Okay, let's assume things.


1. Interesting traffic for Site-to-Site VPN is as follows:

SiteA

192.168.74.0 to 192.168.20.0/22

192.168.1.0 to 192.168.20.0/22


SiteB

192.168.20.0/22 to 192.168.74.0/24

192.168.20.0/22 to 192.168.1.0/24


2. Remote access VPN traffic is as follows:

14.1.1.0/24 to 192.168.1.0/24

14.1.1.0/24 to 192.168.74.0/24


Note: Don't use 14.x.x.x again (RFC 1918).


3. Internet traffic is as follows:

192.168.1.0/24 - 192.168.11.0/24 ,192.168.74.0/24



=======RouterA========

!

ip access-list extended LANA_TO_LANB

permit ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255

!

!

ip access-list extended DENY_VPN_GO_NAT

deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.74.0 0.0.0.255 14.1.1.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255

permit ip 192.168.0.0 0.0.255.255 any

!

crypto map clientmap 1 ipsec-isakmp

match address LANA_TO_LANB

!

ip nat inside source list DENY_VPN_GO_NAT interface F0/1 overload

!



Let's take a deep breath!!!



=======RouterB========

Just for Site-to-Site VPN.

!

ip access-list extended LANB_TO_LANA

permit ip 192.168.20.0 0.0.3.255 192.168.74.0 0.0.0.255

permit ip 192.168.20.0 0.0.3.255 192.168.1.0 0.0.0.255

!

!

crypto map XXXXXX ipsec-isakmp

match address LANB_TO_LANA

!



Hope I helped you some. (grin)

Toshi


junshah22 Thu, 06/18/2009 - 22:46

Toshi you are great!!!!


Please see my current configuration. In this scenario, the VPN client connects and can use server resources successfully, but its own (the VPN client's) Internet service stops. I still have not attached my site B, because I will have to go there for configuration; I will tell you about that very soon.


PLEASE ADVISE..


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname MTL-2811

boot-start-marker

boot-end-marker


enable secret 5 $xxxxxxxxxxxxx0u.

!

aaa new-model

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

resource policy

memory-size iomem 10

!

ip cef

ip domain name millat.com.pk

ip name-server 10.16.6.11

!

voice-card 0

no dspfarm

!

username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxDf.


crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 55.56.233.210 no-xauth

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 192.168.1.17

wins 192.168.1.17

domain millat.com.pk

pool ippool

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset


crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

set peer 55.56.233.210

set transform-set myset

match address lana_to_lanb

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

ip address 192.168.74.1 255.255.255.0

ip access-group Internet in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 55.55.232.20 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 192.168.55.100 192.168.55.200

ip route 0.0.0.0 0.0.0.0 55.55.232.17

ip route 192.168.1.0 255.255.255.0 192.168.74.2

ip route 192.168.2.0 255.255.255.0 192.168.74.2

----- other routes are added, from 3-11

!

ip http server

no ip http secure-server

ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22

ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23

ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80

ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25

ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110

ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389


ip nat inside source list deny_vpn_go_nat interface FastEthernet0/1 overload

!

ip access-list extended Internet

permit ip host 10.16.6.11 any

permit ip host 10.16.7.12 any

permit ip 192.168.20.0 0.0.0.255 any

permit ip host 192.168.5.8 any

permit ip host 192.168.10.99 any

permit ip host 192.168.9.221 any

permit ip 192.168.74.0 0.0.0.255 any

permit ip 192.168.11.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended deny_vpn_go_nat

deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255

permit ip 192.168.0.0 0.0.255.255 any


ip access-list extended lana_to_lanb

permit ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255

!

snmp-server community public RO

snmp-server community foobar RO

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps cpu threshold

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

!

control-plane

!

dial-peer cor custom

!

line con 0

password Pajero

line aux 0

line vty 0 4

password Pajero2009

!

scheduler allocate 20000 1000

MTL-2811#



Sam Smiley Fri, 06/19/2009 - 11:28

To save yourself a great deal of headache replace these lines in your deny_vpn_go_nat access list:


Replace these...

deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255

deny ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255


With these...

deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255

deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255

deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255


You can do the access list on a subnet by subnet basis, however I've found just adding all of the private subnets is much easier. Then you won't go crazy trying to find NAT problems. There is really no need to NAT any of the private addresses.


Cheers,

Sam

junshah22 Sat, 06/20/2009 - 02:10
Do I need to add a permit statement like the one in my previous config,


permit ip 192.168.0.0 0.0.255.255 any


because there is an implicit deny at the end of the ACL, so all traffic will be blocked....


Am I right???



Correct Answer
thotsaphon Sat, 06/20/2009 - 08:29
Junaid, hi, it's me again!!! How have you been?


"VPN Client connects and can use server resources successfully but its own (vpn client's) Internet service stops"


Time to use split-tunnelling for the remote access VPN clients.



!

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255

!

crypto isakmp client configuration group vpnclient

acl 111

!



Edit: Yes, there is an implicit deny there. However, I always configure ACLs to deny/permit the exact traffic for the VPN. One reason is to correctly see the hits of the traffic flows when using a "show access-list XXX" command. Am I right? (grin)


HTH, What about the rating system? J/K

Toshi
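To make two points in this thread concrete, Toshi's 06/18 00:48 note that NAT happens before the crypto functions (so interesting traffic has to be denied in the NAT list) and the split-tunnel list in the answer above, here is a small simulator of how IOS evaluates these lists. It is an added example, not code from the thread or from Cisco: it parses the extended ACLs posted above (first match wins, implicit deny at the end), runs sample flows through the NAT list and then the crypto ACL in the order IOS uses for inside-to-outside traffic, and evaluates the split-tunnel list from the client's side. The flows, the use of 55.55.232.20 as the translated source address, and the trimmed version of Sam's RFC 1918 list are constructed for the example.

```python
import ipaddress

# Added example, not from the thread. Public address of the head-end WAN
# interface (F0/1 in the posted config), assumed as the translated source
# of every flow that NAT overload catches.
HEADEND_PUBLIC = "55.55.232.20"


def _spec_to_net(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') and
    return it as an ipaddress network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    if (wild + 1) & wild:  # only contiguous wildcards map onto a prefix
        raise ValueError("non-contiguous wildcard after %s" % tok)
    prefixlen = 33 - (wild + 1).bit_length()
    return ipaddress.ip_network("%s/%d" % (tok, prefixlen), strict=False)


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines (the only shape the thread's
    ACLs use) into ordered (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        rest = tokens[2:]
        src = _spec_to_net(rest)
        dst = _spec_to_net(rest)
        entries.append((tokens[0], src, dst))
    return entries


def match(acl, src, dst):
    """First match wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def classify(src, dst, nat_acl, crypto_acl, public_ip=HEADEND_PUBLIC):
    """Fate of an inside->outside packet. IOS applies inside-to-outside NAT
    before it consults the crypto map, so a flow the NAT list permits reaches
    the crypto ACL with the public address as its source and can never match
    a private-to-private crypto entry."""
    natted = match(nat_acl, src, dst) == "permit"
    effective_src = public_ip if natted else src
    if match(crypto_acl, effective_src, dst) == "permit":
        return "encrypted"
    if natted:
        return "natted"
    return "clear"  # leaves untranslated with a private source; upstream normally drops it


def split_tunnel(client_ip, dst, split_acl):
    """IOS evaluates the split-tunnel ACL from the head-end's point of view
    (source = protected network, destination = client), so the client's
    destination is matched as the ACL source."""
    return "tunnel" if match(split_acl, dst, client_ip) == "permit" else "local"


# NAT and crypto lists as they appear in the thread; all flows are constructed.
NAT_NO_EXEMPTION = parse_acl("permit ip any any")  # access-list 160, first config
NAT_FIRST_TRY = parse_acl("""
deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
permit ip 192.168.74.0 0.0.0.255 any
""")  # deny_lana_go_nat, second config
NAT_FINAL = parse_acl("""
deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
""")  # deny_vpn_go_nat, final config
NAT_RFC1918 = parse_acl("""
deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
permit ip 192.168.0.0 0.0.255.255 any
""")  # the 192.168.0.0/16 rows of Sam's blanket exemption, plus the permit
CRYPTO = parse_acl("""
permit ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
""")  # lana_to_lanb
SPLIT = parse_acl("""
permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
""")  # access-list 111

if __name__ == "__main__":
    flows = [("192.168.74.10", "192.168.21.5"),  # LAN A host to LAN B
             ("192.168.2.5", "192.168.21.5"),    # a VLAN that is not in the crypto ACL
             ("192.168.2.5", "203.0.113.10")]    # plain Internet traffic
    for name, nat in (("access-list 160", NAT_NO_EXEMPTION),
                      ("deny_lana_go_nat", NAT_FIRST_TRY),
                      ("deny_vpn_go_nat", NAT_FINAL),
                      ("rfc1918 blanket", NAT_RFC1918)):
        for src, dst in flows:
            print("%-17s %s -> %s: %s" % (name, src, dst, classify(src, dst, nat, CRYPTO)))
    for dst in ("192.168.1.15", "203.0.113.10"):
        print("client -> %s: %s" % (dst, split_tunnel("192.168.55.100", dst, SPLIT)))
```

Running it reproduces the three symptoms from the thread. With access-list 160 every flow is translated before the crypto map sees it, so nothing ever matches lana_to_lanb and the tunnel never comes up once NAT is on the interfaces. With deny_lana_go_nat the 192.168.2.0 - 192.168.11.0 VLANs match nothing, fall through the implicit deny and leave untranslated, which is why their Internet service stopped. With deny_vpn_go_nat every flow is either encrypted or translated. The last list is the caveat on the blanket RFC 1918 exemption: a private-to-private flow that is not in the crypto ACL is then neither translated nor encrypted, so keep the NAT exemption and the crypto ACL as mirror images of each other, which is also what makes the hit counters in "show access-list" meaningful.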

Giuseppe Larosa Sat, 06/20/2009 - 09:23

Hello Toshi,

you did a very good job in this thread



Best Regards

Giuseppe

thotsaphon Sat, 06/20/2009 - 11:34

Giuseppe,

Many thanks. As far as I know, you have been helping people (a lot!) here. 5P! as always


Best Regards,

Toshi

junshah22 Mon, 06/22/2009 - 00:29

Toshi,


You really did a good job, you are great. THANKS.


My one big problem has been resolved now, i.e. (remote client VPN with the remote user's Internet service).


Now I have to connect my site B via VPN; I will send you site B's config very soon.


Absolutely, you have the right to get an excellent rating and you will get it very soon :-) as soon as my site B starts working.


BEST REGARDS,


JUNAID

junshah22 Tue, 07/14/2009 - 23:54

Toshi,


It's me (Junaid) again; I hope you are well.


I configured my site B router for site-to-site VPN and added your advised commands.


The VPN started working fine, and the Internet service was working too, but


these services were available to only one user, while the other users on the same network subnet were unable to get access to the servers or the Internet.


Means,

Server access + Internet was working on only one PC.


Is there any TCP connections problem??


Regards,


Junaid

junshah22 Fri, 08/28/2009 - 21:35

Hi Toshi,


I configured the regional office router for site-to-site VPN but am having a problem.


VPN users are unable to connect to this router. I can access my servers at the other end from my PC, but I am unable to ping from the router. AMAZING!!!


Please see my config below for the regional office.


sh run

Building configuration...


Current configuration : 3036 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname MTL-1811

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1xxxxxxxxxxxxxxxxe/

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common


!

ip cef

!

ip domain name millat.com.pk

ip name-server 10.16.6.11

ip name-server 10.16.7.12

!

multilink bundle-name authenticated

!

username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxxx0

username Farogh privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxxxx1


crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 58.27.232.18 no-xauth

!

crypto isakmp client configuration group vpnclient

key cisco123

pool ippool

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

crypto map clientmap client authentication list userauthen

crypto map clientmap client authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

set peer 58.27.232.18

set transform-set myset

match address lanb_to_lana

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1

ip address 58.27.233.210 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map clientmap

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

ip address 192.168.21.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Async1

no ip address

encapsulation slip

!

ip local pool ippool 192.168.56.100 192.168.56.200

ip route 0.0.0.0 0.0.0.0 58.27.233.209

!

no ip http server

no ip http secure-server

ip nat inside source list deny_vpn_go_nat interface FastEthernet1 overload

!

ip access-list extended deny_vpn_go_nat

deny ip 192.168.21.0 0.0.0.255 192.168.56.0 0.0.0.255

deny ip 192.168.21.0 0.0.0.255 192.168.74.0 0.0.0.255

deny ip 192.168.56.0 0.0.0.255 192.168.74.0 0.0.0.255

deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.56.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip any any

ip access-list extended lanb_to_lana

permit ip 192.168.20.0 0.0.3.255 192.168.74.0 0.0.0.255

permit ip 192.168.20.0 0.0.3.255 192.168.1.0 0.0.0.255

!

snmp-server community public RO

snmp-server community foobar RO

snmp-server enable traps cpu threshold

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop


control-plane

line con 0

password 7 0xxxxxxxxxxxxx3

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

!
