07-21-2009 11:04 AM - edited 03-04-2019 05:30 AM
Hi,
We have a VPN tunnel set up on the above-mentioned router to one of our partners. Here is the setup:
Partner VPN Router 7.7.7.2 <--> Internet <--> (6.6.6.6) Internet Router (10.1.1.1) <--> (10.1.1.2) VPN Router(6.6.6.2).
The VPN router has two interfaces: 10.1.1.2 (also used to reach the servers in the internal network) and 6.6.6.2, which is just terminated on a switch to keep the interface up.
Please find the config below:
{
version 12.2
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 14400
crypto isakmp key ********* address 7.7.7.2
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap local-address FastEthernet2/0
crypto map mymap 10 ipsec-isakmp
set peer 7.7.7.2
! the crypto map must reference the transform set defined above (set1)
set transform-set set1
set pfs group2
match address 160
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
duplex full
no cdp enable
crypto map mymap
!
interface FastEthernet2/0
ip address 6.6.6.2 255.255.255.240
no ip redirects
no ip unreachables
duplex auto
speed auto
no cdp enable
!
! next hop 10.1.1.3 is a different router that reaches the internal network
ip route 10.0.0.0 255.0.0.0 10.1.1.3
ip route 172.16.0.0 255.255.0.0 10.1.1.1
no ip http server
!
!
! "host" takes no wildcard; this entry covers all of 10/8 to 172.16/16
access-list 160 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
}
We are able to reach the remote partner network and they can reach us too. I am interested to know how it works when the crypto map is applied on the internal interface. Can someone help me clarify this config, please?
Thx,
Subra
07-21-2009 11:30 AM
Hello Subra,
>> ip route 172.16.0.0 255.255.0.0 10.1.1.1
this static route does the trick:
traffic destined to net 172.16.0.0/16 is sent out the internal interface, where it matches the ACL of the crypto map and so gets encrypted and is sent to the IPsec peer.
However, I agree that the external interface should be the place to put this crypto map, so that you can be sure of correct behaviour for all internal VLANs in net 10/8, like ACL 160:
access-list 160 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
For example, we have used this trick on a remote site that has a secondary crypto map applied to a loopback interface.
Hope to help
Giuseppe
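The traffic path described in the reply above, written out as an added example (not part of the original thread): the poster's config with the transform-set name and the ACL syntax corrected, plus the routing that makes an inside-interface crypto map work. Peer, subnets and interface names are the ones from the thread; the host route for the peer and the Internet-router line are assumptions about the site, not something the posts state.

```cisco
! --- VPN router (10.1.1.2 inside / 6.6.6.2 "outside") ---
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key ********* address 7.7.7.2
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
! ISAKMP/ESP are sourced from 6.6.6.2 even though packets leave via Fa0/0
crypto map mymap local-address FastEthernet2/0
crypto map mymap 10 ipsec-isakmp
 set peer 7.7.7.2
 set transform-set set1
 set pfs group2
 match address 160
!
! no "host" keyword: whole 10/8 to whole 172.16/16 is the interesting traffic
access-list 160 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ! encryption is applied on egress here, because this is where the
 ! partner-bound traffic (and the peer itself) is routed out
 crypto map mymap
!
interface FastEthernet2/0
 ip address 6.6.6.2 255.255.255.240
 ! only lends its address to the tunnel; nothing is routed out of it
!
ip route 10.0.0.0 255.0.0.0 10.1.1.3
! pulls 172.16/16 traffic out Fa0/0, where ACL 160 matches it
ip route 172.16.0.0 255.255.0.0 10.1.1.1
! assumption: the peer must be reachable via the crypto-map interface,
! so make that explicit rather than relying on a default route
ip route 7.7.7.2 255.255.255.255 10.1.1.1
!
! --- Internet router (10.1.1.1 / 6.6.6.6), assumed ---
! return traffic for the tunnel endpoint must come back to the VPN router
ip route 6.6.6.2 255.255.255.255 10.1.1.2
```

To confirm the path, `show crypto map` should list FastEthernet0/0 under "Interfaces using crypto map mymap", and `show crypto ipsec sa` should show the local ident 10.0.0.0/255.0.0.0 and remote ident 172.16.0.0/255.255.0.0 with pkts encaps/decaps counters rising while partner traffic flows. If the counters stay at zero, check `show ip route 172.16.0.0` resolves to FastEthernet0/0 and that the Internet router can deliver packets addressed to 6.6.6.2 back to 10.1.1.2.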
07-22-2009 02:07 AM
Hi,
Thanks for your Inputs.
Now we would like to do some NAT on the VPN, e.g. 10.10.10.10 translated to 192.168.10.10 for the remote subnet. How do we assign the inside and outside interfaces?
Thx,
Sundar
07-22-2009 03:30 AM
Hello Sundar,
you should use GRE inside IPsec to achieve this:
the GRE traffic then becomes the only traffic that is encrypted;
the remote IP subnet has to point to the GRE tunnel with a static route;
the GRE tunnel is the place to put the ip nat outside command;
the GRE tunnel destination has to be reached via the interface where the crypto map is applied.
Hope to help
Giuseppe
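The four steps above, as one added configuration example (not from the original thread): GRE inside IPsec with static NAT of 10.10.10.10 to 192.168.10.10. It assumes the ISAKMP policy, pre-shared key and transform set from the posted config are kept as they are (with the crypto map referencing the defined set name), that the tunnel endpoint 7.7.7.2 is reached via Fa0/0, and that the partner terminates the GRE tunnel on their side with a matching GRE-only crypto ACL. The tunnel addressing 192.168.255.0/30 and the MTU/MSS values are assumptions.

```cisco
! --- VPN router: GRE inside IPsec with static NAT ---
! The tunnel carries the cleartext site-to-site traffic; only the GRE
! packets between 6.6.6.2 and 7.7.7.2 are encrypted.
interface Tunnel0
 ! assumed point-to-point addressing for the tunnel itself
 ip address 192.168.255.1 255.255.255.252
 ! NAT outside lives on the tunnel, so translation happens before GRE
 ip nat outside
 ! GRE + ESP overhead: keep inner packets below the 1500-byte path MTU
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet2/0
 tunnel destination 7.7.7.2
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ! internal traffic arrives here, so this is the NAT inside interface
 ip nat inside
 ! GRE toward 7.7.7.2 leaves through this interface and is encrypted here
 crypto map mymap
!
interface FastEthernet2/0
 ip address 6.6.6.2 255.255.255.240
!
! Host 10.10.10.10 is presented to the partner as 192.168.10.10;
! the partner routes 192.168.10.10 to us and never sees 10.10.10.10.
ip nat inside source static 10.10.10.10 192.168.10.10
!
! Partner subnet is routed into the tunnel, so inside->outside NAT applies
ip route 172.16.0.0 255.255.0.0 Tunnel0
! Tunnel endpoint must be reached via the interface holding the crypto map
ip route 7.7.7.2 255.255.255.255 10.1.1.1
ip route 10.0.0.0 255.0.0.0 10.1.1.3
!
! Crypto ACL now matches only the GRE packets between the two endpoints,
! replacing the earlier 10/8 -> 172.16/16 entry
no access-list 160
access-list 160 permit gre host 6.6.6.2 host 7.7.7.2
```

Order of operations is what makes this work: a packet from 10.10.10.10 enters Fa0/0 (inside), is routed to Tunnel0 (outside), is translated to 192.168.10.10, is GRE-encapsulated as 6.6.6.2 to 7.7.7.2, and that GRE packet is then routed out Fa0/0 where ACL 160 matches it and the crypto map encrypts it. `show ip nat translations` should show the static entry, and `show crypto ipsec sa` should now show GRE (protocol 47) between the two host addresses as the only protected flow. Because the crypto ACL changes from the subnets to GRE, the partner's crypto ACL and tunnel configuration must change to match; the remote end cannot stay untouched with this method.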
07-22-2009 04:29 AM
Hi Giuseppe,
We are trying to introduce NAT into the environment without the remote end's intervention. Please let me know if we could achieve this.
Thx,
Sundar