VPN IPSec subnet problem

Answered Question
Feb 12th, 2010

Hi,

I am trying to configure site-to-site connection using VPN preshared key. The VPN connection is getting up and running, but I am having problems on routing information between subnets.

Our subnet is 192.168.1.0 and we can't use this subnet to establish the VPN. Because of that we are using 10.240.86.33 to originate IPSec traffic, and the destination network (PC) is on 164.2.107.56.

We can't connect to the computer on the 164.2.107.56 network; can someone help us accomplish this config?

Our configuration is below:

interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 200.111.XXX.XXX 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
service-policy output SDM-QoS-Policy-1
!
interface FastEthernet0/1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.111.XXX.XXX 2
!
!
ip http server
no ip http secure-server
ip nat pool INTERNET 200.111.XXX.XXX 200.111.XXX.XXX netmask 255.255.255.248
ip nat inside source route-map NONAT pool INTERNET overload
ip nat inside source static network 192.168.1.0 164.2.107.0 /24
ip nat inside source static 192.168.1.104 200.111.XXX.XXX
ip nat outside source static network 10.240.86.0 192.168.1.0 /24
!
logging trap debugging
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 15 permit 200.6.103.241
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.240.86.0 0.0.0.255 164.2.107.56 0.0.0.1
no cdp run
!
!
route-map NONAT permit 10
match ip address 10
!
route-map SDM_RMAP_1 permit 1
match ip address 150
!
!
!

Correct Answer
Federico Coto F... Sat, 02/13/2010 - 08:16

Hi,

Is this the router that is terminating the VPN tunnel? (I don't see the VPN configuration.)

Since you can't use your real LAN address, you have to NAT before sending traffic through the tunnel.

First you apply the NAT rule, to translate 192.168.1.0/24 to 10.240.86.33 when going to 164.2.107.56:

access-list NAT permit ip 192.168.1.0 0.0.0.255 host 164.2.107.56

route-map NAT

match ip address NAT

ip local pool VPNPool 10.240.86.33 10.240.86.33

ip nat inside source route-map NAT pool VPNPool overload

Then you create the ACL for interesting traffic, from the NATed address to the other site's address:

access-list VPN permit ip host 10.240.86.33 host 164.2.107.56

Let's see the results.

Federico.

tstevanovic Sat, 02/13/2010 - 20:53

Hi Federico,

Thanks for your reply. You are correct, this is the router that establishes the VPN connection; I omitted the VPN configuration in the first post.

I am still unable to reach 164.2.107.56 from 192.168.1.3 computer after applying the configuration.

By running tracert to 164.2.107.56 I see that it goes out to the Internet and is not routed into the VPN.

What did I miss?

Final configuration below (including VPN):

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXX address XXXXX
!
!
crypto ipsec transform-set HSBC esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Incomplete
description Tunnel toXXX
set peer XXXXX
set transform-set HSBC
match address 101

!

ip local pool VPNPool 10.240.86.33
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 [PUBLIC IP]
!
!
ip http server
no ip http secure-server
ip nat pool INTERNET [PUBLIC IP] [PUBLIC IP] netmask 255.255.255.248
ip nat inside source route-map NAT pool VPNPool overload
ip nat inside source route-map NONAT pool INTERNET overload

!
logging trap debugging
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 15 permit [PUBLIC IP]
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 164.2.107.56
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip host 10.240.86.33 host 164.2.107.56
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 10.240.86.33 host 164.2.107.56
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
route-map NONAT permit 10
match ip address 10
!
route-map NAT permit 10
match ip address 100
!

Regards,

Tomas

Correct Answer
Federico Coto F... Sun, 02/14/2010 - 09:23

If you see the traffic getting out to the Internet instead of through the tunnel, then it is because it's not being encrypted.

The traffic to be encrypted is defined by ACL 101.
If you have this ACL:
access-list VPN permit ip host 10.240.86.33 host 164.2.107.56
then the traffic should be translated to IP 10.240.86.33 before being encrypted.

Check that your traffic is being translated to that IP with the ''show ip nat translation'' command.

I think that the problem is that the traffic is not being NATed and therefore not being sent through the tunnel.
Check if the problem is with the translation and if you see the translation, then check if the tunnel tries to establish with the command:
''sh cry isa sa''

Federico.

tstevanovic Wed, 02/17/2010 - 11:33

Federico,

I managed to make it work. The problem was my poor understanding of the routes and access lists.

When I did it in the correct order, putting the route for NAT translation to the subnet first and then the route for Internet access, all started to work.

Thanks for your help.

Tomas
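Added example (not code from the thread or from Cisco): a small Python model of the inside-to-outside packet path that Federico describes (source NAT first, then the crypto map's "match address 101" checked against the translated packet) and of the rule-ordering problem Tomas reports as the fix. It uses the ACLs and addresses from the posted configuration; the masked [PUBLIC IP] is replaced by the RFC 5737 documentation address 203.0.113.1, and the "other Internet host" 198.51.100.7 is constructed. The model assumes the NAT statements are evaluated in the listed order with the first match winning, which is the behaviour the resolution of this thread relies on; ACL 10 is a standard ACL, so it matches on source only and, if listed first, swallows the traffic that ACL 100 intended for the tunnel.

```python
import ipaddress

# Addresses from the thread. The router's public address is masked as
# [PUBLIC IP] in the post, so a documentation (RFC 5737) address stands in.
LAN = ipaddress.ip_network("192.168.1.0/24")          # inside LAN
REMOTE_HOST = ipaddress.ip_address("164.2.107.56")    # PC behind the VPN peer
VPN_NAT_ADDR = ipaddress.ip_address("10.240.86.33")   # ip local pool VPNPool
PUBLIC_IP = ipaddress.ip_address("203.0.113.1")       # placeholder for [PUBLIC IP]


def acl_100(src, dst):
    """access-list 100 permit ip 192.168.1.0 0.0.0.255 host 164.2.107.56"""
    return src in LAN and dst == REMOTE_HOST


def acl_10(src, dst):
    """access-list 10 permit 192.168.1.0 0.0.0.255 (standard ACL: source only)"""
    return src in LAN


def crypto_acl_101(src, dst):
    """access-list 101 permit ip host 10.240.86.33 host 164.2.107.56
    (the crypto map's interesting-traffic ACL)"""
    return src == VPN_NAT_ADDR and dst == REMOTE_HOST


# (config line, route-map match function, address the source is translated to)
NAT_VPN = ("ip nat inside source route-map NAT pool VPNPool overload",
           acl_100, VPN_NAT_ADDR)
NAT_INTERNET = ("ip nat inside source route-map NONAT pool INTERNET overload",
                acl_10, PUBLIC_IP)


def forward(src, dst, nat_rules):
    """Model one inside-to-outside packet (assumption: first matching NAT
    statement wins, and the crypto map is evaluated after translation).
    Returns (translated source, winning NAT statement, "ipsec" or "cleartext")."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, winner = src, None
    for line, match, translated in nat_rules:
        if match(src, dst):
            new_src, winner = translated, line
            break
    # The crypto map sees the packet only after NAT has rewritten its source.
    path = "ipsec" if crypto_acl_101(new_src, dst) else "cleartext"
    return str(new_src), winner, path


def flows_missing_tunnel(nat_rules, flows):
    """Audit helper: flows that ACL 100 intends for the tunnel but that this
    rule order would send out to the Internet in cleartext."""
    leaks = []
    for src, dst in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if acl_100(s, d) and forward(src, dst, nat_rules)[2] != "ipsec":
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    # Constructed sample flows: the PC from the thread to the remote host,
    # and the same PC to an ordinary Internet host.
    flows = [("192.168.1.3", "164.2.107.56"), ("192.168.1.3", "198.51.100.7")]
    for name, order in (("Internet NAT rule first", [NAT_INTERNET, NAT_VPN]),
                        ("VPN NAT rule first", [NAT_VPN, NAT_INTERNET])):
        print(name)
        for src, dst in flows:
            print("   %s -> %s: %s" % (src, dst, forward(src, dst, order)))
        print("   flows bypassing the tunnel:", flows_missing_tunnel(order, flows))
```

With the Internet rule first, 192.168.1.3 -> 164.2.107.56 is translated to the public address, no longer matches ACL 101, and leaves unencrypted, which is what a tracert going out to the Internet looks like. With the VPN rule first it is translated to 10.240.86.33, matches ACL 101, and is encrypted. `show ip nat translation`, as Federico suggests, is the on-box check for which translation actually won.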
