site to site ipsec in cisco 2821

Answered Question
Apr 5th, 2010

Hi All,

We have a 2821 router at both our main and remote office. The main and remote office are connected through a site-to-site IPSec VPN using pre-shared key authentication. Our ftp, database, remote desktop, and web server are located in our main office.

1. We can access the database, remote desktop, and web(.html and .jsp) server from our remote office using the tunnel to main office without problem.

2. But when the remote office tried to access the main office web server (.php), we could not fetch or view the site.

3. We cannot access the ftp server locally using the tunnel. We need to use the internet and port forwarding to access our main office ftp server, instead of just using the tunnel.

Thanks for the help in advance.

Correct Answer by Jennifer Halim about 6 years 8 months ago

Try the actual ip address of the outside interface as follows:

ip nat inside source static tcp 10.1.2.100 22 22 route-map ftp-NAT extendable

darwin_valdez Tue, 04/06/2010 - 02:20


Hi Federico,

This is the config at both ends.

Remote Router Config

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key xxxxxxxxxx address 111.111.111.1
!
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to Main Office
  set peer 111.111.111.1
  set security-association lifetime seconds 3600
  set transform-set ESP-3DES-SHA9
  match address 103
!
interface GigabitEthernet0/0
  description $ETH-WAN$
  ip address 222.222.222.2 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
  description $ETH-LAN$
  ip address 10.1.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
! Dynamic PAT for Internet access; ACL 101 exempts LAN-to-LAN (tunnel) traffic from translation
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
! Crypto ACL 103: traffic that the crypto map sends through the tunnel
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Main Router Config

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key xxxxxxxxxx address 222.222.222.2
!
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to Remote Office
  set peer 222.222.222.2
  set security-association lifetime seconds 3600
  set transform-set ESP-3DES-SHA9
  match address 103
!
interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
  ip address 111.111.111.1 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
  description $ES_LAN$$FW_INSIDE$
  ip address 10.1.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
! Dynamic PAT for Internet access; ACL 101 exempts LAN-to-LAN (tunnel) traffic from translation
ip nat inside source list 101 interface GigabitEthernet0/0 overload
! Static PAT for the SFTP server (tcp/22) from the Internet; no route-map, so it is not limited by ACL 101
ip nat inside source static tcp 10.1.2.100 22 interface GigabitEthernet0/0 22
!
access-list 101 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
! Crypto ACL 103: traffic that the crypto map sends through the tunnel
access-list 103 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Jennifer Halim Tue, 04/06/2010 - 01:16

I assume that the FTP server has static translation configured. If that is the case, please remember to configure route-map at the end of the static translation to deny translation from the ftp server private ip address towards the remote LAN, and allow everything else after the deny statement.

Example:

FTP server ip of 10.1.1.1, translated to 200.1.1.1

! ACL 120 drives the route-map: deny = do not translate, permit = translate
access-list 120 deny ip host 10.1.1.1 <remote-LAN> <wildcard>
access-list 120 permit ip host 10.1.1.1 any

route-map ftp-NAT permit 10
     match ip address 120

ip nat inside source static 10.1.1.1 200.1.1.1 route-map ftp-NAT

Hope that helps.

darwin_valdez Tue, 04/06/2010 - 02:42

Hi Halijenn,

I also tried your example and the result is just the same. Please see the error log of the remote office using the FileZilla ftp client.

Status:    Connecting to 10.1.2.100...
Response:    fzSftp started
Command:    open "[email protected]" 22
Error:    Connection timed out
Error:    Could not connect to server

Jennifer Halim Tue, 04/06/2010 - 02:58

Can you please confirm if you have the following configuration:

ip nat inside source static tcp 10.1.2.100 22 interface GigabitEthernet0/0 22 route-map ftp-NAT

access-list 120 deny ip host 10.1.2.100 10.1.1.0 0.0.0.255
access-list 120 permit ip host 10.1.2.100 any

route-map ftp-NAT permit 10
     match ip address 120

Please also make sure that you delete the original "ip nat inside source static tcp 10.1.2.100 22 interface  GigabitEthernet0/0 22" after configuring the above, and also clear the translation table before you test the connection.

Another thing is you mentioned you were trying to FTP, but you were using port 22, do you mean you were trying to SSH to 10.1.2.100?

darwin_valdez Tue, 04/06/2010 - 03:41

Hi Halijenn,

We were using SFTP on port 22 on our ftp server. I cannot add "route-map ftp-NAT" at the end of the static translation.

ip nat inside source static tcp 10.1.2.100  22 interface gigabitEthernet0/0 22 route-map ftp-NAT
                                                                               ^
% Invalid input detected at '^' marker.

But i have,

access-list 120 deny ip host 10.1.2.100 10.1.1.0 0.0.0.255
access-list 120 permit ip host 10.1.2.100 any

route-map ftp-NAT permit 10
     match ip address 120

configured in the router.

Correct Answer
Jennifer Halim Tue, 04/06/2010 - 03:53

Try the actual ip address of the outside interface as follows:

ip nat inside source static tcp 10.1.2.100 22 22 route-map ftp-NAT extendable
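Why the route-map on the static entry matters, as an added example that is not part of the thread: the model below follows the IOS inside-to-outside order of operations (NAT runs before the crypto map is consulted, so the crypto ACL sees the translated packet) and uses the addresses, ACL numbers and route-map name from the configs above. A static PAT entry is matched only on inside address and port, so without a route-map it rewrites every packet from 10.1.2.100:22, including the server's replies to the remote LAN; once the source is 111.111.111.1 the packet no longer matches crypto ACL 103 and leaves in the clear toward a private address, which is the FileZilla timeout. The remote client 10.1.1.50:51000 and the Internet client 203.0.113.7 are assumptions.

```python
# Added example (not from the thread): a model of how the main router's NAT rules
# and crypto ACL interact for an SFTP reply leaving the 10.1.2.0/24 LAN.
# The remote client 10.1.1.50:51000 and Internet client 203.0.113.7 are assumed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

REMOTE_LAN = ip_network("10.1.1.0/24")    # behind the remote 2821
MAIN_LAN = ip_network("10.1.2.0/24")      # behind the main 2821
MAIN_OUTSIDE_IP = "111.111.111.1"         # main router Gi0/0
SFTP_SERVER = "10.1.2.100"                # static PAT target, tcp/22


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def acl_101_permits(pkt: Packet) -> bool:
    """Dynamic PAT ACL on the main router: exempt LAN-to-LAN, translate the rest."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in MAIN_LAN and dst in REMOTE_LAN:
        return False                      # deny ip 10.1.2.0/24 10.1.1.0/24
    return src in MAIN_LAN                # permit ip 10.1.2.0/24 any


def route_map_ftp_nat(pkt: Packet) -> bool:
    """route-map ftp-NAT permit 10 / match ip address 120 (ACL 120 from the thread)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src == ip_address(SFTP_SERVER) and dst in REMOTE_LAN:
        return False                      # deny ip host 10.1.2.100 10.1.1.0/24
    return src == ip_address(SFTP_SERVER)  # permit ip host 10.1.2.100 any


def crypto_acl_103_matches(pkt: Packet) -> bool:
    """Crypto ACL 103: what the crypto map encrypts into the tunnel."""
    return ip_address(pkt.src) in MAIN_LAN and ip_address(pkt.dst) in REMOTE_LAN


def nat_inside_to_outside(pkt: Packet, static_route_map=None) -> Packet:
    """Inside-to-outside NAT on Gi0/0.

    The static PAT entry is matched purely on inside address and port; without a
    route-map it is not restricted by ACL 101, so it rewrites every packet from
    10.1.2.100:22 whatever the destination. The dynamic 'overload' entry would
    also pick a new source port, which is omitted here because only the source
    address matters for the crypto ACL.
    """
    if pkt.src == SFTP_SERVER and pkt.sport == 22:
        if static_route_map is None or static_route_map(pkt):
            return replace(pkt, src=MAIN_OUTSIDE_IP)
        return pkt                        # route-map denied: leave untranslated
    if acl_101_permits(pkt):
        return replace(pkt, src=MAIN_OUTSIDE_IP)
    return pkt


def forward(pkt: Packet, static_route_map=None):
    """NAT runs before the crypto map is consulted, so the crypto ACL sees the
    translated packet. Returns the packet as it leaves Gi0/0 and its path."""
    out = nat_inside_to_outside(pkt, static_route_map)
    path = "tunnel" if crypto_acl_103_matches(out) else "internet"
    return out, path


if __name__ == "__main__":
    reply = Packet(SFTP_SERVER, "10.1.1.50", 22, 51000)        # SYN-ACK to the remote client
    print("no route-map  :", forward(reply))                   # translated, leaves in the clear
    print("with route-map:", forward(reply, route_map_ftp_nat))  # untranslated, tunnel
    web = Packet("10.1.2.10", "10.1.1.50", 80, 51001)          # web server reply: ACL 101 deny
    print("web reply     :", forward(web))
    inet = Packet(SFTP_SERVER, "203.0.113.7", 22, 4000)        # Internet SFTP client still works
    print("internet sftp :", forward(inet, route_map_ftp_nat))
```

The model also shows why the web, database and remote desktop servers were never affected: their replies go through the dynamic entry, which ACL 101 already exempts, while the SFTP server's replies were caught by the static entry first. After changing the static entry on a real router, the old translation stays in the NAT table until it ages out or is cleared, which is why the suggestion above to clear the translation table before testing matters.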

droeun141 Tue, 04/06/2010 - 09:51

What's the purpose of the extendable option in this setup? I've been digging around the web but still can't seem to wrap my head around it.

Federico Coto F... Tue, 04/06/2010 - 12:53

You know, I don't remember right now what the extendable option is supposed to do, but in my experience it just does not make any difference whether you have it or not.

Federico.
