Multi Client VPNs with Overlapping Networks

Unanswered Question
May 5th, 2010
User Badges:

I have a need to have several L2L vpns to different clients.  I have built the vpns under a single crypto map, but an issue has come up.


One of my clients requires me to NAT my inside address to my public address as he shares the same LAN subnet as I do.


Another of my clients shares the same subnet and wants me to NAT my internal IP to a specific subnet address within the same network.


How do I accomplish this?  I basically need to NAT my inside 10.10.x.x network for client B to 10.129.x.x.


I assume I will be using NAT ( ip nat inside source static network 10.10.x.x 10.129.x.x /24), but is there anyway to specify this nat statement for only this customer?  I assume any new customers will require similar juggling.


TIA

Federico Coto F... Wed, 05/05/2010 - 10:55
User Badges:
  • Green, 3000 points or more

Todd,


You can assign a route-map to the STATIC NAT to specify that the rule takes place only when going to a specific customer


ip nat inside source static network 10.10.x.x 10.129.x.x /24 route-map Customer_1


route-map Customer_1

  match ip address 199

  set ip next-hop x.x.x.x


The above STATIC NAT will only happen when ACL 199 matches the traffic (so you can specify the network to the remote VPN).


Federico.

toddmanger Wed, 05/05/2010 - 11:06
User Badges:

Thank you Federico,


I can do this for each unique situation?  So I could conceivably have many NAT statements as indicated above, each pointing to a different Route-map?


Thanks again.

Federico Coto F... Wed, 05/05/2010 - 11:10
User Badges:
  • Green, 3000 points or more

Yes, and not necessarily a different route map, but a different ACL to properly identify the traffic.


Federico.

toddmanger Wed, 05/05/2010 - 11:12
User Badges:

I hate to ask, but could I bother you for a short config example?  I am afraid I am a little out of my league with this.


Thank you

Federico Coto F... Wed, 05/05/2010 - 11:19
User Badges:
  • Green, 3000 points or more

No problem, for example:
Let's say that you have two tunnels with two sites:


Your side:
192.168.1.0/24
Remote side1:
192.168.2.0/24
Remote side2:
192.168.3.0/24


You want to NAT your traffic to 10.1.1.0/24 when going to side1 and to 10.2.2.0/24 when going to side2.


ip access-list extended 198
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended 199
  permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255


route-map Customer_1
  match ip address 198
  set ip next-hop x.x.x.x
route-map Customer_2
  match ip address 199
  set ip next-hop x.x.x.x


ip nat inside source static network 192.168.1.0 10.1.1.0 /24 route-map Customer_1
ip nat inside source static network 192.168.1.0 10.2.2.0 /24 route-map Customer_2


Then, the interesting traffic will be from 10.1.x.0/24 to the remote sites.

Federico.

toddmanger Thu, 05/06/2010 - 08:23
User Badges:

OK,


I have tried to get this configured and I cannot get the tunnel to come up.  I am including a scrubbed config if you wouldnt mind taking a look.


Current configuration : 2993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret xxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
!
!
aaa session-id common
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 XXXXXXXXX address 206.xx.xx.xx
crypto isakmp key XXXXXXXXXX address 12.xx.xx.xx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN1-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.xx.xx.xx
set transform-set VPN1-VPN
match address 100
crypto map VPN 2 ipsec-isakmp
set peer 12.xxx.xx.xx
set transform-set VPN2-VPN
match address 101
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24

interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# DS1IT 14436097
no ip address
ip virtual-reassembly
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source route-map VPN1 interface FastEthernet0/1 overload
ip nat inside source static 10.10.xxx.xxx 10.129.40.0 route-map VPN2MAP
!
no logging trap
access-list 100 permit ip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any administratively-prohibited
access-list 101 permit ip any any
!
!
!
!
route-map VPN1 permit 10
match ip address 100
!
route-map VPN2 permit 10
match ip address 101
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
end



Any help is greatly appreciated.

Federico Coto F... Thu, 05/06/2010 - 08:32
User Badges:
  • Green, 3000 points or more

Some questions:


1. Which tunnel is not coming up? I see two (206.xx.xx.xx and 12.xxx.xx.xx)
2. For the first peer, you're sending all IP traffic (ACL 100); in this way no traffic will ever be sent through the second tunnel.
3. The route-map VPN2MAP does not show in the config.


Federico.

toddmanger Thu, 05/06/2010 - 08:39
User Badges:

The first peer (VPN 1) is up and works.  The second peer (VPN 2) going to the 12 network will not come up.  This is the peer that requires that my 10.10.x.x network be NAT'd to 10.149.20.x prior to sending.

Federico Coto F... Thu, 05/06/2010 - 08:52
User Badges:
  • Green, 3000 points or more

Todd,


One of the problems is that the ACL for interesting traffic for the first tunnel is sending "ip any any".

It means that all IP traffic is being sent through the tunnel that is already established.


There's no traffic that's going to be sent through the second tunnel.


What you need to do is:

1. Define only the interesting traffic that should be sent through the first tunnel (only between the appropriate networks)

2. Define the traffic for the second tunnel as well.


Federico.

toddmanger Thu, 05/06/2010 - 09:03
User Badges:

Thank you for the additional help and please excuse my ignorance.


What should that acl look like?  permit ip MY INSIDE ADDRESS SUBNET to CUSTOMER INSIDE ADDRESS SUBNET or CUSTOMER PEER IP?

Federico Coto F... Thu, 05/06/2010 - 09:08
User Badges:
  • Green, 3000 points or more

The crypto ACL should be a different ACL than the NAT ACL.


The crypto ACL (to define the VPN traffic) should be from your internal LAN to the remote LAN. On the remote end it should be a mirror.


The NAT ACL should define which traffic to NAT or to bypass NAT.


So, if your network is 1.1.1.0/24 and the remote network is 2.2.2.0/24

The crypto ACL should be:


access-list 170 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255


And the NAT ACL should be:


access-list 160 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

(In case you want the traffic through the tunnel to bypass NAT)


If you want to NAT the traffic, then the NAT ACL should be defined as permit (and the interesting traffic will not be sourced from the real internal LAN, but from the NATed IPs)


Federico.
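Federico's two rules in the post above, a separate ACL for NAT and for the crypto map, and a crypto ACL written in terms of the NATed source, follow from the IOS inside-to-outside order of operations: inside-source NAT runs before the crypto map is consulted, so the crypto ACL only ever sees the translated packet. The Python model below is an added example, not code from this thread or from Cisco. It walks a packet through wildcard-mask ACL matching, route-map policy NAT and first-match crypto-map selection, and reproduces both the "permit ip any any" starvation Federico pointed out earlier and a crypto ACL that never matches because it names the pre-NAT subnet. The addresses are the thread's; the 10.100.0.0/16 LAN behind the 206.17.98.20 peer is borrowed from Todd's HEDI-NAT-ACL and is only an assumption for illustration, as is the simplified overload translation that ignores ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a model of the IOS inside-to-outside order of operations
# (policy NAT first, crypto map second).  Addresses mirror the thread; the
# 10.100.0.0/16 LAN behind peer 206.17.98.20 is an assumption for illustration.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' where each side is 'any',
    'host A.B.C.D' or 'A.B.C.D W.W.W.W' (the forms used in the thread)."""
    toks = line.split()
    action, rest = toks[0], toks[2:]  # toks[1] is the protocol, always "ip" here

    def take(r):
        if r[0] == "any":
            return "0.0.0.0", "255.255.255.255", r[1:]
        if r[0] == "host":
            return r[1], "0.0.0.0", r[2:]
        return r[0], r[1], r[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, _ = take(rest)
    return Ace(action, src, src_wc, dst, dst_wc)


def acl(*lines: str) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def acl_permits(entries: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class NatRule:
    """'ip nat inside source route-map X ...': translate when the NAT ACL permits.
    A /32 outside network models 'interface ... overload' (every host maps to one
    address, ports ignored); a wider one models a static network translation."""
    nat_acl: List[Ace]
    inside: str
    outside: str

    def translate(self, src: str) -> str:
        inside = ipaddress.ip_network(self.inside)
        outside = ipaddress.ip_network(self.outside)
        if outside.prefixlen == 32:
            return str(outside.network_address)
        host_bits = int(ipaddress.IPv4Address(src)) & int(inside.hostmask)
        return str(ipaddress.IPv4Address(int(outside.network_address) | host_bits))


CryptoEntry = Tuple[int, str, List[Ace]]            # (sequence number, peer, crypto ACL)
Result = Tuple[str, Optional[int], Optional[str]]   # (source on the wire, seq, peer)


def forward(src: str, dst: str, nat_rules: List[NatRule], crypto_map: List[CryptoEntry]) -> Result:
    """Inside-to-outside: NAT runs first, then the crypto map is walked in sequence
    order against the *translated* packet.  (None, None) means no entry matched
    and the packet would leave the outside interface unencrypted."""
    for rule in nat_rules:
        if acl_permits(rule.nat_acl, src, dst):
            src = rule.translate(src)
            break
    for seq, peer, crypto_acl in crypto_map:
        if acl_permits(crypto_acl, src, dst):
            return src, seq, peer
    return src, None, None


def first_attempt() -> Result:
    """Both crypto-map entries match 'ip any any': sequence 2 can never be hit."""
    cmap = [(1, "206.17.98.20", acl("permit ip any any")),
            (2, "12.195.64.10", acl("permit ip any any"))]
    return forward("10.10.10.68", "10.10.131.63", [], cmap)


def crypto_acl_written_pre_nat() -> Result:
    """NAT to 10.129.40.0/24 works, but a crypto ACL sourced from 10.10.10.0/24
    never sees that source, so nothing is ever offered to the tunnel."""
    nat = [NatRule(acl("permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63"), "10.10.10.0/24", "10.129.40.0/24")]
    cmap = [(1, "12.195.64.10", acl("permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63"))]
    return forward("10.10.10.68", "10.10.131.63", nat, cmap)


def working_config() -> Tuple[Result, Result, Result]:
    """One NAT ACL per customer selects the translation; each crypto ACL is
    written in post-NAT terms and mirrors what the remote side expects."""
    nat = [NatRule(acl("permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255"), "10.10.10.0/24", "173.210.58.198/32"),
           NatRule(acl("permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63"), "10.10.10.0/24", "10.129.40.0/24")]
    cmap = [(1, "206.17.98.20", acl("permit ip host 173.210.58.198 10.100.0.0 0.0.255.255")),
            (2, "12.195.64.10", acl("permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63"))]
    return (forward("10.10.10.68", "10.10.131.63", nat, cmap),  # NATed to 10.129.40.68, seq 2
            forward("10.10.10.68", "10.100.5.9", nat, cmap),    # NATed to the outside IP, seq 1
            forward("10.10.10.68", "8.8.8.8", nat, cmap))       # untouched, no tunnel


if __name__ == "__main__":
    print(first_attempt())
    print(crypto_acl_written_pre_nat())
    for r in working_config():
        print(r)
```

Run it directly to print the three cases. `working_config()` is the shape Todd ends up with later in the thread: one NAT ACL and one crypto ACL per customer, every crypto ACL naming the post-NAT source, and the crypto-map sequence numbers only mattering once no entry is a catch-all.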

toddmanger Thu, 05/06/2010 - 09:57
User Badges:

Does this look a little better?


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 [email protected] address 206.17.98.20
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MEDSOLUTIONS-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address HEDI-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS-VPN
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.10.28 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.210.58.197 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex full
speed 100
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip route 12.195.64.10 255.255.255.255 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat inside source route-map HEDI interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.0 10.129.40.0 route-map MEDSOLUTIONS
!
ip access-list extended HEDI-CRYPTO-ACL
permit ip 173.210.58.0 0.0.0.255 206.17.98.0 0.0.0.255
ip access-list extended HEDI-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.10.10.0 0.0.0.255 12.195.64.0 0.0.0.255
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.129.40.0 0.0.0.255 10.10.131.0 0.0.0.255
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map HEDI permit 10
match ip address HEDI-CRYPTO-ACL
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
control-plane
end

Federico Coto F... Thu, 05/06/2010 - 10:27
User Badges:
  • Green, 3000 points or more

Exactly, it looks a lot better.

Are you able to establish both tunnels?


Federico.

toddmanger Thu, 05/06/2010 - 10:39
User Badges:

I have not yet established the tunnels because the first peer is operational in production right now and being used, so I

wanted to make sure that i had the config completely correct before loading it.


Does everything else look ok to you?


Basically, Peer 1 (VPN 1) needs my internal address nat'd to my public address prior to being encrypted, and currently it is working the way it is setup.  Of course, the permit ip any any guarantees that, but also excludes getting the second tunnel properly setup.


Peer 2 (VPN 2) needs to have my internal address nat'd to 10.139.40.0 prior to being encrypted and sent to his network.  The only host in his network that i need to talk to is 10.10.131.63.


Thanks again for all your help.


Todd

toddmanger Thu, 05/06/2010 - 10:53
User Badges:

OK, I took a chance and no joy on either tunnel.


I could not ping either host and the tunnels would not come up.

toddmanger Thu, 05/06/2010 - 11:44
User Badges:

OK.  Below is the current config.  After loading this, I could not ping either VPN from router or desktop.  Both return Destination net unreachable.  Thoughts?



!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 [email protected] address 206.17.98.20
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MEDSOLUTIONS-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address HEDI-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS-VPN
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.210.58.197 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map HEDI interface FastEthernet0/1 overload
ip nat inside source route-map MEDSOLUTIONS-NAT-ACL pool MEDSOLUTIONS
!
ip access-list extended HEDI-CRYPTO-ACL
permit ip any 206.17.98.0 0.0.0.255
ip access-list extended HEDI-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 12.195.64.0 0.0.0.255
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map HEDI permit 10
match ip address HEDI-NAT-ACL
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Federico Coto F... Thu, 05/06/2010 - 10:55
User Badges:
  • Green, 3000 points or more

Basically, Peer 1 (VPN 1) needs my internal address nat'd to my public address prior to being encrypted,
and currently it is working the way it is setup.  Of course, the permit ip any any guarantees that,
but also exludes getting the second tunnel properly setup.


So, for VPN1:


ip access-list extended NAT_VPN_1
  permit ip 10.10.10.0 0.0.0.255 REMOTE_LAN


route-map VPN_1
  match ip address NAT_VPN_1
  set ip next-hop x.x.x.x


ip nat inside source route-map VPN_1 interface FastEthernet0/1 overload


access-list crypto1 permit ip host OUTSIDE_IP REMOTE_LAN


The above configuration, will NAT the traffic from 10.10.10.0/24 to the outside public IP of the router ONLY when going to the REMOTE_LAN



Peer 2 (VPN 2) needs to have my internal address nat'd to 10.139.40.0 prior to being encrypted
and sent to his network.  The only host in his network that i need to talk to is 10.10.131.63.



ip access-list extended NAT_VPN_2
  permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63


route-map VPN_2
  match ip address NAT_VPN_2
  set ip next-hop x.x.x.x


ip nat pool newpool 10.139.40.1 10.139.40.254 netmask 255.255.255.0
ip nat inside source route-map VPN_2 pool newpool


access-list crypto2 permit ip 10.139.40.0 0.0.0.255 REMOTE_LAN


The above configuration will NAT the 10.10.10.0/24 to 10.139.40.0/24 when going to 10.10.131.63


Please check the configuration to see if it meets what you need.


Federico.

toddmanger Fri, 05/07/2010 - 11:59
User Badges:

Hi again,


I am having no luck with this...should be easy.  Here is the config, but the tunnel never comes up.  A fresh pair of eyes is greatly appreciated. 



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10

crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Federico Coto F... Fri, 05/07/2010 - 12:19
User Badges:
  • Green, 3000 points or more

Based on your last post...


We're trying the tunnel to 12.195.64.10

The first thing that should happen is that when the internal LAN 10.10.10.0/24 send
traffic to the remote LAN, it should be NATed to 10.129.40.0/24


ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL

ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS


Change the pool because it cannot start with IP 10.129.40.0 (that's the network address,
should start with 10.129.40.1)


Then, the crypto ACL:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10


The crypto ACL should define the interesting traffic.
The destination should not be the other peer's public IP.
The destination should be the other end's internal LAN (network on the inside side of the
router)


Federico.

toddmanger Fri, 05/07/2010 - 12:29
User Badges:

Thank you and great catch......made the changes and still no joy.

Federico Coto F... Fri, 05/07/2010 - 12:43
User Badges:
  • Green, 3000 points or more

Time to follow the path of the packet to see where is the failure...


Send packets from the machine on 10.10.10.x to the remote LAN.
The packets should get NATed - check this with "sh ip nat trans" and look for the source IP 10.10.10.x
If you see the translation getting built, then you should see the packet getting encrypted: "sh cry ips sa"


From this, let's determine if the problem is with NAT or with encryption.


Federico.

toddmanger Fri, 05/07/2010 - 12:49
User Badges:

It looks like translations are correct, but the tunnel still does not come up.  I even replaced all the ACL to a permit any any (as this is now the only VPN on the this router)



RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.129.40.2:500    173.210.58.198:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

toddmanger Fri, 05/07/2010 - 12:53
User Badges:

Here is my current config:



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tmanger privilege 15 secret 5 $1$9DgB$JABFxEuNr0GzK71L.DNJ9.
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address 101
!
!
!
!
interface Loopback0
ip address 10.129.40.2 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip route 10.10.131.0 255.255.255.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat inside source route-map MEDSOLUTIONS interface Loopback0 overload
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
access-list 101 permit ip any any
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
!
end

Federico Coto F... Fri, 05/07/2010 - 12:56
User Badges:
  • Green, 3000 points or more

We still have the crypto ACL incorrect.


ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10

Instead of 12.195.64.10 (which is the public IP of the VPN peer), you need to define the REMOTE_LAN


What I mean with REMOTE_LAN is the internal subnet that you want to be able to access through the tunnel.

And please post the translation ("sh ip nat trans") when sending a packet from 10.10.10.x to an IP belonging to the REMOTE_LAN


The translation that you attached is an ISAKMP connection.


Federico.

toddmanger Fri, 05/07/2010 - 13:05
User Badges:

if you look at the config, although I left the definitions for MED* there, I basically changed it all to access list 101.


For the nat translations, i ping'd the inside far network (10.10.131.63) from 10.10.10.40 and then on the router did a sh ip nat trans, and that was the output

toddmanger Fri, 05/07/2010 - 13:09
User Badges:

Here is the output after pinging from 10.10.10.x to 10.10.131.63.....see the first line



RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.129.40.2:1     10.10.10.68:1      10.10.131.63:1     10.10.131.63:1
udp 10.129.40.2:500    173.210.58.197:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

Federico Coto F... Fri, 05/07/2010 - 13:19
User Badges:
  • Green, 3000 points or more

Ok,
The 10.10.10.68 is being NATed to 10.129.40.2 when going to 10.10.131.63
This what you want correct?


Don't use a permit ip any any as an ACL to NAT (just define the local subnet instead of any)


The crypto ACL I still see it wrong, this is the line I'm referring to:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
You see what I'm saying?


Also, why is 173.210.58.197 being NATed to 10.129.40.2 when going to 12.195.64.10?
Who is 173.210.58.197? This is ISAKMP traffic being NATed to the remote peer.
The tunnel should be established between 173.210.58.198 and 12.195.64.10


Please post your current NAT and crypto ACLs.


Federico.

toddmanger Fri, 05/07/2010 - 13:26
User Badges:

I altered what you indicated and went away from any any:


Here are the current crypto and nat acls:


ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63


Your first statement is correct:  That is what I want.


I changed the crypto acl to the corrected info.  Does my NAT acl (above) look correct?


173.210.58.198 is my outside public interface.

Federico Coto F... Fri, 05/07/2010 - 13:33
User Badges:
  • Green, 3000 points or more

Looks a lot better now ;-)

Now, we know the translation is taking place correctly.

After that, the encryption should kick in...

Please post now the "sh cry ips sa"


Federico.

toddmanger Fri, 05/07/2010 - 13:38
User Badges:

ok....there is one additional problem.  I do not know that the other peer has been correctly setup.  I gave him 173.210.58.197 as my peer because initially, all my L2L vpns were going to be on one router.  To test this one and limit breaking down the other tunnels, I used another router to test (173.210.58.198).


If we can verify that this looks the way it should, I can load it onto the production router and test.  I can also change this routers public ip to .197 for a quick test.


interface: FastEthernet0/1
    Crypto map tag: VPN, local addr 173.210.58.198

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.129.40.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.131.63/255.255.255.255/0/0)
   current_peer 12.195.64.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 173.210.58.198, remote crypto endpt.: 12.195.64.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
RH2811C#

Federico Coto F... Fri, 05/07/2010 - 13:41
User Badges:
  • Green, 3000 points or more

Correct,


The peer should not point to 173.210.58.197 but to 173.210.58.198 (or change the IP)

The ACLs look fine now, let us know if you can test the connection.


Federico.

toddmanger Fri, 05/07/2010 - 13:45
User Badges:

OK... I changed this router's IP address to .197 (what the peer should be configured for) and ran a ping from 10.10.10.68 and then did a sh cryp ips sa and got this.  Doesn't look like the tunnel is coming up:


RH2811C#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: VPN, local addr 173.210.58.197

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.129.40.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.131.63/255.255.255.255/0/0)
   current_peer 12.195.64.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 173.210.58.197, remote crypto endpt.: 12.195.64.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
RH2811C#

Federico Coto F... Fri, 05/07/2010 - 14:03
User Badges:
  • Green, 3000 points or more

It seems that everything is fine up to the point where the traffic should get encrypted.
The Security Association for phase 2 shows the correct traffic between 10.129.40.0/24 and 10.10.131.63/32
The problem is the same thing we saw when the router's IP was .198
You're sure the remote end is pointing to the .197 IP?

Could you try to bring the tunnel down on both sides and try to re-establish it?


Federico.

toddmanger Fri, 05/07/2010 - 14:07
User Badges:

No, I am not sure that the end point is configured correctly as I have not been able to reach their network admin (to add more frustration to this).  But I will be verifying with him on Monday, and I will let you know.


Thank you so much for all of your help with this.  Now that I see the finished config, I can't believe I was missing it... once we get this up and running, let me know where I can send a bottle of (insert favorite beverage here) to thank you properly.


Todd

Federico Coto F... Fri, 05/07/2010 - 14:09
User Badges:
  • Green, 3000 points or more

Thank you Todd ;-)

Let me know when you check with the other side so we can test the tunnel.


Federico.

toddmanger Mon, 05/10/2010 - 09:45
User Badges:

Good morning.


UPDATE:


I have the tunnel established, but I am not able to connect to the host inside my clients network.  Thoughts on what I should be looking for?

Federico Coto F... Mon, 05/10/2010 - 13:01
User Badges:
  • Green, 3000 points or more

Todd,


If the VPN is establishing correctly, check the following:

Output of the command "sh cry ips sa"

  

Make sure you have packets encrypted/decrypted for the networks on both sides of the tunnel.

For example, the output should show both packets encrypted and decrypted.

If you only see encrypted it means your side is sending packets but not receiving and if you see only decrypted is the other way around.


From there we can see where the problem is.


Federico.
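To make the check Federico describes repeatable, here is an added example (not code from the thread) that parses the text of "show crypto ipsec sa" and classifies each SA from its counters: no SA at all, encrypt-only, decrypt-only, or healthy. SAMPLE_NO_SA is the output Todd posted earlier in the thread; the one-way and healthy samples are constructed from it by editing the counters and SPI, and the hint strings are this example's own wording, not IOS messages.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: parse 'show crypto ipsec sa' and classify each SA the way
# Federico's post describes.  SAMPLE_NO_SA is the output Todd posted; the
# other two samples are constructed from it for illustration.


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: str

    def state(self) -> str:
        # No outbound SPI (0x0) or no packets either way: phase 2 never completed.
        if self.outbound_spi.startswith("0x0(") or (self.encaps == 0 and self.decaps == 0):
            return "no-sa"
        if self.decaps == 0:
            return "one-way-outbound"
        if self.encaps == 0:
            return "one-way-inbound"
        return "healthy"


HINTS = {
    "no-sa": "phase 2 never completed: check 'show crypto isakmp sa', the peer addresses "
             "on both ends, and that the crypto ACLs mirror each other",
    "one-way-outbound": "we encrypt but receive nothing: the remote side is not sending, or "
                        "its crypto ACL/NAT/routing for our (post-NAT) subnet is wrong",
    "one-way-inbound": "we decrypt but send nothing: our NAT ACL, crypto ACL or routing keeps "
                       "replies out of the tunnel",
    "healthy": "packets encrypted and decrypted in both directions",
}


def _field(pattern: str, chunk: str, default: str = "") -> str:
    m = re.search(pattern, chunk)
    return m.group(1) if m else default


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'protected vrf:' block in the command output."""
    starts = [m.start() for m in re.finditer(r"protected vrf:", text)]
    sas = []
    for s, e in zip(starts, starts[1:] + [len(text)]):
        chunk = text[s:e]
        sas.append(IpsecSa(
            local_ident=_field(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk),
            remote_ident=_field(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk),
            peer=_field(r"current_peer (\S+) port", chunk),
            encaps=int(_field(r"#pkts encaps: (\d+)", chunk, "0")),
            decaps=int(_field(r"#pkts decaps: (\d+)", chunk, "0")),
            send_errors=int(_field(r"#send errors (\d+)", chunk, "0")),
            outbound_spi=_field(r"current outbound spi: (\S+)", chunk, "0x0(0)"),
        ))
    return sas


def diagnose(text: str) -> List[str]:
    """One human-readable line per SA: selectors, peer, state and a hint."""
    return [f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer}: {sa.state()} ({HINTS[sa.state()]})"
            for sa in parse_show_crypto_ipsec_sa(text)]


# Todd's posted output, verbatim apart from trimming the empty SA sections.
SAMPLE_NO_SA = """interface: FastEthernet0/1
    Crypto map tag: VPN, local addr 173.210.58.197

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.129.40.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.131.63/255.255.255.255/0/0)
   current_peer 12.195.64.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 173.210.58.197, remote crypto endpt.: 12.195.64.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
"""

# Constructed variants: counters and SPI edited to show the other states.
SAMPLE_ONE_WAY = SAMPLE_NO_SA.replace("#pkts encaps: 0", "#pkts encaps: 37").replace(
    "current outbound spi: 0x0(0)", "current outbound spi: 0x3A1B2C4D(974859341)")
SAMPLE_HEALTHY = SAMPLE_ONE_WAY.replace("#pkts decaps: 0", "#pkts decaps: 35")


if __name__ == "__main__":
    for sample in (SAMPLE_NO_SA, SAMPLE_ONE_WAY, SAMPLE_HEALTHY):
        for line in diagnose(sample):
            print(line)
```

Paste the real command output into `diagnose()`; with several customers on one crypto map it reports one line per SA, which is the quickest way to see which peer's selectors are being negotiated and whether traffic is moving in both directions.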

toddmanger Mon, 05/10/2010 - 13:17
User Badges:

Federico,


Thank you for the help.  I did get it working.  Config posted below.  Notice the route statements.



crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address MEDSOL-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description INSIDE LAN INTERFACE
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 10.10.131.63 255.255.255.255 12.195.64.10
ip route 12.195.64.10 255.255.255.255 173.210.58.193
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat pool MEDSOL 10.129.40.1 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOL
!
ip access-list extended MEDSOL-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended MEDSOL-NAT-ACL
deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOL-NAT-ACL
!

Federico Coto F... Mon, 05/10/2010 - 13:48
User Badges:
  • Green, 3000 points or more

Todd,


Is it working fine now?

In theory you don't need this route:


ip route 10.10.131.63 255.255.255.255 12.195.64.10


You would need this:


ip route 10.10.131.63 255.255.255.255 173.210.58.193
ip route 12.195.64.10 255.255.255.255 173.210.58.193


But anyway, is it working now?


Federico.

toddmanger Mon, 05/10/2010 - 13:52
User Badges:

Federico,


It is working now.  I know I shouldn't need that route, but removing either of them drops the tunnel.  I thought it may be because the 12.x.x.x peer is not a public IP address, but I will try routing both to my public as you intimated.


Thanks


Todd

Federico Coto F... Mon, 05/10/2010 - 13:56
User Badges:
  • Green, 3000 points or more

Todd,


I'm not suggesting you to do it  ;-)

But if you delete this route:


ip route 10.10.131.63 255.255.255.255 12.195.64.10


Everything should continue working because traffic to 10.10.131.63 will fall to the default gateway and work.

In theory the above route is not doing anything, because you don't have a next-hop of 12.195.64.10; it is just the VPN peer address.


Anyway, glad that it is working ;-)


Federico.
