05-06-2010 11:58 PM
I've read the Cisco document 'Router and VPN Configuration for Public Internet on a Stick Configuration Example' and I've got a couple of questions.
Below is my config that I've built using the above example. I know the VPN side of it works, as I've butchered my existing configuration.
My problem comes in understanding what IP address to give the Loopback interface, and whether I need to give it a static NAT translation like my other entries?
My internal network is in the range 192.168.0.1 - 192.168.0.8
The VPN gives out the IP pool 192.168.1.1 - 192.168.1.19
What should the Loopback interface be (I've currently got this as 192.168.2.1)?
If someone could take a quick look at the below and see if I've got any errors, that would be great (if I do need to include a static NAT translation for the Loopback interface, would it simply be: ip nat inside source static 192.168.2.1 78.105.111.102 ?)
Thanks
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2651xm
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8K/M$mPKgykdzMNoav0TuHJFrG0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip domain name casezero.net
ip name-server 78.105.111.96
ip name-server 87.194.255.154
!
multilink bundle-name authenticated
!
!
!
username XXX privilege 15 password 0 XXX
!
vlan internal allocation policy ascending
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ezvpn
key XXX
pool SDM_POOL_1
max-users 5
max-logins 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
description Interface$ETH-WAN$
ip address 78.105.111.95 255.255.248.0
ip nat outside
ip policy route-map VPN-Client
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description Interface$ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.19
ip default-gateway 78.105.104.1
ip route 0.0.0.0 0.0.0.0 78.105.104.1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static 192.168.0.2 78.105.111.96
ip nat inside source static 192.168.0.3 78.105.111.97
ip nat inside source static 192.168.0.4 78.105.111.98
ip nat inside source static 192.168.0.5 78.105.111.99
ip nat inside source static 192.168.0.6 78.105.111.100
ip nat inside source static 192.168.0.7 78.105.111.101
ip nat inside source static 192.168.0.8 78.105.111.102
!
access-list 101 permit ip any any
!
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
!
route-map VPN-Client permit 10
match ip address 144
set interface Loopback0
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
!
end
05-07-2010 12:07 AM
The Loopback interface IP address has already been configured correctly. It needs to be unique.
Minor changes to be done on the route-map:
- Currently you have "set interface Loopback0"
- You would need to change it to "set ip next-hop 192.168.2.2"
And, no, you don't need to configure any other static translation, because you already have ACL 101 for the translation, which basically covers the IP pool subnet to be NATed.
However, you might want to configure NAT exemption so your VPN client can access the internal network.
ACL 101 should be changed to as follows:
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Hope that helps.
05-07-2010 12:16 AM
Thank you for the quick response -
When you say:
'set ip next-hop 192.168.2.2' - where is this going, as I've got nothing that has this IP address?
my internal network is 192.168.0.1 -
my VPN network is 192.168.1.0 -
my Loopback interface has 192.168.2.1, but nothing has the address 192.168.2.2, so where would the traffic be hopping to?
05-07-2010 12:24 AM
Yup, it's just a virtual IP in the same subnet as your loopback interface, basically to make the traffic route through the loopback interface, because that interface has "ip nat inside", and then it will be routed towards the external interface that has "ip nat outside" so it can be NATed.
For NAT to happen, it needs to go through an interface with "ip nat inside" and then one with "ip nat outside". If we don't route it through the loopback interface, the outside interface is just "ip nat outside", so NATing for the VPN client will not work.
05-07-2010 12:28 AM
OK, thanks. One final question.
If I'm not translating the loopback IP through a static NAT translation, then what external IP address will the outside world see?
05-07-2010 02:09 AM
The VPN IP Pool subnet will be PATed to your router FastEthernet0/0 interface ip address (78.105.111.95) when they are accessing the Internet.
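The replies above make three points that are easy to get wrong when reading a NAT-on-a-stick config: the dynamic rule only fires on an "ip nat inside" to "ip nat outside" path (hence the loopback detour for decrypted VPN-client packets), ACL 101 is evaluated first-match with wildcard masks (so the leading deny becomes a NAT exemption for LAN-to-VPN traffic), and anything that does get translated is PATed to the FastEthernet0/0 address. The following Python model, added here as an illustration and not taken from the thread or from Cisco, walks a few constructed flows through exactly those decisions using the addresses, interface roles and ACL lines from the posted config and the reply. It models only the `ip nat inside source list 101 ... overload` rule; the static `ip nat inside source static` entries are deliberately left out, so the LAN host 192.168.0.50 used below is a constructed address with no static entry.

```python
"""Model of the NAT decisions discussed in the thread (added illustration).

Evaluates Cisco-style numbered ACLs (first match wins, wildcard masks) and
then applies the single dynamic rule from the posted config:
    ip nat inside source list 101 interface FastEthernet0/0 overload
Static 'ip nat inside source static' entries are intentionally not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# ACL 101 as posted originally, and as proposed in the reply.
ACL_ORIGINAL = "access-list 101 permit ip any any"
ACL_PROPOSED = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Interface NAT roles and addresses from the posted config.
NAT_ROLE = {"Loopback0": "inside", "FastEthernet0/0": "outside", "FastEthernet0/1": "inside"}
PAT_ADDRESS = "78.105.111.95"                       # Fa0/0, used by 'overload'
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")   # SDM_POOL_1 lives in here
LAN = ipaddress.ip_network("192.168.0.0/24")        # Fa0/1 subnet


@dataclass
class AclEntry:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _parse_addr(tokens, i):
    """Return (address, wildcard, next index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines of the form: access-list <n> <permit|deny> ip <src> <dst>."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'ignore this bit' when comparing."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def nat_ingress(src: str) -> str:
    """Interface a packet counts as arriving on for NAT purposes. Decrypted
    VPN-client packets are policy-routed (route-map VPN-Client, ACL 144) via
    Loopback0, which is 'ip nat inside'; LAN hosts arrive on Fa0/1."""
    ip = ipaddress.ip_address(src)
    if ip in VPN_POOL:
        return "Loopback0"
    if ip in LAN:
        return "FastEthernet0/1"
    return "FastEthernet0/0"


def egress_for(dst: str) -> str:
    """LAN destinations leave via Fa0/1; the Internet and the VPN clients'
    tunnel endpoint (reverse-route) are reached via Fa0/0."""
    return "FastEthernet0/1" if ipaddress.ip_address(dst) in LAN else "FastEthernet0/0"


def source_seen_on_wire(acl_text: str, src: str, dst: str) -> str:
    """Source address after the dynamic 'inside source list 101 ... overload' rule."""
    entries = parse_acl(acl_text)
    inside_to_outside = (NAT_ROLE[nat_ingress(src)] == "inside"
                         and NAT_ROLE[egress_for(dst)] == "outside")
    if inside_to_outside and acl_permits(entries, src, dst):
        return PAT_ADDRESS
    return src


if __name__ == "__main__":
    # Constructed flows: a VPN client from SDM_POOL_1 and a LAN host (.50)
    # chosen so that it has no static NAT entry in the posted config.
    print(source_seen_on_wire(ACL_PROPOSED, "192.168.1.5", "198.51.100.10"))  # PATed to Fa0/0
    print(source_seen_on_wire(ACL_ORIGINAL, "192.168.0.50", "192.168.1.5"))  # wrongly PATed
    print(source_seen_on_wire(ACL_PROPOSED, "192.168.0.50", "192.168.1.5"))  # exempt, untouched
```

The second and third calls show why the reply adds the deny line: with the original `permit ip any any`, a LAN host answering a VPN client has its source rewritten to 78.105.111.95 before encryption, so the client never sees a reply from the address it contacted; with the deny in place the packet leaves unchanged. The first call is the case the last reply describes, a VPN client reaching the Internet with the router's FastEthernet0/0 address as its source.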