Site-To-Site VPN using Cisco 871 on both ends

Answered Question

I would like to set up a Site-To-Site VPN using Cisco 871 models on both ends but am having a hard time configuring it. Can anyone tell me how to do this, or if you know of any link that can help me set it up as soon as possible?

I can learn this, but it is the timing that prevents me from making it work. The other end is already configured to provide Internet access to all users.

Federico Coto F... Mon, 05/31/2010 - 13:35

Hi Tom,

Definitely you can configure a Site-to-Site VPN between two 871s (assuming that both routers are running a crypto image).

You can do it via CLI, but if you have SDM on the routers, it's easier (I believe that you can follow the VPN wizard).

Federico.

Thanks for the quick response.

Yes, I am aware that it can be done and I am up for the challenge, but the urgency of the work is what is important now, and I don't want to mess up the currently running router used as a gateway on the other end.

I have done it with other brands but this is new to me, and a walkthrough will be very beneficial. I am currently trying to understand how the CLI and commands work.

If you would be so kind as to guide me through the steps, I will really appreciate it.

Federico Coto F... Mon, 05/31/2010 - 13:58

Tom,

Router A

access-list 177 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto isakmp policy 10
encry aes
hash sha
authentication pre-share   --> needed so the pre-shared key below is used (the IOS default is RSA signatures)
group 2

crypto isakmp key <pre-shared-key> address x.x.x.x --> public IP of the remote 871; use the same key on both routers

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer x.x.x.x   --> public IP of the remote 871
set transform-set myset
match address 177

interface (internet-facing)
crypto map mymap

Important notes:

The configuration on the other router has to be a mirror of this configuration.

Make sure there's not an ACL 177 already in the configuration.

If you're doing NAT on these routers we need additional commands.

Let me know.

Federico.

Federico Coto F... Mon, 05/31/2010 - 14:05

Tom,

sh run | i ip nat

Will show you if there's NAT configuration or not.

Are both routers connected to the Internet and with public IP addresses?

Federico.

Federico Coto F... Mon, 05/31/2010 - 14:21

Besides the commands that I sent you, you should add:

access-list 178 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.1.1.0 0.0.0.255 any

no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload

Notes:
I am assuming that the internal LAN on this side is 10.1.1.0/24 and the remote LAN is 192.168.1.0/24.
You should change those network statements to the correct addressing scheme.

Also,
I removed your current NAT statement to include an extended ACL that allows the VPN traffic to bypass NAT.

The crypto map will be applied to Fast4

If you want, you can send me your current configuration.

Federico.

Federico Coto F... Mon, 05/31/2010 - 14:34

The easiest way is to do a ''sh run'' on the CLI and copy/paste the output into Notepad (make sure it is the entire output; press the space bar until you get the router prompt again).

Federico.

Here is the configuration of the router... the other router we can do whatever we want to; it does not contain anything.

What I want to do is have a Site-To-Site VPN that will allow both ends to communicate with their assigned IPs.

Allow router configuration from the Internet, because I need to manage it remotely once configured. Those routers will be located on separate islands.

Allow DNS to flow out/forward queries coming from 10.193.12.100

Allow DNS to flow out/forward queries from 10.193.12.101

Allow 10.193.12.198 unlimited access to the Internet

User Access Verification

Password:
Server02#show run
Building configuration...

Current configuration : 4316 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$NKNq$1KTpsasdfsfdsSERFsfdseSe5.
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2276149109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2276149109
revocation-check none
rsakeypair TP-self-signed-2276149109
!
!
crypto pki certificate chain TP-self-signed-2276149109
certificate self-signed 01
        quit
ip cef
!
!
!
!
no ip domain lookup
ip domain name thecarenage.com
ip name-server 205.214.192.201
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$RJej$kJiDpmp6aslksdjfsdjUHHkhss.
username admin privilege 15 secret 5 $1$wsdfHyus7Hfdlsknd&jjlewU7snfnwG,
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 196.1.161.102 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.193.12.73 255.255.252.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
network 10.0.0.0
network 196.1.161.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.1.161.97
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended test
permit tcp host 10.193.15.169 host 196.1.161.97
permit ip host 10.193.15.169 host 196.1.161.97
permit tcp host 10.193.12.100 host 196.1.161.97
!
access-list 1 permit 10.193.15.198
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK STAR

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!

scheduler max-task-time 5000
end

Federico Coto F... Mon, 05/31/2010 - 15:09

access-list 177 permit ip 10.193.12.73 0.0.3.255 192.168.1.0 0.0.0.255  --> change for remote LAN

access-list 178 deny ip 10.193.12.73 0.0.3.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.193.12.73 0.0.3.255 any

no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload


crypto isakmp policy 10
encry aes
hash sha
authentication pre-share   --> needed so the pre-shared key below is used (the IOS default is RSA signatures)
group 2

crypto isakmp key <pre-shared-key> address x.x.x.x --> public IP of the remote 871; use the same key on both routers

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer x.x.x.x   --> public IP of the remote 871
set transform-set myset
match address 177

interface fast4
crypto map mymap

This is for the VPN configuration.

Federico.

Thanks Federico.

Here's what to do specifically.

LAN (10.0.0.0/24) --> Router1 (196.1.161.65)  <------------Internet VPN------------------->Router2(196.1.161.66) <-------- LAN (10.193.12.0/22)

So if you can tell me the configuration of each then I will really appreciate it.

Router1 VPN config

blah

blah

blah

Router2 VPN Config (I'm assuming the previous configuration you sent is for this one? This is the router on which I don't want to lose any current configuration.)

blah

blah

blah

Thank you for your help and really appreciate the support.

Correct Answer
Federico Coto F... Mon, 05/31/2010 - 19:38

Tom,

########################################################################################

Router 1 VPN config:

Internal = 10.0.0.0/24
Public = 196.1.161.65

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 102 interface (check the outside interface's name) overload

crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2

crypto isakmp key cisco123 address 196.1.161.66

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.66
set transform-set myset
match address 101

interface (check the inside interface's name)
ip nat inside

interface (check the outside interface's name)
ip nat outside
crypto map mymap

########################################################################################


Router 2 VPN config:

Internal = 10.193.12.0/22
Public = 196.1.161.66

access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255

access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any

ip nat inside source list 102 interface fast4 overload

crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2

crypto isakmp key cisco123 address 196.1.161.65

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.65
set transform-set myset
match address 101

interface vlan1
ip nat inside

interface fast4
ip nat outside
crypto map mymap

########################################################################################


The above is a configuration example.
It is always recommended to change the pre-shared-key to something else.

Federico.
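To check that two site configs like the ones above really mirror each other before pushing them, here is an added Python example (not from the thread or from Cisco) that parses the relevant lines of both sides and verifies the peer and pre-shared-key cross-references, the crypto ACL mirror, and the NAT exemption ordering; FastEthernet4 is assumed as Router 1's outside interface name.

```python
import ipaddress

def wc_net(addr, wildcard):
    # IOS address + wildcard -> IPv4Network (the wildcard is the inverted mask)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    # Collect ACL entries, the peer, the PSK table and which ACL is crypto / NAT
    r = {"acls": {}, "peer": None, "keys": {}, "crypto_acl": None, "nat_acl": None}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "access-list":           # access-list N permit|deny ip SRC WC DST [WC]
            dst = "any" if w[6] == "any" else wc_net(w[6], w[7])
            r["acls"].setdefault(w[1], []).append((w[2], wc_net(w[4], w[5]), dst))
        elif w[:2] == ["set", "peer"]:
            r["peer"] = w[2]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            r["keys"][w[5]] = w[3]          # PSK indexed by the remote peer address
        elif w[:2] == ["match", "address"]:
            r["crypto_acl"] = w[2]
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            r["nat_acl"] = w[5]
    return r

def check_pair(cfg_a, pub_a, cfg_b, pub_b):
    # Returns the problems found; an empty list means the two sides mirror correctly
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if (a["peer"], b["peer"]) != (pub_b, pub_a):
        problems.append("set peer must name the other site's public IP")
    if a["keys"].get(pub_b) is None or a["keys"].get(pub_b) != b["keys"].get(pub_a):
        problems.append("pre-shared key must match and be bound to the remote peer address")
    ca, cb = [[(s, d) for _, s, d in x["acls"].get(x["crypto_acl"], [])] for x in (a, b)]
    if not ca or ca != [(d, s) for s, d in cb]:
        problems.append("crypto ACLs are not mirror images of each other")
    for side, crypto in ((a, ca), (b, cb)):  # NAT exemption: deny VPN traffic before the permit
        nat = side["acls"].get(side["nat_acl"], [])
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        exempt = [(s, d) for _, s, d in nat[:first_permit]]
        if any(pair not in exempt for pair in crypto):
            problems.append("NAT ACL must deny the VPN traffic before permitting the rest")
    return problems

# Constructed sample: the relevant lines of the two site configs from the thread
R1 = """access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet4 overload
crypto isakmp key cisco123 address 196.1.161.66
set peer 196.1.161.66
match address 101"""
R2 = """access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any
ip nat inside source list 102 interface fast4 overload
crypto isakmp key cisco123 address 196.1.161.65
set peer 196.1.161.65
match address 101"""
```

Running `check_pair(R1, "196.1.161.65", R2, "196.1.161.66")` on the pair above returns an empty list; feeding the same config to both sides reports the peer, key and mirror problems.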

Hi Federico,

I was having a hard time configuring the devices and testing them. If I could just be allowed to RDP to the remote server like below, then I would get results much faster.

Can you help me again?

RDP to office network 196.1.65.54 ( cisco router) ---> (tunnel) 10.193.12.17(RDP Server)

Please give me the whole commands to do it.

Correct Answer
Federico Coto F... Wed, 06/02/2010 - 11:07

Tom,

You want to be able to RDP to 10.193.12.17 from the other side?

If the tunnel is not configured yet, then an easy way to do this is to configure a port redirection for port 3389 on the router.

On the 196.1.65.54 Cisco router

ip nat inside source static tcp 10.193.12.17 3389 196.1.65.54 3389

In this way, when you connect via RDP to the router (196.1.65.54), the router will redirect this connection to the internal RDP server (10.193.12.17).

Is this what you're looking for?

Federico.

OK,

I have a VPN and NAT configured; now I added some ACLs and I'm not getting DHCP to assign IP addresses on the remote client side. I'm sure I'm missing something, so I tried removing the remotein ACL and it works. I would like to implement it with the restrictions in the remotein ACL.

Can anyone provide a simple example on how to do it?

Here is my config

R1#sh run
Building configuration...

Current configuration : 5463 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1597452845
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1597452845
revocation-check none
rsakeypair TP-self-signed-1597452845
!
!
crypto pki certificate chain TP-self-signed-1597452845
certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.2
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   dns-server 205.214.192.201 205.214.192.201
   domain-name 208.67.222.222
   netbios-name-server 10.193.12.100
!
!
ip cef
ip domain name yourdomain.com
ip name-server 1.1.1.1
ip name-server 2.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 secret
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key shared-secret address 200.200.200.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 200.200.200.1
set peer 200.200.200.1
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip access-group remotein in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet4 overload
!
ip access-list extended remotein
permit udp any host 10.10.10.1 eq bootps bootpc
permit ip host 10.10.10.2 any
permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.7 host 10.10.10.1
permit ip 10.10.10.0 0.0.0.7 host 10.193.15.198
deny   ip any any
!
access-list 100 permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.3.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.3.255
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 101
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
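As an added example (not part of the thread), the small first-match ACL evaluator below runs the posted remotein ACL against constructed packets: a DHCP client's initial DISCOVER is sent from 0.0.0.0 to the broadcast address 255.255.255.255 (UDP 68 to 67), while a renewal is unicast to the server, so the two packets hit different entries; FIXED is a hypothetical variant whose first entry matches DHCP by port rather than by the server's unicast address.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}
# Constructed sample: the remotein ACL from the post, plus a hypothetical variant
REMOTEIN = """permit udp any host 10.10.10.1 eq bootps bootpc
permit ip host 10.10.10.2 any
permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.7 host 10.10.10.1
permit ip 10.10.10.0 0.0.0.7 host 10.193.15.198
deny   ip any any"""
FIXED = "permit udp any eq bootpc any eq bootps\n" + REMOTEIN.split("\n", 1)[1]

def addr_spec(words):
    # Consume one IOS address term: 'any', 'host A' or 'A WILDCARD'
    if words[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return ipaddress.IPv4Network(words[1] + "/32"), words[2:]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(words[1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{words[0]}/{mask}", strict=False), words[2:]

def port_spec(words):
    # Consume an optional 'eq P [P ...]' clause; None means any port
    if not words or words[0] != "eq":
        return None, words
    ports, rest = set(), words[1:]
    while rest and rest[0] not in ("any", "host") and "." not in rest[0]:
        ports.add(PORTS[rest[0]] if rest[0] in PORTS else int(rest[0]))
        rest = rest[1:]
    return ports, rest

def parse_entry(line):
    w = line.split()                      # action proto SRC [eq ...] DST [eq ...]
    action, proto = w[0], w[1]
    src, w = addr_spec(w[2:])
    sports, w = port_spec(w)
    dst, w = addr_spec(w)
    dports, _ = port_spec(w)
    return action, proto, src, sports, dst, dports

def evaluate(acl_text, proto, src, sport, dst, dport):
    # First-match evaluation as IOS does it; returns (action, matching entry)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl_text.strip().splitlines():
        action, p, snet, sports, dnet, dports = parse_entry(line)
        if (p != "ip" and p != proto) or s not in snet or d not in dnet:
            continue
        if (sports and sport not in sports) or (dports and dport not in dports):
            continue
        return action, line
    return "deny", "implicit deny"

# Constructed packets (proto, src, sport, dst, dport): broadcast DISCOVER vs unicast renewal
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
RENEW = ("udp", "10.10.10.3", 68, "10.10.10.1", 67)
```

`evaluate(REMOTEIN, *DISCOVER)` lands on the final `deny ip any any`, while `evaluate(REMOTEIN, *RENEW)` is permitted by the first entry; the same DISCOVER is permitted under FIXED.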
