Site-To-Site VPN using Cisco 871 on both ends

tom.manliclic
Level 1

I would like to setup Site-To-Site VPN using Cisco 871 models on both ends but having a hard time to configure it. Can anyone tell me how to do this or if you know any link that can help me setup as soon as possible?

I can learn this, but it is the timing that prevents me from making it work. The other end is already configured to provide Internet access to all users.

2 Accepted Solutions

Tom,

########################################################################################

Router 1 VPN config:

Internal = 10.0.0.0/24
Public = 196.1.161.65

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 102 interface (check the outside interface's name) overload

crypto isakmp policy 10
encryption 3des
hash sha
group 2

crypto isakmp key cisco123 address 196.1.161.66

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.66
set transform-set myset
match address 101

interface (check the inside interface's name)
ip nat inside

interface (check the outside interface's name)
ip nat outside
crypto map mymap

########################################################################################


Router 2 VPN config:

Internal = 10.193.12.0/22
Public = 196.1.161.66

access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255

access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any

ip nat inside source list 102 interface FastEthernet4 overload

crypto isakmp policy 10
encryption 3des
hash sha
group 2

crypto isakmp key cisco123 address 196.1.161.65

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.65
set transform-set myset
match address 101

interface Vlan1
ip nat inside

interface FastEthernet4
ip nat outside
crypto map mymap

########################################################################################


The above is a configuration example.
It is always recommended to change the pre-shared-key to something else.

Federico.

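An added consistency check, not from the thread and not a Cisco tool: it reads the lines that matter from both ends (sample snippets constructed from the addresses above, with the crypto-map lines shown without their parent), normalizes ACL addresses the way IOS stores them (10.193.12.73 0.0.3.255 becomes 10.193.12.0/22), and reports a pre-shared key or peer address that differs, a crypto ACL that is not the reverse of the remote one, or a NAT ACL that does not deny the tunnelled pair before its permit.

```python
import ipaddress
# Constructed sample (not a full running config): both ends as posted, trimmed to the lines read here.
R1 = """access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
ip nat inside source list 102 interface FastEthernet4 overload
crypto isakmp key cisco123 address 196.1.161.66
set peer 196.1.161.66
match address 101"""
R2 = """access-list 101 permit ip 10.193.12.73 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.193.12.73 0.0.3.255 10.0.0.0 0.0.0.255
ip nat inside source list 102 interface FastEthernet4 overload
crypto isakmp key cisco123 address 196.1.161.65
set peer 196.1.161.65
match address 101"""

def _net(addr, wildcard):
    # IOS keeps only the network bits, so 10.193.12.73 0.0.3.255 is stored as 10.193.12.0/22.
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def parse(cfg):
    # Extended ACL entries (ADDRESS WILDCARD form only) plus the NAT, ISAKMP and crypto-map facts.
    acls, f = {}, {}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:1] == ["access-list"] and w[3] == "ip":
            acls.setdefault(w[1], []).append((w[2], _net(w[4], w[5]), _net(w[6], w[7])))
        elif w[:4] == ["ip", "nat", "inside", "source"]:
            f["nat_acl"] = w[5]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            f["psk"], f["key_peer"] = w[3], w[5]
        elif w[:2] in (["set", "peer"], ["match", "address"]):
            f[w[1]] = w[2]
    return acls, f

def check(cfg_a, cfg_b, pub_a, pub_b):
    # Mismatches between the two ends; an empty list means they mirror each other.
    out, (acl_a, fa), (acl_b, fb) = [], parse(cfg_a), parse(cfg_b)
    if fa["psk"] != fb["psk"]:
        out.append("pre-shared keys differ")
    for side, acls, f, racls, rf, remote in (("A", acl_a, fa, acl_b, fb, pub_b), ("B", acl_b, fb, acl_a, fa, pub_a)):
        if f["peer"] != remote or f["key_peer"] != remote:
            out.append(f"{side}: set peer / isakmp key address must be {remote}")
        pairs = {(s, d) for a, s, d in acls[f["address"]] if a == "permit"}
        mirror = {(d, s) for a, s, d in racls[rf["address"]] if a == "permit"}
        if pairs != mirror:
            out.append(f"{side}: crypto ACL {f['address']} does not mirror the remote one")
        # The NAT ACL must deny the tunnelled pair before it permits, or PAT rewrites the source first.
        first = acls[f["nat_acl"]][0]
        if first[0] != "deny" or first[1:] not in pairs:
            out.append(f"{side}: NAT ACL {f['nat_acl']} does not exempt the VPN traffic first")
    return out
```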

Tom,

You want to be able to RDP to 10.193.12.17 from the other side?

If the tunnel is not configured yet, then an easy way to do this is to configure a port redirection for port 3389 on the router.

On the 196.1.65.54 Cisco router

ip nat inside source static tcp 10.193.12.17 3389 196.1.65.54 3389

In this way, when you connect via RDP to the router (196.1.65.54), the router will redirect this connection to the internal RDP server (10.193.12.17).

Is this what you're looking for?

Federico.


17 Replies

Hi Tom,

Definitely you can configure a Site-to-Site VPN between two 871s (assuming that both routers are running a crypto image).

You can do it via CLI, but if you have SDM on the routers, it's easier (I believe that you can follow the VPN wizard).

Federico.

Thanks for the quick response.

Yes, I am aware that it can be done and I am up for the challenge, but the urgency of the work is what is important now, and I don't want to mess up the currently running router used as a gateway on the other end.

I have done it with other brands but this is new to me and a walkthrough will be very beneficial. I am currently trying to understand how the CLI and commands work.

If you would be so kind as to guide me through the steps, I will really appreciate it.

Tom,

Router A

access-list 177 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto isakmp policy 10

encry aes

hash sha

group 2

crypto isakmp key <pre-shared-key> address x.x.x.x --> same key on both 871s; x.x.x.x is the public IP of the remote 871

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp

set peer x.x.x.x   --> public IP of the remote 871

set transform-set myset

match address 177

interface (internet-facing)

crypto map mymap

Important notes:

The configuration on the other router has to be a mirror of this configuration.

Make sure there's not an ACL 177 already in the configuration.

If you're doing NAT on these routers we need additional commands.

Let me know.

Federico.

I think that is actually what I need, but to ensure I am not going to mess anything up, can you tell me how to check if it is using NAT?

Thanks again for a very quick response.

Tom,

sh run | i ip nat

Will show you if there's NAT configuration or not.

Are both routers connected to the Internet and with public IP addresses?

Federico.

Yes both routers are connected to the Internet and have separate IP Public addresses.

Here is the result of the NAT check

ip nat outside
ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload

Besides the commands that I sent you, you should add:

access-list 178 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.1.1.0 0.0.0.255 any

no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload

Notes:
I am assuming that the internal LAN on this side is 10.1.1.0/24 and the remote LAN is 192.168.1.0/24
You should change those network statements to the correct addressing scheme.

Also,
I removed your current NAT statement and replaced it with one that uses an extended ACL, so the VPN traffic bypasses NAT.

The crypto map will be applied to Fast4

If you want, you can send me your current configuration.

Federico.

Sure. Can you tell me how can I grab the current configuration and send it to you?

Sorry was just caught in a big mess that I need to make it work.

The easiest way is to do a ''sh run'' on the CLI and copy/paste the output into a notepad (make sure it is the entire output; press the space bar until you get the router prompt again).

Federico.

Here is the configuration of the router... the other router we can do whatever we want to; it does not contain anything.

What I wanted to do is have Site-To-Site VPN that will allow both ends to communicate with their assigned IPs.

Allow router configuration from the Internet because I need to manage it remotely once configured. Those routers will be located on separate islands.

Allow DNS to flow out/forward queries coming from 10.193.12.100

Allow DNS to flow out/forward queries from 10.193.12.101

Allow 10.193.12.198 unlimited access to the Internet

User Access Verification

Password:
Server02#show run
Building configuration...

Current configuration : 4316 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$NKNq$1KTpsasdfsfdsSERFsfdseSe5.
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2276149109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2276149109
revocation-check none
rsakeypair TP-self-signed-2276149109
!
!
crypto pki certificate chain TP-self-signed-2276149109
certificate self-signed 01
        quit
ip cef
!
!
!
!
no ip domain lookup
ip domain name thecarenage.com
ip name-server 205.214.192.201
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$RJej$kJiDpmp6aslksdjfsdjUHHkhss.
username admin privilege 15 secret 5 $1$wsdfHyus7Hfdlsknd&jjlewU7snfnwG,
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 196.1.161.102 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.193.12.73 255.255.252.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
network 10.0.0.0
network 196.1.161.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.1.161.97
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended test
permit tcp host 10.193.15.169 host 196.1.161.97
permit ip host 10.193.15.169 host 196.1.161.97
permit tcp host 10.193.12.100 host 196.1.161.97
!
access-list 1 permit 10.193.15.198
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!

scheduler max-task-time 5000
end

access-list 177 permit ip 10.193.12.0 0.0.3.255 192.168.1.0 0.0.0.255  --> change 192.168.1.0/24 to the remote LAN

access-list 178 deny ip 10.193.12.0 0.0.3.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.193.12.0 0.0.3.255 any

no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload


crypto isakmp policy 10
encry aes
hash sha
group 2

crypto isakmp key <pre-shared-key> address x.x.x.x --> same key on both 871s; x.x.x.x is the public IP of the remote 871

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer x.x.x.x   --> public IP of the remote 871
set transform-set myset
match address 177

interface FastEthernet4
crypto map mymap

This is for the VPN configuration.

Federico.

Thanks Federico.

Here's what to do specifically.

LAN (10.0.0.0/24) --> Router1 (196.1.161.65)  <------------Internet VPN------------------->Router2(196.1.161.66) <-------- LAN (10.193.12.0/22)

So if you can tell me the configuration of each then I will really appreciate it.

Router1 VPN config

blah

blah

blah

Router2 VPN Config (I'm assuming the previous configuration you sent is for this one? This is the router that I don't want to lose any current configuration on.)

blah

blah

blah

Thank you for your help and really appreciate the support.


Thanks a lot Federico.

I will try to configure it tomorrow and I'm sure it will work.
