IPSec VPN between two LANs

Unanswered Question
Sep 23rd, 2010

Hello,

I have got a Cisco ASA 5540 at Headquarters and a Cisco 857 ADSL router at the Branch Office with internet up. I have created a site-to-site VPN between the ASA and the branch router and it's working fine.

Please see the attached snap (scenario 1) for referral.

Presently I have assigned public IPs to the remote LAN PCs (Branch Office). Now I am planning to give them a private range (let's say 192.168.4.0/24).

It will be just like a LAN-to-LAN VPN.

What do I have to add in my configuration on the ASA and router to make this possible? I am not very good at VPN connectivity, so I need experts' help and advice.

If something is not clear please let me know.

Thanking in Advance.

Samir Shaikh Thu, 09/23/2010 - 10:33

Hi prapanch,

Thanks for the quick response.

Firstly, please ignore my previous attachment because it has got some IP mistakes.

Here is my router config:

Current configuration : 3748 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hospital
!
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T14.bin
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 $1$I7fD$hFcavQfsBAttAU3kdsCyo0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-514007288
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-514007288
 revocation-check none
 rsakeypair TP-self-signed-514007288
!
!
crypto pki certificate chain TP-self-signed-514007288
 certificate self-signed 01


  quit
dot11 syslog
!
!
ip cef
ip name-server 212.93.x.x
ip name-server 212.93.x.x
!
!
!
username admin privilege 15 password 7 070C2E414B4D0D041C170218
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 11.11.11.14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to11.11.11.14
 set peer 11.11.11.14
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 78.32.95.174 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXX
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 78.32.94.172 0.0.0.7 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 1306181F0E48102B20212127
 login local
!
scheduler max-task-time 5000
end

......................................................................

ASA config:

access-list Outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 78.32.94.172 255.255.255.248
access-list inside_nat0_outbound line 6 extended permit ip 192.168.1.0 255.255.255.0 78.32.94.172 255.255.255.248
tunnel-group 65.34.132.167 type ipsec-l2l
tunnel-group 65.34.132.167 ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 65.34.132.167 (Dynamic IP from ISP)
crypto map Outside_map 1 set transform-set ESP-3DES-SHA

Diego Armando C... Thu, 09/23/2010 - 14:18

In your router you have

access-list 100 permit ip 78.32.94.172 0.0.0.7 192.168.1.0 0.0.0.255

Change it to:

access-list 100 permit ip (new network) 192.168.1.0 0.0.0.255

In the ASA config:

access-list Outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 (new network)

access-list inside_nat0_outbound line 6 extended permit ip 192.168.1.0 255.255.255.0 (new network)

I suppose that you are going to be using NAT for the rest of the traffic, right? Then you will need to do a NO-NAT in the router as well. Do the NAT exception with a route-map.

Diego Armando C... Thu, 09/23/2010 - 14:22

Check the link that Naryanan added. The router is doing a NAT exception with the help of a route-map.

Samir Shaikh Fri, 09/24/2010 - 04:38

Thank you experts for your help and great information.

I will notify if there is any issue faced.

One more thing I have to point out here: do I have to add any route on the ASA?

Samir Shaikh Fri, 09/24/2010 - 05:34

Hi Experts,

I have a default route on the router:

ip route 0.0.0.0 0.0.0.0 Dialer1

So do I have to configure any route for this case?

Jennifer Halim Fri, 09/24/2010 - 05:37

No, you do not need any extra route on the router. The default route on the router will suffice.

Hope that helps.

Samir Shaikh Fri, 09/24/2010 - 06:00

So I don't have to put any route on the router pointing to the ASA outside interface.

Please clarify,

Thanks

Jennifer Halim Fri, 09/24/2010 - 06:05

Yes, you are absolutely right. There is no need for any other extra routes on the router.

Samir Shaikh Fri, 09/24/2010 - 11:50

Hi All,

Here, one question arises in my mind:

Will the PCs (local network) behind the ASA be able to access the remote network (behind the branch office router)?

Samir Shaikh Mon, 09/27/2010 - 03:38

Hello Experts

Please see the attached configuration of Site to Site VPN between Router and ASA.

But I cannot ping and reach the internal network behind the ASA from the Branch Office, and vice versa.

VPN tunnel is established (FYI).

Experts, can you please help with what's wrong in the config?

Jennifer Halim Mon, 09/27/2010 - 03:59

The router configuration is incorrect.

ACL 100, which is the crypto ACL, needs to be the mirror image of the ASA Outside_1_cryptomap ACL.

Router ACL 100 should say:

access-list 100 permit ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255

Router ACL 101 for the NAT statement should say:

access-list 101 deny ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Hope that helps.
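The mirror-image requirement above (and the NO-NAT route-map ACL from the earlier replies) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses one IOS wildcard-mask ACE and one ASA netmask ACE, confirms the crypto ACLs mirror each other, and confirms the NAT route-map ACL denies (exempts) the VPN flow before its permit. The sample ACL lines are constructed from the addresses used in the thread.

```python
import ipaddress

# Constructed sample lines modelled on the thread: the IOS router uses wildcard
# masks, the ASA uses netmasks, and the two crypto ACLs must be mirror images.
ROUTER_CRYPTO_ACE = "access-list 100 permit ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255"
ASA_CRYPTO_ACE = ("access-list Outside_1_cryptomap line 1 extended permit ip "
                  "10.1.2.0 255.255.255.0 192.168.5.0 255.255.255.0")
ROUTER_NAT_ACL = [  # ACL referenced by the router's NAT route-map
    "access-list 101 deny   ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
]

def _net(tokens, wildcard):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard:  # IOS wildcard bits are the inverse of a netmask
        mask = ~mask & 0xFFFFFFFF
    # strict=False tolerates ACEs whose address is not on the subnet boundary
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(mask)}", strict=False)

def parse_ace(line, wildcard):
    """Return (action, src_net, dst_net) for one 'permit|deny ip SRC DST' entry."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    if tokens[idx + 1] != "ip":
        raise ValueError("only protocol 'ip' entries are handled: " + line)
    rest = tokens[idx + 2:]
    return tokens[idx], _net(rest, wildcard), _net(rest, wildcard)

def is_mirror(router_ace, asa_ace):
    """Crypto ACLs must mirror: router SRC/DST equals ASA DST/SRC."""
    _, r_src, r_dst = parse_ace(router_ace, wildcard=True)
    _, a_src, a_dst = parse_ace(asa_ace, wildcard=False)
    return r_src == a_dst and r_dst == a_src

def nat_exempts_vpn(nat_acl, router_crypto_ace):
    """True if the first NAT ACL entry matching the VPN flow is a deny (no-NAT)."""
    _, v_src, v_dst = parse_ace(router_crypto_ace, wildcard=True)
    for line in nat_acl:
        action, src, dst = parse_ace(line, wildcard=True)
        if v_src.subnet_of(src) and v_dst.subnet_of(dst):
            return action == "deny"
    return True  # nothing matches, so the route-map never translates this flow
```

If the deny line is missing from ACL 101, the VPN traffic is translated to the Dialer address before encryption, no longer matches the crypto ACL, and never enters the tunnel, which is the symptom reported in this thread.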

Samir Shaikh Sat, 10/02/2010 - 08:27

Hi Jennifer,

Sorry for the delay in responding back. I did as you said but still I cannot ping the branch PC (192.168.5.2) from my PC (10.1.2.45).

Modified router config (FYI):

interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101

Please can you advise.

Jennifer Halim Sat, 10/02/2010 - 18:38

A few things to check:

1) Is the VPN tunnel up? Can you please share the output of "show cry isa sa" and "show cry ipsec sa".

2) Can you check if the branch PC has any personal firewall that could normally block incoming connections?

Samir Shaikh Sun, 10/03/2010 - 12:38

Hi Jennifer,

Yes, the VPN tunnel is up.

I have checked the personal firewall on the PCs but nothing happened.

Jennifer Halim Sun, 10/03/2010 - 17:35

Can you please share the output of the following after you try to access it:

show cry isa sa

show cry ipsec sa

BTW, can you ping 192.168.5.1?
