site to site tunnel between to WAN locations

JATINDER KUMAR
Level 1

Dear friends, I have a couple of doubts regarding the VPN connectivity between my site and another WAN site.

Can someone please look at the points below and clear my doubts?

1. I have been given a public IP by the remote site, which will be my peer address.

2. On my router I don't have any public IP. I have a machine inside my network which is on a private IP, and I am NATting this private IP to a public IP on the router.

3. Do I need a public IP on the router as well? If yes, should I go for a loopback address? But then how do I protect my router from attacks if I put it on a public IP? I have a default route on my router which points to the ISP router.

4. I am using CCP to configure this, and the errors I am getting are "tunnel down" and a routing error as well.

5. What ACL do I need to create? I just need to allow RDP. Secondly, the protected networks will be my inside and his inside only. Correct me if I am wrong.

Thanks for your time and help.

SRC Cisco 1800 == WAN ==> DSTN Router ==> Check Point VPN device

30 Replies

JATINDER KUMAR
Level 1

Guys, any help? Are these such dumb questions?

Hi Jatinder,

Refer to the link below for IPsec configuration on IOS:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml.

It will be helpful.

Regards,

RV

Dear Rohan,

Can you please provide me with the answers to my queries above, as I have to implement this for a project? Thanks; I will surely go through the link.

Hi Jatinder,

You don't need a public IP on your device for your site; your device is already being seen with a public IP as a result of the NAT.

You need to ensure you have the public IP for the other VPN site, and give the personnel at the other end your public IP within the NAT, not the private one.

The two devices should be able to detect if there is a NAT and reconfigure to use NAT traversal to set up the tunnel.

Are you getting any specific errors during the setup?

Thanks for the reply. Yes, I am getting multiple errors. The first is about routing: as I have a default route to my ISP, do I need some other route? I don't think so; please advise. I am using CCP to configure this, and it's asking for the internal IP to be protected as well, so this will be their LAN.

Will post you the screenshot ASAP.

Any comments, please add.

Hello Jatinder,

You do not need any particular route, just the default one pointing to your default gateway.

I am going to try to respond to all of your queries.

You need a public IP address on the Internet router; you will perform a no-NAT configuration for the communication between the two end networks.

Now, if you only want to allow RDP via the L2L tunnel, you can specify that on the crypto ACL (just match TCP port 3389).

If you want you can provide me the 2 internal networks on both sides an I can try to build an example for you!

Regards,

Do rate all the helpful posts....

Julio

Cisco Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply. Sorry, it took loads of time to get back on this.

OK, first of all my internal networks:

Site A: 10.10.11.3/32, a single machine to be accessed by the second side.

Site B: 172.17.24.169, which is then NATted on their device to another internal IP, but I am asked to do the VPN on this one.

I tried doing this, and below is my config. I think, as suggested by you, I missed a few things:

1. Do I need to remove the NAT from the 11.3 IP? I think you mean yes.

2. I don't have a public IP on the router because of security, so if I configure one on a loopback, are there any best practices to protect it from public attacks?

Thanks for the help. This is a pre-shared-key site-to-site tunnel. One more thing which got a bit odd today: when I configured this, although I didn't do the "no NAT" thing, I don't know from where I got another IP next to the pre-shared key and after the set peer command, which is not from my network nor, I think, from the remote network.

MIRROR CONFIG FROM ROUTER

crypto isakmp policy 1
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 lifetime 3600
 exit
crypto isakmp key XXYYZZ@ address 172.30.7.194   [NOT MY ADDRESS FROM ANY SITE]
crypto ipsec transform-set CLIENT_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
 mode tunnel
 exit
ip access-list extended SDM_1
 remark CCP_ACL Category=4
 remark IPSec Rule
 permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address that connects to this router.
 set transform-set CLIENT_Transformation
 set peer 172.30.7.194   [NOT MY ADDRESS FROM ANY SITE]
 match address SDM_1
 exit

I know I am missing something; please advise. Is it no-NAT, or are there other config mistakes as well, or is it just the public IP on the router? And what is that IP marked above?

I just typed a lot and don't know where it went. Very bad.

Thanks, Julio, for the reply. Now I have to type it all again; it was a lot.

No worries. OK, first, to answer your questions:

Site A: 10.10.11.3/32

Site B: 172.17.24.169/32. This is then NATted to some other private IP, but I am asked to configure the VPN on this one.

Secondly, I don't have any public IP on my router. They are all configured on internal machines, and the router, which acts as the gateway, is doing NAT for the private IPs, and the ISP is routing our public IPs. So there is no direct public IP, and I don't want to give one, but if this is a restriction then I will. Does that mean the public IP of the router will act as the peer, or will the peer IP still be the IP of the internal machine? I don't know, because you were saying above that we have to perform no-NAT, which actually I haven't done, so my 11.3 IP is getting NATted to some public IP and I want to create the tunnel for that specific machine only. So where will my tunnel be: router to Site B, or internal machine to Site B? Please advise.

And now the big confusion. I did the config today, and then when I did the mirror config just to see, I saw some other private IP. Below is my config. The IP next to the pre-shared key and the peer address, I don't know where it came from. Any idea what that is?

172.30.7.194   [NOT MY ADDRESS FROM ANY SITE]

**********

crypto isakmp policy 1
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 lifetime 3600
 exit
crypto isakmp key XXYYZZ#$%^@ address 172.30.7.194
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
 mode tunnel
 exit
ip access-list extended SDM_1
 remark CCP_ACL Category=4
 remark IPSec Rule
 permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address that connects to this router.
 set transform-set client_Transformation
 set peer 172.30.7.194
 match address SDM_1
 exit

Please advise what I am missing. I think, loads now: "no NAT", public IP on the router, and anything else.

Hello Jatinder,

Sorry to hear that you have some issues trying to post this.

OK, first thing: we are going to do a L2L, so the tunnel will be between the devices behind both routers!

Yes, you will need to have a public IP address here, as this will be the peer IP address configured on the other side!

The no-NAT configuration will look like this:

ip access-list e NAT
 deny ip host 10.10.11.3 host 172.17.24.169
 permit ip any any

This is the ACL being used for the NAT!

Hope this helps.

Regards,

Rate all the posts that helps!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, Julio, for the quick reply, though you guys are already sleeping. Anyway, does the config which I posted above make any sense?

And that means I configure the public IP on the router and remove the NAT which is there for the 11.3 IP, so my peer will become the WAN interface/IP of the router.

Secondly, can you please advise how I can protect against attacks, as I know there will be loads of attacks once I put a public IP on an interface, or in my case on a loopback. Hope this will not be an issue.

What is the best practice to protect a public IP on a router?

I am using CCP to configure the VPN; anything from you to add here?

Any idea about the IP 172.30.7.194 which is showing up in my config without me configuring it? What exactly is this?

Hello,

That 172.30.7.194 has got to be a peer for a L2L connection!

To protect your public IP on your router you can use different mechanisms (ACL, control plane protection, management plane protection, uRPF, etc.). There are so many ways you can protect against these attacks, so do not worry about that.

First let's make the VPN tunnel go up; then you can open another question on the security team and I would be more than glad to help.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
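Pulling Julio's three replies together (a public address on the router as the peer, a no-NAT exemption so the static translation of 10.10.11.3 does not fire for tunnel traffic, a crypto ACL limited to TCP/3389, and an ACL in front of the public address), here is an added example of what Site A's 861 could look like. This is not configuration from the thread or from either poster. The addresses 203.0.113.10 (a public address this router owns on Loopback0, which the ISP must route to it), 203.0.113.11 (the existing static NAT of the RDP host), 198.51.100.20 (the remote peer) and the 192.168.100.0/30 uplink are placeholders, FastEthernet4/Vlan1 are assumed interface names, and the remote side must mirror the crypto ACL and transform set.

```cisco
! Added example, not from the thread. Site A router (Vlan1 = 10.10.11.1/24).
! Placeholders: 203.0.113.10 = this router's public address (Loopback0),
! 203.0.113.11 = existing static NAT of the RDP host, 198.51.100.20 = peer.
!
! Phase 1 (IKEv1), same parameters as the posted policy
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXYYZZ address 198.51.100.20
!
! Phase 2: ESP only. AH authenticates the outer IP header, so it breaks
! behind any NAT; NAT traversal encapsulates ESP, not AH.
crypto ipsec transform-set TS_RDP esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only RDP from the Site A host to the Site B host enters the
! tunnel. The remote side must configure the exact mirror image.
ip access-list extended CRYPTO_RDP
 permit tcp host 10.10.11.3 host 172.17.24.169 eq 3389
!
! NAT exemption. IOS translates inside-to-outside traffic before it
! evaluates the crypto map, so the static translation must be skipped for
! tunnel traffic or the crypto ACL never sees the 10.10.11.3 source.
ip access-list extended NONAT
 deny   ip host 10.10.11.3 host 172.17.24.169
 permit ip host 10.10.11.3 any
route-map NAT_EXEMPT permit 10
 match ip address NONAT
! Append "reversible" if Internet hosts must also initiate to 203.0.113.11.
ip nat inside source static 10.10.11.3 203.0.113.11 route-map NAT_EXEMPT
!
! Public address the remote peer talks to. The crypto map is bound to the
! physical uplink but sources IKE and ESP from the loopback.
interface Loopback0
 ip address 203.0.113.10 255.255.255.255
!
crypto map SDM_CMAP_1 local-address Loopback0
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS_RDP
 match address CRYPTO_RDP
!
! What the Internet may send to the public address: IKE (UDP/500), NAT-T
! (UDP/4500) and ESP from the one peer, nothing else. Assumes the LAN does
! not also browse the Internet through this router; if it does, add
! inspection (ip inspect or zone-based firewall) so return traffic passes.
ip access-list extended WAN_IN
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
 deny   ip any any log
!
interface FastEthernet4
 description WAN uplink; the ISP next hop is a private address
 ip address 192.168.100.2 255.255.255.252
 ip access-group WAN_IN in
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

Two things worth checking against the configuration posted earlier in the thread. The posted transform set includes ah-sha-hmac: AH covers the outer IP header, so it cannot pass through any NAT on the path and NAT-T only wraps ESP, which is why the example uses ESP alone. And the crypto ACL with a port match only works if both ends use the same mirrored entry; a plain "permit ip host ... host ..." on one side and a TCP/3389 entry on the other will fail proxy-identity negotiation in Phase 2. To verify, use show crypto isakmp sa (state QM_IDLE once Phase 1 is up), show crypto ipsec sa (#pkts encaps and #pkts decaps counting up), show ip nat translations (no per-flow entry for 10.10.11.3 to 172.17.24.169) and, while testing, debug crypto isakmp.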

Thanks, Julio.

Sorry, I am asking the same question again: do I need two public IPs? When I put the peer IP on a loopback and try to connect, I am getting some errors on routing.

When I do the NAT of the internal machine to the public IP, then my tunnel fails. Really, I am not able to understand what I am missing. Do I need to have a public IP on the physical interface, and on my internal machine as well, or only on the router? I followed this but am not getting it.

Please advise.

http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/

My router is an 861. The Vlan 1 IP is 10.10.11.1, the gateway for 10.10.11.3, which is my internal machine.

I have one default route, which points to the ISP gateway, which is a private IP.

I am doing NAT of the 11.3 IP to a public IP.

Please see the screenshot, if this gives any idea.

Good day,

As I understood it, the router that you configured the VPN on is not facing the Internet, and you have another device facing the Internet on which you did a static NAT to redirect the public IP to your VPN router's interface.

- Why don't you configure NAT on your VPN router?

As I saw from the show run of your VPN router, there is missing config.

My advice is to configure NAT on this router, then create a route-map to exclude your internal traffic on both sides.

Let me know if there are points that I didn't understand.
