Site-to-site tunnel between two WAN locations

Unanswered Question
May 14th, 2012

Dear friends, I have a couple of doubts regarding the VPN connectivity between my site and another WAN site.

Can someone please look at the points below and clear my doubts?

1. I am given a public IP from the remote site, which will be my peer address.

2. On my router I don't have any public IP. I have a machine inside my network which is on a private IP, and I am NATting this private IP onto a public IP on the router.

3. Do I need a public IP on the router also? If yes, should I go for a loopback address? But then how do I protect my router from attacks if I put this on a public IP? I have a default route on my router which points to the ISP router.

4. I am using CCP to configure this, and the errors I am getting are tunnel down and a routing error.

5. What ACL do I need to create? I just need to allow RDP. Secondly, the protected network will be my inside and his inside only; correct me if I am wrong.

Thanks for the time and help.

SRC Cisco 1800 == WAN ==> DSTN Router ==> Checkpoint VPN device

jatinkumar Thu, 05/17/2012 - 04:05

Dear Rohan,

Can you please provide me the answers to my above queries, as I have to implement the same for one project. Thanks. I would surely go through the link.

nikalleyne Thu, 05/17/2012 - 12:48

Hi Jatinder,

You don't need a public IP on your device for your site; your device is already being seen with a public IP as a result of the NAT.

You need to ensure you have the public IP of the other VPN site, and give the personnel at the other end your public IP within the NAT, not the private one.

The two devices should be able to detect if there is a NAT and reconfigure to use NAT traversal to setup the tunnel.

Are you getting any specific errors during the setup?

jatinkumar Fri, 05/18/2012 - 21:55

Thanks for the reply. Yes, I am getting multiple errors. The first is about routing: as I have a default route to my ISP, do I need some other route? I don't think so; please advise. I am using CCP to configure this, and it is asking for the internal IP also to be protected, so this will be their LAN.

Will post you the screenshot ASAP.

Any comments, please add.

Julio Carvaja Sat, 05/19/2012 - 00:21

Hello Jatinder,

You do not need any particular route, just the default one pointing to your default gateway.

I am going to try to respond to all of your queries.

You need a public IP address on the internet router; you will perform a no-NAT configuration for the communication between the two end networks.

Now, if you only want to allow RDP via the L2L tunnel, you can specify that in the crypto ACL (just match TCP port 3389).

If you want, you can provide me the two internal networks on both sides and I can try to build an example for you!

Regards,

Do rate all the helpful posts.

Julio

Cisco Security Engineer

jatinkumar Tue, 05/29/2012 - 12:39

Thanks for the reply. Sorry it took loads of time to get back on this.

OK, first of all my internal networks:

Site A: 10.10.11.3/32, a single machine to be accessed by the second side.

Site B: 172.17.24.169, which is then NATted on the device to another internal IP, but I am asked to do the VPN on this.

I tried doing this and below is my config. I think, as suggested by you, I missed a few things.

1. Do I need to remove the NAT from the 11.3 IP? I think you mean yes.

2. I don't have a public IP on the router because of security. So if I configure one on a loopback, are there any best practices to protect it from public attacks?

Thanks for the help. This is a pre-shared-key site-to-site tunnel. One more thing which got a bit odd today: when I configured this, although I didn't do the "no nat" thing, I don't know from where I got another IP next to the pre-shared key and after the set peer command, which is not from my network nor, I think, from the remote network.

MIRROR CONFIG FROM ROUTER

crypto isakmp policy 1
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 lifetime 3600
 exit
crypto isakmp key XXYYZZ@ address 172.30.7.194  [NOT MY ADDRESS FROM ANY SITE]
crypto ipsec transform-set CLIENT_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
 mode tunnel
 exit
ip access-list extended SDM_1
 remark CCP_ACL Category=4
 remark IPSec Rule
 permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address that connects to this router.
 set transform-set CLIENT_Transformation
 set peer 172.30.7.194  [NOT MY ADDRESS FROM ANY SITE]
 match address SDM_1
 exit

I know I am missing something. Please advise: is it no NAT, or are there other config mistakes also, or is it just the public IP on the router? And what is that IP in red above?

jatinkumar Tue, 05/29/2012 - 12:51

Just typed a lot and don't know where it has gone. Very bad.

Thanks Julio for the reply. Now I have to type it all again; it was a lot.

No worries. OK, first to answer your questions:

Site A: 10.10.11.3/32

Site B: 172.17.24.169/32. This is then NATted to some other private IP, but I am asked to configure the VPN on this.

Secondly, I don't have any public IP on my router; all are configured on internal machines, and the router, which acts as a gateway, is doing NAT for the private IP, and the ISP is routing our public IP. So there is no direct public IP and I don't want to give one, but if this is a restriction then I will. Does that mean the public IP of the router will act as the peer, or will the peer IP still be the IP of the internal machine? I don't know, because you were saying above that we have to perform no NAT, which actually I haven't done. So my 11.3 IP is getting NATted to some public IP and I want to create a tunnel for that specific machine only. So where will my tunnel be: router to site B, or internal machine to site B? Please advise.

And now the big confusion. I did the config today, and then when I did the mirror config just to see, I saw some other private IP. Below is my config. The IP next to the pre-shared key and the peer address, I don't know where it came from. Any idea what that is?

172.30.7.194  [NOT MY ADDRESS FROM ANY SITE]

**********

crypto isakmp policy 1
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 lifetime 3600
 exit
crypto isakmp key XXYYZZ#$%^@ address 172.30.7.194
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
 mode tunnel
 exit
ip access-list extended SDM_1
 remark CCP_ACL Category=4
 remark IPSec Rule
 permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address that connects to this router.
 set transform-set client_Transformation
 set peer 172.30.7.194
 match address SDM_1
 exit

Please advise what I'm missing. Thanks loads. Now: "no nat", a public IP on the router, and anything else?

Julio Carvaja Tue, 05/29/2012 - 13:02

Hello Jatinder,

Sorry to hear that you have some issues trying to post this.

OK, first thing: we are going to do a L2L, so the tunnel will be between the devices behind both routers!

Yes, you will need to have a public IP address here, as this will be the peer IP address configured on the other side!

The No_Nat configuration will look like this:

ip access-list extended NAT
 deny   ip host 10.10.11.3 host 172.17.24.169
 permit ip any any

This is the ACL being used for the NAT!

Hope this helps.

Regards,

Rate all the posts that help!

jatinkumar Tue, 05/29/2012 - 13:07

Thanks Julio for the quick reply, though you guys are already sleeping. Anyway, does the config which I posted above make any sense?

And that means I configure the public IP on the router and remove the NAT which is there for the 11.3 IP, so my peer will become the WAN interface/IP of the router.

Secondly, can you please advise how I can protect against attacks? I know there will be loads of attacks once I give a public IP on the interface, or in my case I will be giving it to a loopback; hope this will not be an issue.

What is the best practice to protect a public IP on a router?

I am using CCP to configure the VPN; anything from you to add here?

Any idea about the IP 172.30.7.194 which is coming in my config without me giving it? What exactly is this?

Julio Carvaja Tue, 05/29/2012 - 14:04

Hello,

That 172.30.7.194 has got to be a peer for a L2L connection!

To protect your public IP on your router you can use different mechanisms (ACL, control plane protection, management plane protection, uRPF, etc.). There are so many ways you can protect against these attacks, so do not worry about that.

First let's make the VPN tunnel to go up, then you can open another question on the security team and I would be more than glad to help.

Regards,

jatinkumar Wed, 05/30/2012 - 00:54

thanks Julio.

Sorry, I'm asking the same question again: do I need two public IPs? When I am giving the peer IP on the loopback and trying to connect, I am getting some errors on routing.

When I am doing the NAT of the internal machine to the public IP, then my tunnel fails. Really, I'm not able to understand what I'm missing. Do I need to have a public IP on the physical interface and on my internal machine also, or only on the router? I followed this but am not getting it.

please advise.

http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/

My router is an 861. VLAN 1 IP 10.10.11.1 is the gateway for 10.10.11.3, which is my internal machine.

I have one default route, which points to the ISP gateway, which is a private IP.

I am doing NAT of the 11.3 IP to a public IP.

Please see the screenshot if this gives any idea.

AliBahnam Wed, 05/30/2012 - 05:17

Good day,

As I understood it, the router on which you configured the VPN is not facing the internet, and you have another device facing the internet on which you did a static NAT to redirect the public IP to your VPN router interface.

- Why don't you configure NAT on your VPN router?

As I saw from the show run of your VPN router, there is a missing config.

My advice is to configure NAT on this router, then create a route map to exclude your internal traffic on both sides.

Let me know if there are points that I didn't understand.

jatinkumar Wed, 05/30/2012 - 12:11

Hi Ali/Julio, spent almost a full day but no success. Not getting the concept right. Please check the config attached and let me know what mistakes I'm making. It's failing on peer connectivity.

*************************

Current configuration : 6691 bytes
!
! Last configuration change at 20:55:01 UTC Sat Jan 7 2006 by admin
! NVRAM config last updated at 20:05:28 UTC Sat Jan 7 2006 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EmtelTest
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3221256201
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3221256201
 revocation-check none
 rsakeypair TP-self-signed-3221256201
!
crypto pki certificate chain TP-self-signed-3221256201
 certificate self-signed 01
      quit
ip source-route
!
ip cef
ip name-server 196.192.81.61
ip name-server 196.192.81.62
!
license udi pid CISCO861-K9 sn FCZ1533C06Y
!
username username privilege 15 secret 5 password
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key PSK-XXYYZZ address 1.2.3.4
!
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.2.3.4
 set peer 1.2.3.4
 set transform-set client_Transformation
 match address 100
!
interface Loopback0
 ip address 196.192.80.6 255.255.255.248
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 172.30.7.194 255.255.255.252
 ip access-group protect_inbound_traffic in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.30.7.193
!
ip access-list extended protect_inbound_traffic
 remark IPSec Rule
 permit ip host 172.17.24.169 host 10.10.11.3
 permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
 permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
 permit esp host 1.2.3.4 host 172.30.7.194
 permit ahp host 1.2.3.4 host 172.30.7.194
 permit icmp any host 196.192.80.6
 permit ip host 1.2.3.4 host 196.192.80.6
 deny   ip any host 196.192.80.6
!
access-list 10 remark CCP_ACL Category=16
access-list 10 permit any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host 10.10.11.3 host 172.17.24.169
!
control-plane
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 3 0
 logging synchronous
 login local
!
scheduler max-task-time 5000
end

AliBahnam Tue, 06/05/2012 - 06:45

Good day,

Please try to add this ACL and route map as shown below (the second access-list line was missing its list number, 110):

access-list 110 deny ip host 10.10.11.3 host 172.17.24.169
access-list 110 permit ip host 10.10.11.3 any
route-map test permit 10
 match ip address 110
ip nat inside source route-map test interface FastEthernet4 overload

Please add the above to your router and update me.

Regards,
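As an added example, not taken from any post in this thread, the route-map NAT exemption above is combined with Julio's earlier no-NAT ACL advice and the rest of the thread's points (private addresses in the crypto ACL, loopback as tunnel source, no AH) into one consolidated IOS fragment using the addresses already posted here. Assumed: 1.2.3.4 stays the placeholder for the Checkpoint peer, FastEthernet4 is the NAT outside interface, Loopback0 (196.192.80.6) is the tunnel source, and the whole 10.10.11.0/24 LAN (not just the one host) is to be PATted for internet access.

```ios
! Added example, not from any post in this thread. Assumed: 1.2.3.4 is the
! Checkpoint peer (placeholder from the thread), 10.10.11.3 the local host,
! 172.17.24.169 the remote host, FastEthernet4 the NAT outside interface and
! Loopback0 (196.192.80.6) the tunnel source.
!
! IKE phase 1: the Checkpoint side must be configured with the same values.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key PSK-XXYYZZ address 1.2.3.4
!
! IPsec phase 2: ESP only. AH from the earlier transform set is dropped because
! AH authenticates the outer IP header and fails behind any NAT on the path.
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: private addresses only, written from this side outward
! (local host -> remote host). The remote side needs the exact mirror.
ip access-list extended CRYPTO-ACL
 permit ip host 10.10.11.3 host 172.17.24.169
!
! NAT exemption: the deny line keeps the tunnel pair out of PAT so it still
! matches CRYPTO-ACL when it leaves; all other LAN traffic is translated.
ip access-list extended NAT-ACL
 deny   ip host 10.10.11.3 host 172.17.24.169
 permit ip 10.10.11.0 0.0.0.255 any
route-map NAT-RM permit 10
 match ip address NAT-ACL
ip nat inside source route-map NAT-RM interface FastEthernet4 overload
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set TS-AES256-SHA
 match address CRYPTO-ACL
! Build the tunnel from the loopback rather than the FastEthernet4 address.
! The ISP must route 196.192.80.6 to this router, and the peer must be
! configured with 196.192.80.6 (UDP 500/4500 and ESP) as its remote gateway.
crypto map VPN-MAP local-address Loopback0
!
interface Loopback0
 ip address 196.192.80.6 255.255.255.248
interface FastEthernet4
 ip address 172.30.7.194 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 172.30.7.193
```

After applying it, `show crypto ipsec sa` should show the encaps/decaps counters for the 10.10.11.3 <-> 172.17.24.169 pair increasing, and `show ip nat translations` should show no entry for that pair.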

jatinkumar Wed, 06/06/2012 - 09:08

I managed to do that. The only thing which changed was to use the loopback as the tunnel IP; my physical interface IP was getting used, so I gave a command to use the loopback IP as my tunnel IP.

Now one thing: I need to give internet access to this machine. I'm not sure if a static NAT of the inside machine to a public IP will work. Please advise; any idea?

jatinkumar Mon, 06/11/2012 - 23:12

Hi Ali, the requirement now is:

1. Over the tunnel my client connects to one server using RDP and they are able to do so. But now on the same machine they have a web server configured, and they want this web server to be accessed over the public internet using some FQDN/public IP.

2. Don't know why, but every morning the VPN tunnel stops functioning. Any idea why? I mean the client is not able to connect to the server from the remote site. Any idea what I can check?

AliBahnam Mon, 06/11/2012 - 23:44

Hi,

Regarding the VPN tunnel: when the client is unable to connect, please apply this command to check the VPN status (sh cry isa sa). If it is active, then there is no problem on the VPN.

If it is not active, try to ping the server on the remote site, then try to connect, and also apply the above command.

Also apply the below to your router:

crypto ipsec security-association lifetime seconds 86400

jatinkumar Mon, 06/11/2012 - 23:58

Thanks Ali. But sh cry isa sa shows active sessions, and still the clients are not able to connect in the morning.

Secondly, the lifetime is already given. Do you think it's something to do with MTU or idle time?

AliBahnam Tue, 06/12/2012 - 02:24

I didn't see the lifetime in your attached configuration, so please add it and test.

Do you mean that the VPN is down in the morning for a while and then comes up again (clients have access)?

jatinkumar Tue, 06/12/2012 - 03:02

Thanks Ali for the time and reply. If you are talking about this lifetime, then I have the below.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800

.................

Two more things to share:

We were just troubleshooting, and we found that on the remote site device it shows the tunnel up and they are able to ping me, but my site's tunnel shows down, and the remote site is not able to RDP to the server but is able to ping.

Secondly, I am getting this message all the time:

Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.291: No peer struct to get peer description
Jun 12 09:28:03.295: No peer struct to get peer description
Jun 12 09:28:03.415: No peer struct to get peer description

What exactly is this?

AliBahnam Tue, 06/12/2012 - 05:36

Please try to remove the below:

ip access-group protect_inbound_traffic in   (from interface FastEthernet4)

ip access-list extended protect_inbound_traffic
 remark IPSec Rule
 permit ip host 172.17.24.169 host 10.10.11.3
 permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
 permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
 permit esp host 1.2.3.4 host 172.30.7.194
 permit ahp host 1.2.3.4 host 172.30.7.194
 permit icmp any host 196.192.80.6
 permit ip host 1.2.3.4 host 196.192.80.6
 deny   ip any host 196.192.80.6

After you remove the above, if it still does not work, please post the configuration of both end routers.

jatinkumar Tue, 06/12/2012 - 05:50

Thanks for the reply. I don't know why my tunnel is not consistent; very angry. Can you please advise one thing: when applying the ACL for the tunnel, what will the source and destination IPs be? Will they be the private IPs or the peer IPs?

Secondly, can you please advise about the error I am getting:

Jun 12 09:28:03.219: No peer struct to get peer description

Please check the previous reply.

AliBahnam Tue, 06/12/2012 - 13:57

Hi,

The "No peer struct to get peer description" message means that an access-list is not configured correctly.

In the ACL you must use the private IPs, not the peers'.

So please use the private IPs in your ACL and update me.

Hope this will help you.......

jatinkumar Thu, 06/14/2012 - 04:27

I will surely update you. Now the tunnel is up. I need one piece of advice from you: there is a public web site configured on the internal server, and now the client wants this web site to be accessed via the internet, plus he wants his VPN tunnel to stay intact. Please advise how I can have both things for the same server for which the tunnel is created.

About the current VPN status: it gets disconnected every morning, and I don't know why it reconnects after a couple of hours. My side is Cisco, the remote side is non-Cisco (Checkpoint).

Posted May 14, 2012 at 10:34 PM