03-21-2018 09:07 AM - edited 03-12-2019 07:24 AM
I am new to programming Cisco IOS devices. I have a client with which I need to create a VPN from our VPC to their PIX device. I have started a trial with the Cisco CSR 1000V virtual appliance. I have access to it and have started to the configuration.
I think I have the isakmp phase 1 complete and most of phase 2. Where I am stuck is no doubt the actual complicated part...setting the acls, etc. for interesting traffic and whatever else is needed.
The PIX admin gave me the following peer and endpoint info (generalized here for security purposes as these are all "real" IPs):
Peer1 xxx.xxx.xxx.5
Target1a xxx.yyy.yyy.7
Target1b xxx.xxx.xxx.7
Peer2 zzz.zzz.zzz.17
Target2 zzz.zzz.zzz.7
I would be grateful for any help with how this information should be used to complete the S-2-S VPN configuration. Every example I have found uses a subnet and not a real IP for filtering interesting traffic.
Thanks
Kirt
03-21-2018 05:55 PM
Hi
Let's assume hosts named peer are in your lan and target on remote lan.
You need to create the acl:
ip access-list extended L2L
permit ip host peer1 host target1a
permit ip host peer1 host target1b
permit ip host peer2 host target2
Then attach this acl to your crypto map:
crypto map L2L 10 ipsec-isakmp
match address L2L
set peer PublicRemoteIP
set transform-set xxxx
This crypto map will be applied to your wan interface:
interface g0/0
crypto map L2L
If you don't this config, your phase 2 isn't up
03-22-2018 05:53 AM
Thanks for the reply, Francesco!
To add to the complexity of this issue I did not give the complete picture initially.
The peers on my side is actually a subnet (172.16.127.0/24). Since this overlaps a subnet on the other side I cannot put it directly into the access-list statement. I think what needs to happen is to NAT the subnet to one of my real IPs so that the other side sees traffic coming from that real address.
What would that look like so I can replace peer1 and peer2 in our example with the NATed real addresses?
Thanks again for your input and assist.
Kirt
03-22-2018 02:01 PM
Would the NAT look like the Dynamic PAT section in this article? http://www.practicalnetworking.net/stand-alone/cisco-nat-configurations-ios-router/
So, using the IP from the example:
ip access-list standard INSIDE-NET
permit 172.16.120.0 0.0.7.255
ip nat pool SHARED-IP 32.8.2.66 32.8.2.66 prefix-length 21
ip nat inside source list INSIDE-NET pool SHARED-IP overload
ip access-list extended L2L
permit ip host 32.8.2.66 host target1a
permit ip host 32.8.2.66 host target1b
permit ip host 32.8.2.66 host target2
Attach acl to the crypto map.
Attach the map to the WAN interface.
Make WAN interface outside nat.
Should this allow the devices in 172.16.120.0/21 to share the connection and appear to be coming from 32.8.2.66 on the other side of the VPN?
Thanks again,
Kirt
03-22-2018 05:05 PM
I am attaching a generalised copy of my current config relating to this issue.
When I applied ip nat outside to the WAN interface it killed my ability to access the device except from the subnet where the LAN interface resides.
Any changes, suggestions, etc as to if this will work or should be modified would be appreciated.
Thanks!
Kirt
03-22-2018 07:00 PM
03-23-2018 06:27 AM
Thanks for the follow up, Francesco!
The shared article makes sense. The primary difference is that they are requiring a single real/public IP rather than a subnet. So I would need to translate my internal network to an IP rather than another network.
So in the article example, if I am on the right side and R3 is the only thing I control, rather than NATing my subnet to 10.200.200.0/24 I need to NAT to something like 1.1.1.100/32.
Would it be as simple as changing:
ip nat inside source static network 10.1.1.0 10.200.200.0 /24
to:
ip nat inside source static network 10.1.1.0 1.1.1.100 /32
and change my acl from:
ip access-list extended crypto
permit ip 10.200.200.0 0.0.0.255 10.100.100.0 0.0.0.255
To:
ip access-list extended crypto
permit ip host 1.1.1.100 host RemoteTargetIP
Hopefully I am not just flailing about ;)
Thanks again for your assist.
Kirt
03-23-2018 03:32 PM
FYI on my generalized set up....
I reduced the NAT to a /24 from a /21 and I am able to access the device normally again. I think just had too large of a group and it was NATing the subnet the WAN interface is in as well killing my ability to get to it from outside.
03-23-2018 04:50 PM
03-23-2018 08:08 PM
I will be testing in about 13 hours. I will let you know how it goes ;)
03-26-2018 07:34 AM
Thanks for all your help.
I did get the routing working by using a PAT NAT to NAT my subnet behind a single real IP. I am finalizing my Phase 2 (IKEv2) policy and that should get me up and running.
Kirt
03-26-2018 08:43 PM
03-27-2018 12:26 PM
I have reduced it to a single /24 subnet containing the machines that need access. This is for accessing a remote app so the traffic is basically initiated one way. Also, only traffic bound for the particular app server IPs are routed to this device and not general traffic.
Currently if I ping an app server IP we are seeing Phase 1 come up, but Phase 2 is not. I am trying to gather information and get more specific as to why it is refusingthe Phase 2 handshake.
Thanks
Kirt
03-27-2018 07:35 PM
03-28-2018 06:19 AM
Thanks, Francesco.
I am looking at how to get debug info. Any suggestions welcome.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: