ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Site-to-Site VPN Integration issues with Cisco expert Roy Pereira. Roy is a Product Line Manager within the Cisco VPN and Security Services business unit. Feel free to post any questions relating to Site-to-Site VPN Integration.

Roy may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other message boards shortly after the event. This event lasts through October 20. Visit this forum often to view responses to your questions and the questions of other community members.

36 REPLIES
New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

What is site-to-site VPN, and can I use it to drive e-business between partners?

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

A site-to-site VPN is a secured end-to-end VPN where both 'ends' are your offices. An example is connecting a branch remote office to your headquarters through a secured VPN through the Internet instead of using a leased line.

Another example of a site-to-site VPN is one that you use with your partners. Your partner would set up a VPN device on their network and have it connect with your VPN device at your network. Your VPN connection would travel through the Internet, but would be secured.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Roy,

We have a situation that sounds similar to what you describe as a site-to-site VPN. Our main office is in the western suburbs of Chicago, and we have a branch office in Milwaukee, WI. We presently have a 128K Frame Relay circuit in the Milwaukee office, connected to a Cisco 2600 series Router, an NT v4 Server (BDC), and about 15 Win 95/98 clients. We have an Altiga/Cisco VPN 3000 Concentrator installed and working in the Chicago office, and I have successfully logged in from my IDSL line at home via the Cisco VPN client. What I want to do is this:

We can install a full 1.5Mbps SDSL connection at the Milwaukee office for less than the cost of the existing 128Kbps Frame Relay circuit. Obviously having the 1.5Mbps connection would be preferable, but I don't know how I can get the NT4 server in Milwaukee to automatically authenticate the VPN connection to the Chicago PDC when the system reboots (we automatically reboot the system once a week for stability purposes). My documentation, the VPN Client 3000 user guide, only seems to cover client connections, not server-to-server connections. We manage the server remotely, and no one at the Milwaukee office has access privileges to the NT4 server, so the VPN validation has to be automatic.

Is there a solution to my problem? Can the VPN client software be run on the NT4 server as a Service that will run automatically? Is there some other solution?

Thanks in advance,

Ray Ciscon

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

The best thing is to NOT run the VPN client on the NT server, but rather set up the VPN on the SDSL router. In this situation, whenever either side initiates traffic the tunnel is built automatically. Plus you add the capability of VPNing the entire location rather than each client individually. CCO has a number of documents on how to set up VPN Concentrators with Cisco Routers. But here are some general guidelines. If you have additional questions you can contact me via email.

ON THE VPN Concentrator:

Go to CONFIGURATION > SYSTEM > TUNNELING PROTOCOLS > IPSEC > LAN TO LAN

Click Add and enter the appropriate tunnel setup (I recommend reading the different ways to do this)

ON THE Router:

(here is a sample config)

Using 2048 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname myrouter
!
logging buffered 4096 debugging
!
ip subnet-zero
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
! the address on the pre-shared key must be the same peer address as "set peer" in the crypto map
crypto isakmp key MyKey address 204.86.74.1
!
crypto ipsec transform-set MyTransformSet esp-des esp-md5-hmac
!
crypto map MyCryptoMap 10 ipsec-isakmp
 set peer 63.86.74.4
 set security-association lifetime seconds 28800
 set transform-set MyTransformSet
 match address 100
!
interface FastEthernet0/0
 description Internet Provider
 ip address 64.73.49.75 255.255.255.248
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 ! the name must match the crypto map defined above (names are case-sensitive)
 crypto map MyCryptoMap
!
interface FastEthernet0/1
 description Local Ethernet
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed 10
 half-duplex
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
! the next hop of the default route should be the ISP gateway, not the router's own FastEthernet0/0 address
ip route 0.0.0.0 0.0.0.0 64.73.49.75 permanent
no ip http server
!
! 100 selects the traffic to encrypt; 110 (via route-map nonat) excludes that same traffic from NAT
access-list 100 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7
 login
!
end

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

this is not a VPN to VPN question but close!!

Hi, I am working with the PIX 505, latest version 5.2(1), and we are using PPTP on Windows 2000 and IPSec with the Cisco VPN client on Windows NT and 98. We are unable to see the NetBIOS machine inside the firewall. We ran the same test with a PIX 520 with successful results on both clients. The difference is that the 520 is not at the latest revision of IOS. The rest of the config is the same. Do you have an idea on what the problem might be?

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

There were no open caveats/bugs on 5.2(1) listed in the newer versions release notes. I would conduct the tests using 5.2(3) as the engineers are constantly improving the code. This sounds like a good case for our Technical Assistance Center. You can open a case online at http://www.cisco.com/tac/caseopen/

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

I have a simple question. Being new to the Cisco realm I was wondering where I could find documentation on configuring Cisco routers for VPN and NAT. I would prefer a hardcopy or CD and a web location would work as well.

The reason I am pursuing VPN and NAT is that we have a remote office on the West Coast and the main office is on the East Coast. We want to configure a VPN between the offices and use NAT for access to the world.

Thanks.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Building configuration...

Current configuration:
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname 1720VPN/NAT/Firewall
no logging buffered
memory-size iomem 25
ip subnet-zero
no ip source-route
ip name-server 209.181.98.217
!
ip inspect name fw tcp
ip inspect name fw http
ip inspect name fw ftp
ip inspect name fw udp
ip inspect name fw tftp
ip inspect name fw1 tcp
ip audit notify log
ip audit po max-events 100
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
! address 0.0.0.0 is a wildcard: the same pre-shared key is accepted from any peer (remote-client setup)
crypto isakmp key secretkey address 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set trans1
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
cns event-service server
!
interface Serial0
 ip address 65.212.34.87 255.255.255.0
 ip access-group 120 in
 ip nat outside
 ip inspect fw out
 crypto map intmap
!
interface FastEthernet0
 ip address 10.0.0.200 255.255.255.0
 ip nat inside
 speed auto
!
ip local pool ourpool 192.168.1.1 192.168.1.254
ip nat pool outsidepool 202.203.98.122 202.203.98.122 netmask 255.255.255.248
ip nat inside source route-map nonat pool outsidepool overload
ip nat inside source static 10.0.0.13 202.203.98.125
ip classless
no ip http server
!
! 101 drives route-map nonat: the deny keeps traffic bound for the VPN client pool out of NAT
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit icmp any any
! 120 is the inbound filter on Serial0: admit IKE (UDP 500), ESP and AH to the tunnel endpoint
! (the host address here should be the Serial0 address the peers actually connect to)
access-list 120 permit udp any host 63.238.16.81 eq isakmp
access-list 120 permit esp any host 63.238.16.81
access-list 120 permit ahp any host 63.238.16.81
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit icmp any any echo-reply
route-map nonat permit 10
 match ip address 101

Hope this helps.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Thank you for your assistance

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

This is possible. Here is a sample link of how it is done with an Altiga to Cisco IOS device.

The key features to notice are the access lists and the nonat statement. You do not want to NAT items that are tunneled to the remote offices, but you want to NAT everything that isn't tunneled and sent to the internet.

Hope this helps,

Leonard Thompson

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

We have a site-to-site VPN using a 7120 model. This is also used as our perimeter router. I also have people doing remote VPN through this. I want to put some ACLs on the router but I don't want to harm my VPN traffic. Is there a certain port I should leave open for the VPN?

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

It depends on where you put your ACL and which interface is your tunnel endpoint. For IPSEC VPNs you need to allow (IP port 50 and 51) and UDP (port 500) to your tunnel endpoint. For other VPNs like GRE etc. you can find the port number in the documentation or even on the router CLI.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

IPsec traffic uses two protocols: IKE and ESP/AH.

IKE is based on UDP port 500

ESP and AH are IP protocols #50 & #51

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Q) If I place my VPN Device behind a firewall or router running access control lists, which ports and protocols do I need to allow through?

A)

Service                        Protocol Number   Source Port   Destination Port
PPTP Control Connection        6 (TCP)           1023          1723
PPTP Tunnel Encapsulation      47 (GRE)          N/A           N/A
ISAKMP/IPSEC Key Management    17 (UDP)          500           500
IPSEC Tunnel Encapsulation     50 (ESP)          N/A           N/A
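The nonat route-map in the two sample configs earlier in the thread and the port table in this answer both come down to evaluating IOS-style access lists against a flow. The following Python is an added example, not code from the thread or from Cisco. It parses the access-list lines copied from the sample configs, models the IOS inside-to-outside order of operations (NAT is applied before the crypto map is consulted) to show why the deny line in the nonat ACL is needed, and checks that an inbound filter admits the IKE/ESP/AH flows listed in the table. The packet addresses 198.51.100.10 and 203.0.113.9 and all function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Protocol keywords as they appear in IOS extended ACLs ("ip" matches any protocol).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAME = {"isakmp": 500, "pptp": 1723}

# Constructed sample input: the access-list lines from the two sample configs in the thread.
CONFIG = """
access-list 100 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 120 permit udp any host 63.238.16.81 eq isakmp
access-list 120 permit esp any host 63.238.16.81
access-list 120 permit ahp any host 63.238.16.81
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit icmp any any echo-reply
"""


@dataclass
class Packet:
    proto: int  # IP protocol number
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """'any' | 'host A' | 'A WILDCARD' -> (network, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Optional 'eq PORT' qualifier; named ports are resolved through PORT_NAME."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAME[p] if p in PORT_NAME else int(p)), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_number: [entries]} in configured order (first match wins)."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list":
            continue  # comments ("!") and anything that is not an ACL line
        num, action, proto = tok[1], tok[2], PROTO_NUM[tok[3]]
        src, swild, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, dwild, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        # Trailing ICMP qualifiers such as "echo-reply" are not modelled (treated as any).
        acls.setdefault(num, []).append((action, proto, src, swild, sport, dst, dwild, dport))
    return acls


def _in(addr, net, wild):
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    return ((_ip(addr) ^ net) & (~wild & 0xFFFFFFFF)) == 0


def permits(acl, pkt):
    """Evaluate one ACL top-down; IOS ends every ACL with an implicit deny."""
    for action, proto, src, swild, sport, dst, dwild, dport in acl:
        if proto is not None and proto != pkt.proto:
            continue
        if not _in(pkt.src, src, swild) or not _in(pkt.dst, dst, dwild):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def classify_outbound(acls, pkt, outside_ip, crypto_acl="100", nonat_acl="110"):
    """Inside-to-outside on IOS: NAT runs first, then the crypto map is checked.
    A flow that gets translated no longer carries its private source address and
    so fails the crypto ACL, which is why route-map nonat must deny the tunnel networks."""
    natted = permits(acls[nonat_acl], pkt)
    after_nat = Packet(pkt.proto, outside_ip if natted else pkt.src, pkt.dst, pkt.sport, pkt.dport)
    if permits(acls[crypto_acl], after_nat):
        return "tunnel"
    return "nat" if natted else "clear"


def missing_ipsec_rules(acls, endpoint, peer, filter_acl="120"):
    """Names of the flows an IPsec peer needs (IKE, ESP, AH) that the inbound filter blocks."""
    needed = {
        "IKE udp/500": Packet(17, peer, endpoint, 500, 500),
        "ESP ip/50": Packet(50, peer, endpoint),
        "AH ip/51": Packet(51, peer, endpoint),
    }
    return [name for name, p in needed.items() if not permits(acls[filter_acl], p)]


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    to_hq = Packet(6, "192.168.20.7", "10.1.1.5", 40000, 445)
    to_web = Packet(6, "192.168.20.7", "198.51.100.10", 40001, 80)
    print(classify_outbound(acls, to_hq, "64.73.49.75"))   # tunnel
    print(classify_outbound(acls, to_web, "64.73.49.75"))  # nat
    # Comment out the deny line and the HQ traffic is translated and leaves unencrypted:
    broken = parse_acls(CONFIG.replace("access-list 110 deny", "! access-list 110 deny"))
    print(classify_outbound(broken, to_hq, "64.73.49.75"))  # nat
    print(missing_ipsec_rules(acls, "63.238.16.81", "203.0.113.9"))  # []
```

The `broken` case is the failure mode the thread warns about: with the deny removed from the nonat ACL the branch-to-headquarters flow is still routed, but as NAT traffic rather than through the tunnel, so a check of this kind belongs in any review of a router that does both NAT and IPsec.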

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Hi Roy,

I have a T1, VPN using a 1500 PIX and the 1.0 IPSec Cisco 3-DES client. I was told by a "Cisco business partner" (my vendor) that I had to have a PIX configured to do triple DES, and the PIX that they sold me is not configured to do triple DES, and so single DES is what I'm currently doing with the 1.0 IPSec client. When I reboot the PIX, it boots up with a "triple DES installed" statement. Is my vendor mistaken? Am I doing triple DES? How can I determine if I am?

Thanks

George

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

I think this is what your vendor is talking about. If 3DES is shown as enabled by doing the following, I would call your business partner back.

The Activation Key on the PIX Firewall (shown by "show ver"):

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Multicast over Site-to-Site VPN with PIX Firewalls.

Hi, what would be the best solution if you want to run multicast over a VPN with PIXs? Also, how will that interact with the unicast traffic and eventually routing protocols? The net design is a hub and spoke (five spokes).

The multicast traffic is quite limited (stock exchange information).

Cheers

/Nils Johansson

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Ahh, my understanding from Cisco is that IPSEC does not support multicast. So unless you are able to encapsulate the multicasts into a unicast packet via multicast routing etc., it won't work. I haven't worked too hard on testing that because I have found other workarounds.

A good example of this is Novell clients like to find servers using SLP multicasts. Unfortunately IPSEC isn't able to tunnel this.

Good Luck!

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Roy,

we are designing a site to site VPN involving several sites. In each site we have local LANs with a private addressing scheme and we want to protect the machines connected to the LANs using a firewall.

We are going to use the VPN in order to communicate in a transparent fashion the LAN machines through the Internet.

At this point we have a doubt. We have several choices:

1) We can use a firewall PIX to protect the machines and build the VPN using the routers

2) We can use the firewall PIX to do the firewall & VPN functions and use the router only to route packets.

3) We can use the router doing all of the work (routing, firewall & VPN)

What do you recommend?

Thanks in advance,

Sergio Monti

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Depends.

The all-in-one solution is cost effective, but resource intensive. So you should look at budget and the performance requirements.

I have done both methods 1) and 2) that you mentioned. So far I have found advantages to both.

For instance, if you put the VPN function on the PIX then it is difficult to telnet to that device from the outside and do any troubleshooting on the tunnel if the tunnel is broken. So you better have a way to dial in to that device.

If you put the VPN functions on the router, you have to pretty much double up on your access-lists because the PIX (I assume) does the NAT. So you have to instruct the PIX (via access-lists) to decide which networks to NAT and THEN you have to go to the router and instruct it (via access-lists) which ones to tunnel.

There are a few other considerations that I have personally run into, but ultimately Cisco recommends that the Firewall/NAT/VPN be on the PIX and the Router just route.

Hope that helps!

Leonard Thompson

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Roy,

I am planning to implement IP VPN over the Internet between the US and France ILOG branches. We have a backbone connection to France with Frame Relay; however, if Frame Relay dies, I would like to have a secured channel over IP VPN to connect any host from the US to France and vice versa.

I have a UUNET connection in Mountain View, USA to our ISP with a full T1 using a 2610 router. On the other side, France also has a full T1 connection to their local ISP. Is there any way we can build a VPN over the Internet using the existing 2610 model routers which are connected to the ISPs, without any further investment?

-Ramesh

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

To my knowledge there should be no problem running a 2600 to 2600 VPN solution. As long as you have the required IOS (supports IPSEC/DES).

However, I would not recommend it without the encryption module shown at http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/kaos_ds.htm

This module will help take the load of performing DES or 3DES encryption off the CPU of the router.

Leonard Thompson

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Good Evening...

I have been using the Cisco Systems VPN 3000 Client successfully till this afternoon. While trying to connect to our company domain, the client software stops at the same location - "Negotiating security profiles...".

As I review the IPSec log view, I notice the following entry:

11 20:25:26.280 10/15/00 Sev=Info/4 IPSecDriver/0x43200013
Key Expired

Any assistance you can provide to eliminate this problem is greatly appreciated.

jhutson@citgo.com

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

This usually means that you are not able to communicate with the central site device with IKE (UDP 500). If you are behind a PAT or filtering device, you should ensure that this device is still allowing UDP 500. If you are using a personal firewall product, you should ensure that it's allowing the VPN client to have access to send/receive data (Protocol-50 ESP and UDP 500). If your central site concentrator is behind a firewall, you should confirm that none of the filters have changed on this firewall. You may want to look at the logs on your central site Concentrator and look for a connection attempt. You should also ensure that you can ping the Concentrator and still have IP connectivity. If you cannot determine what the issue is, the TAC is available to help as long as you have a Smartnet Contract. The latest client version is 2.5.2*; you may want to log in to the CCO SW Center and upgrade if you're running an older version of the client.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

I am just starting to research VPN. Can I use my existing Cisco routers, a combination of 2600 and 2500 models, for VPN? I have a hub and spoke setup; at the hub there is a PIX 520 which everything sits behind. I would think each remote that is set up for VPN would need its own firewall now. What would you recommend?

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Yes, you can use your existing 2600 routers to VPN to a PIX 520. You just want to make sure that you plan carefully for the additional load of multiple tunnels terminating on the PIX firewall. I ran into some issues a while ago on a previous version of code for the 520 and IPSEC site-to-site connections, which prompted me to purchase the VPN 3030 Concentrator. It is a sizeable investment, but a worthwhile one in my opinion. It definitely makes your task at hand much easier.

Your assumption to have a firewall at each location is correct. Anytime you open an access point to your network from the public you need some sort of protection. The nice thing is that you can use the PIX firewall 515 (which is a little lower end) to VPN to the PIX firewall 520.

Leonard Thompson

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

I would like to install a VPN between two sites which have access to ADSL.

What is the better solution?

Thank you.

New Member

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

The 1700 series (http://www.cisco.com/warp/public/cc/pd/rt/1700/) or the 1400 series (http://www.cisco.com/warp/public/cc/pd/rt/1400/) routers should suit your needs. You can also use the Cisco VPN client to build/terminate your tunnels.

Re: ASK THE EXPERT – SITE-TO-SITE VPN INTEGRATION

Roy,

I have recently implemented a PIX 515 as a firewall/VPN. I've also implemented a PIX 506 for a client. I now have a situation where I've been asked to do a 3000 concentrator and two 1605 routers in a LAN-to-LAN VPN. This entire time I've been doing these I've taken example configs and set them up to work as best I can. I'm at a point where I keep looking for some sort of a book that explains how all the commands actually correlate to each other. Most of the manuals that I've looked at have just explained the commands themselves and not explained how everything correlates. If you can pass along any knowledge I would be appreciative.

Patrick Laidlaw
