Help me fix my router config!

bryan.cobb
Level 1

Hello everyone,

Cisco 1800 Series router (1841, running IOS 12.4 21a). I'm certainly no expert at the Cisco IOS and I'm trying to make a change to force ALL of my traffic through a VPN tunnel. Right now, all traffic destined for 10.1.0.0 (255.255.255.0) and 192.168.1.0 (255.255.255.0) is being forced through the VPN back to my headquarters. All other traffic goes straight out our DSL connection. That all works fine and dandy. I want to simply force all of the traffic through the VPN tunnel now.

I switched up the route command from:

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0

to:

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

and I lost Internet and connection back to headquarters!  My config is attached, what am I missing?

Thanks in advance!

-Bryan


Giuseppe Larosa
Hall of Fame

Hello Bryan,

In order to access the internet from HQ you need to prepare NAT configuration on the HQ device for the remote office subnet 192.168.3.0/24.

Also you need a static route for the VPN endpoint using the local DSL provider IP as next-hop:

y.y.y.y = VPN endpoint IP address in HQ (the same as the ipsec peer address on the remote office router)

x.x.x.x = DSL next-hop

ip route y.y.y.y 255.255.255.255 x.x.x.x

This should allow for VPN setup, where x.x.x.x is the next-hop that you used in the old default route.

Without this static route your device would rely on the proxy ARP settings of the DSL provider. If proxy ARP is disabled on the x.x.x.x device you are lost without the specific static route. With this the VPN should be established.

Also you need to update the ACL that decides what goes on the VPN:

ip access-list extended acl_vpn
 permit ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255

You have to add a line for accessing the internet via the VPN (the new line needs the 0.0.0.255 wildcard on the source, as IOS rejects a bare network address):

ip access-list extended acl_vpn
 permit ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any

On interface fas0/0 you should remove ip nat outside, as you are not going to NAT on the remote office (note you have an IPSec VPN, so it is not easy to keep local NAT as a backup solution):

interface fas0/0
 no ip nat outside

Hope to help

Giuseppe
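Why the host route for the VPN peer matters is easiest to see with a longest-prefix-match lookup. The following is an added example, not configuration from the thread: it parses the three versions of Bryan's static routes (original, the broken "everything via FastEthernet0/0" version, and that version plus Giuseppe's /32 route for the peer) and shows which next-hop each destination resolves to. The addresses 203.0.113.1 (standing in for x.x.x.x) and 198.51.100.10 (standing in for y.y.y.y) are constructed documentation-range placeholders, and the `FastEthernet0/0` interface route is modelled as "no next-hop IP, so the router must proxy-ARP for the destination".

```python
import ipaddress

# Constructed placeholders for the thread's x.x.x.x (DSL next-hop) and y.y.y.y (HQ VPN peer).
DSL_NEXT_HOP = "203.0.113.1"
VPN_PEER = "198.51.100.10"


def parse_ip_route(line):
    """Parse one 'ip route PREFIX MASK (NEXT-HOP|INTERFACE)' line into (network, target)."""
    _, _, prefix, mask, target = line.split()
    return ipaddress.ip_network(f"{prefix}/{mask}"), target


def build_table(config):
    """Turn a block of 'ip route ...' lines into a list of (network, target) entries."""
    return [parse_ip_route(l) for l in config.strip().splitlines() if l.strip().startswith("ip route")]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route whose network contains dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, target in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def needs_proxy_arp(target):
    """An interface-only route has no next-hop IP: the router must ARP for the final
    destination itself and relies on the upstream device answering with proxy ARP."""
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        return True


# The three routing tables from the thread (placeholders substituted for x.x.x.x / y.y.y.y).
ORIGINAL = build_table(f"""
ip route 0.0.0.0 0.0.0.0 {DSL_NEXT_HOP}
ip route 10.1.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0
""")

BROKEN = build_table("""
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
""")

# Giuseppe's suggestion: keep the interface default route, but pin the IPSec peer to the
# real DSL next-hop with a /32 so tunnel setup never depends on proxy ARP.
FIXED = build_table(f"""
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route {VPN_PEER} 255.255.255.255 {DSL_NEXT_HOP}
""")


def resolve(routes, dst):
    """Return (target, relies_on_proxy_arp) for a destination in the given table."""
    target = lookup(routes, dst)
    return target, needs_proxy_arp(target)


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("broken", BROKEN), ("fixed", FIXED)):
        print(name, "-> VPN peer:", resolve(table, VPN_PEER), "internet host:", resolve(table, "192.0.2.50"))
```

In the broken table the peer's ESP/ISAKMP packets are sent out FastEthernet0/0 with no gateway, so whether the tunnel ever comes up depends entirely on the DSL provider's proxy ARP; in the fixed table the /32 wins the longest-prefix match and the peer is reached through the DSL next-hop regardless.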

Giuseppe,

Thank you SO much for your response! I really appreciate it. I'm a little lost on the proxy ARP stuff, but I'm taking your word for it! Unfortunately, I'm working on this router remotely, so when I made the changes, I made the least intrusive first so I didn't disconnect myself. I made the access list changes first, then the ip route, and when I took away the NATing on the fas0/0, I was disconnected and the office lost Internet and VPN.

It's quite possible that I don't have the HQ firewall (Cisco ASA5510) configured properly.  I have this statement now:

nat (inside) 1 192.168.3.0 255.255.255.0

However, I'm not sure if that is the right interface. I'm not seeing any traffic from the 192.168.3.0 subnet being rejected by my firewall, so I'm guessing I still have a routing issue. Does it sound like my outer office router is misconfigured or my HQ router? If you need to see my HQ router config, let me know... it's a little more of a PITA to strip out. ;-)

Thanks!
-Bryan

Bump...

Hello Bryan,

I'm sorry that you have lost connection to the router and also that I have missed your answer.

Is the IPSec VPN terminated on the ASA FW in HQ, or is there an HQ router?

The configuration of the HQ devices would be necessary to understand what didn't work in the change.

Again I apologize.

Edit:

Did you connect on the public IP address of the remote router?

The NAT ACL is:

ip access-list extended acl_nat
 deny   ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any

Hope to help

Giuseppe
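Giuseppe's two ACLs (the crypto ACL `acl_vpn` in his first reply and the NAT ACL `acl_nat` above) are easier to reason about when you can feed flows through them. The block below is an added example, not configuration or code from the thread or from Cisco: it implements extended-ACL matching with IOS wildcard masks (`any`, `host A`, `A WILDCARD`) and then classifies sample flows from the remote office through the old and new `acl_vpn` plus `acl_nat`. The `classify_flow` function is a simplified model of the remote router's behaviour (NAT ACL consulted first, since IOS applies inside-to-outside NAT before the crypto map check; then the crypto ACL), and the internet host 192.0.2.50 is a constructed placeholder.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_address_spec(tokens):
    """Consume one IOS address spec and return (value, care_mask, remaining_tokens).
    A wildcard bit of 1 means 'don't care', so care_mask is the inverted wildcard."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.ip_address(tokens[1])), ALL_ONES, tokens[2:]
    addr = int(ipaddress.ip_address(tokens[0]))
    wildcard = int(ipaddress.ip_address(tokens[1]))
    care = ALL_ONES ^ wildcard
    return addr & care, care, tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines (the 'ip access-list extended NAME' header is skipped)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, src_care, rest = _parse_address_spec(tokens[2:])
        dst, dst_care, rest = _parse_address_spec(rest)
        entries.append((action, src, src_care, dst, dst_care))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny at the end of every ACL."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    for action, src, src_care, dst, dst_care in entries:
        if (s & src_care) == src and (d & dst_care) == dst:
            return action == "permit"
    return False


OLD_ACL_VPN = parse_acl("""
ip access-list extended acl_vpn
 permit ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
""")

NEW_ACL_VPN = parse_acl("""
ip access-list extended acl_vpn
 permit ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
""")

ACL_NAT = parse_acl("""
ip access-list extended acl_nat
 deny   ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
""")


def classify_flow(crypto_acl, nat_acl, src_ip, dst_ip, nat_outside_enabled):
    """Simplified model of the remote router: a flow is either translated and sent out the
    DSL link, encrypted into the tunnel, or routed out untranslated (which the ISP will drop)."""
    if nat_outside_enabled and acl_permits(nat_acl, src_ip, dst_ip):
        return "nat-to-dsl"
    if acl_permits(crypto_acl, src_ip, dst_ip):
        return "ipsec-tunnel"
    return "routed-untranslated"


if __name__ == "__main__":
    for dst in ("10.1.0.5", "192.168.100.9", "192.0.2.50"):
        print(dst, "old:", classify_flow(OLD_ACL_VPN, ACL_NAT, "192.168.3.10", dst, True),
              "new:", classify_flow(NEW_ACL_VPN, ACL_NAT, "192.168.3.10", dst, False))
```

The model makes the interaction visible: with the new crypto ACL in place but `ip nat outside` still on FastEthernet0/0, `acl_nat` would grab internet-bound traffic before the crypto map sees it, which is why the NAT ACL's `deny` lines exist for the tunnel subnets and why Giuseppe removes `ip nat outside` once everything is meant to go through the tunnel.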

No need for apologizing! Let me get you a copy of the HQ ASA. But to answer your question, yes, the IPSec VPN terminates on my HQ ASA.

OK, HQ config is attached. Keep in mind that this device also accepts individual IPSec clients as well as this point to point. 192.168.3.0 is the network that is in question. Let me know if you have any questions! My config probably needs cleaning up again, so please disregard any junk!

Thanks again Giuseppe!

-Bryan

Hello Bryan,

Thanks to our forums I have found enough information for the ASA side.

The reference document for what you want to achieve is the following:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

(note: the document is related to IPSec remote access clients, but it can be adapted to your scenario)

According to the documentation, with an appropriate ASA OS version (it has to be greater than or equal to 7.2) it is possible to take advantage of the changed behaviour of one command to perform hairpinning (U-turn) of traffic on the Outside interface.

The involved command is the following:

same-security-traffic permit intra-interface

After OS 7.2 the command allows sending back on the same ASA interface all types of traffic; before 7.2 only IPSec traffic could be hairpinned, and this is not enough, as in your scenario traffic coming from the LAN-to-LAN IPSec tunnel with the remote office has to be de-encrypted, then source-NAT processed, then sent out again on the outside interface to the internet. Traffic coming from the internet destined to the remote office should do the opposite: standard IP traffic is received on the OUTSIDE interface, the ASA, looking at its NAT translation table, converts the destination address into a 192.168.3.x address and then has to encrypt it in IPSec according to the crypto map configuration (that has to be modified too).

For remote access clients there is an alternative using split tunneling that can work also in OS earlier than 7.2, but this option does not look to be available for LAN-to-LAN IPSec.

See for this the following thread, post n.5:

https://supportforums.cisco.com/thread/60075?referring_site=kapi&channel=smartnav

So you would need:

a) to upgrade the ASA OS to 7.2 or later; better to take a version before 8.4 if possible, as NAT configuration changes in 8.4 according to several threads in security->firewalling.

b) configuration changes

The hairpinning function is performed with the following commands:

same-security-traffic permit intra-interface
global (outside) 2 interface
nat (outside) 2 192.168.3.0 255.255.255.0

Note: I would use NAT-id 2 to keep these additional NAT/global statements separated from the existing ones.

If this way does not work you could re-use NAT-id 1 instead of 2.

(Warning: This should be tested)

The ACL used for choosing what to encrypt towards the remote office has to be updated too (this is my guess), adding the following line:

access-list outside_cryptomap_GTown extended permit ip any 192.168.3.0 255.255.255.0

Hope to help

Giuseppe

I don't even know what to say Giuseppe, but I guess I'll start with thanks! I'm somewhat familiar with "same-security-traffic permit intra-interface" commands, I vaguely remember working with them before. Looks like I have a lot of work to do and unfortunately, I'll be out of the country next week for a couple weeks so this won't happen anytime soon!

I'll definitely post back once I put all this to the test.  Thanks again!

-Bryan
