09-29-2013 11:09 PM - edited 03-07-2019 03:44 PM
Hello Network Admins,
I need your help here configuring additional Site to Site VPN on Cisco router.
Note: Site-A = Head office
Site-B= Branch office -----------> Public IP : 87.101.54.74
Site-C= Branch office -----------> Public IP : 87.101.80.94
Site to Site VPN is configured between Site A to B and Site A to C. However, I am trying to configure Site to Site VPN from Branch office to Branch office Site-B to Site-C. Here is my existing Site to Site VPN running configuration which is connected to head office. Please let me know what can be done to configure branch office to Branch office? Thank you.
Site B#show run
Building configuration...
Current configuration : 2672 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$UC784zH75YQO..fhY6S.ar0
enable password asdf
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
network 10.11.4.0 255.255.255.0
default-router 10.11.4.1
dns-server 208.67.222.222
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret 5 $ghjikhggfffd
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address 135
!
!
!
!
class-map match-any Servers-List
match access-group 190
!
!
policy-map Servers
class Servers-List
bandwidth percent 50
!
!
!
!
interface FastEthernet0/0
description WAN ITC
bandwidth 2048
ip address 87.101.54.74 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_ITC
service-policy output Servers
!
interface FastEthernet0/1
description LAN ITC
ip address 10.11.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.54.73
ip route 87.101.158.216 255.255.255.252 87.101.54.73
ip route 192.168.0.0 255.255.0.0 87.101.54.73
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Site-C configuration:
Current configuration : 2859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 0101565446764F1E2837253221
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
network 10.11.10.0 255.255.255.0
default-router 10.11.10.1
dns-server 208.67.222.222
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
username awalnet privilege 15 secret 5 $1$O9C6$hGhgghd4.L7ULalS7Wt/
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address 135
!
!
!
!
class-map match-any Servers-List
match access-group 190
!
!
policy-map Servers
class Servers-List
bandwidth percent 50
!
!
!
!
interface FastEthernet0/0
description WAN Link to ITC
bandwidth 2048
ip address 87.101.80.94 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_ITC
service-policy output Servers
!
interface FastEthernet0/1
description LAN
ip address 10.11.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.80.93
ip route 87.101.158.216 255.255.255.252 87.101.80.93
ip route 192.168.0.0 255.255.0.0 87.101.80.93
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.10.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Note: IPs and passwords are edited just for understanding. Thank you.
09-30-2013 10:22 PM
Hi Richard,
If he does not use the router for Internet access, I think there is no need to configure the NAT translation. I also posted the correct configuration for the NAT translation above, but I only created the rule for one of the sites.
regards,
10-01-2013 06:01 AM
Since the configuration for NAT was already in the configuration I assumed that it was needed. And as written the address translation would prevent the site B to site C VPN from working. The choices are either to remove the configuration of address translation (which I believe would be a mistake) or to make sure that the translation does not attempt to translate traffic between B and C over the VPN.
HTH
Rick
09-30-2013 10:59 PM
Hello Richard,
When I applied the following commands the network went down; I also applied the crypto map 138 entry:
access-list 138 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
Actually 192.168.0.0 is connected to the head office and 10.11.4.0 and 10.11.10.0 are branch offices. I am trying to connect between branch offices.
Here is what I observed.
If I apply the following command, computers at the remote site were able to reach only the Oracle server at the head office, and the Internet at the branch office was down.
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
When I applied these two commands the network came up. The Internet and the Oracle server were working and reachable.
access-list 138 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
Let me know. Am I doing anything wrong? Actually I applied access-list 138. I was able to access remotely via putty but users at remote site were not able to use Internet as well as their connection to head office was disconnected. Help needed. Thank you.
10-01-2013 06:29 AM
Lili
You mention applying various access lists but it is not clear how you applied the access lists and it seems that you are a bit confused about them. So let me try to explain what you need. You need one crypto map which is applied to the outgoing/public interface. In the single crypto map are two instances. 10 is for the VPN to site A and 20 is the instance for the VPN between B and C. You need 2 access lists for VPN. Access list 135 is used in crypto map 10 for site A VPN and access list 101 is used in crypto map 20 for B to C VPN. You need 1 access list for address translation. This access list should deny traffic from the local subnet to the subnet of site A and to the subnet of the other branch and then should permit traffic from the local subnet. If you configure and apply the access lists in this way I do not see why any connectivity would be impacted.
HTH
Rick
09-30-2013 10:12 PM
Hi Lili,
According to the ping result you have a problem with the access-list.
I made a clean-up of your access-list and I will post the correct one.
regards,
09-30-2013 11:01 PM
Hello Hardi,
Thank you for the reply. I am waiting for your configuration. Please post it if possible. Thanks again.
09-30-2013 11:24 PM
Hello,
The NAT configuration is not correct. Please remove the current configuration, but you have to apply this configuration through a console cable.
For site B change the NAT and NAT access list as below:
ip access-list extended NAT_ACL_B
 deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 any
ip nat inside source list NAT_ACL_B interface FastEthernet0/0 overload
Also apply the configuration below for Site_C:
ip access-list extended NAT_ACL_C
 deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.11.10.0 0.0.0.255 any
ip nat inside source list NAT_ACL_C interface FastEthernet0/0 overload
Make sure you have the same configuration on the HQ router.
10-01-2013 12:12 AM
Hello Hardi,
Actually the head office private network is 192.168.0.0/16 <----- SITE A
I am trying to connect Between Site B to Site C.
Now I will make it simple for you to understand.
Site B network is 10.11.4.0/24 and Site C network is 10.11.10.0/24.
However, Site B and C are already connected to the head office "Site A" and their Site to Site VPN is UP. I want to configure a VPN between Site B and Site C without disturbing the Site to Site VPN connectivity of both branches, Site B and Site C, which are already connected to Site A, the head office.
We have to add 1 extra VPN in Site B and Site C. We should create a tunnel between both of them.
So here you suggested that I delete the access list as well as the NAT entry. Here are your steps which I edited; please check if both of them are correct, and if you want to add anything or correct it, please remove, add, and correct.
ip access-list extended NAT_ACL_B
 deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.11.4.0 0.0.0.255 any
ip nat inside source list NAT_ACL_B interface FastEthernet0/0 overload
Also apply the configuration below for Site_C:
ip access-list extended NAT_ACL_C
 deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
 permit ip 10.11.10.0 0.0.0.255 any
ip nat inside source list NAT_ACL_C interface FastEthernet0/0 overload
Actually I am trying to learn here; sorry for troubling you. Also, please clear my doubt: what do we have to configure at match address in the crypto map configuration?
crypto map VPN_ITC 20 ipsec-isakmp
set peer 87.101.54.74
set transform-set VPN_ITC_TS
match address "101" <--------
Please let us solve this problem. Thank you.
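The point Rick makes above (the NAT ACL must deny, i.e. exempt, every flow that a crypto ACL selects for a tunnel, because on a Cisco router inside-to-outside NAT runs before the crypto map is consulted) and the edited NAT_ACL_B / crypto map 20 configuration in this post can both be checked mechanically. The following Python checker is an added example, not part of the thread or of any Cisco tool: it parses the thread's own access-list lines, evaluates them with first-match semantics and the implicit deny, and reports flows that a crypto ACL would send into a tunnel but the NAT ACL would still translate. The contents of access-list 101 (the B-to-C crypto ACL) are not shown on the page, so the entry used here is an assumption, as are the sample host addresses and the helper names.

```python
"""Added example (not from the thread): flag VPN-interesting flows that a NAT ACL would still translate."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted subnet masks; contiguous masks are assumed here.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], mask), strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect numbered 'access-list N ...' lines and named 'ip access-list extended NAME' bodies."""
    acls: Dict[str, List[AclEntry]] = {}
    current: Optional[str] = None          # name of the named ACL whose body we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if toks[:3] == ["ip", "access-list", "extended"]:
            current = toks[3]
            acls.setdefault(current, [])
            continue
        if toks[0] == "access-list":
            name, toks = toks[1], toks[2:]
            acls.setdefault(name, [])
            current = None
        elif current is not None and toks[0] in ("permit", "deny"):
            name = toks and current
        else:
            current = None                 # any other line ends a named-ACL body
            continue
        if toks[0] == "remark" or toks[1] != "ip":
            continue                       # only plain 'ip' entries matter for crypto and NAT selection
        src, i = _parse_addr(toks, 2)
        dst, _ = _parse_addr(toks, i)
        acls[name].append(AclEntry(toks[0], src, dst))
    return acls


def acl_action(entries: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; IOS appends an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def nat_leaks(acls: Dict[str, List[AclEntry]], crypto_acls: List[str], nat_acl: str,
              flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows a crypto ACL permits but the NAT ACL also permits: they get PAT'ed to the WAN address
    before the crypto map sees them, so they never match the tunnel."""
    return [(s, d) for s, d in flows
            if any(acl_action(acls[n], s, d) == "permit" for n in crypto_acls)
            and acl_action(acls[nat_acl], s, d) == "permit"]


# Site B as posted, plus an assumed crypto ACL 101 for the B-to-C tunnel.
SITE_B_ORIGINAL = """
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
access-list 138 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
"""

# Site B with the edited NAT exemption list from the post above ('any' supplied as the destination).
SITE_B_FIXED = """
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
ip access-list extended NAT_ACL_B
 deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.11.4.0 0.0.0.255 any
ip nat inside source list NAT_ACL_B interface FastEthernet0/0 overload
"""

# Constructed sample flows: a Site B host to the Site C printer, an HQ server, and the Internet.
FLOWS = [("10.11.4.25", "10.11.10.222"), ("10.11.4.25", "192.168.50.1"), ("10.11.4.25", "203.0.113.10")]

if __name__ == "__main__":
    print("original:", nat_leaks(parse_acls(SITE_B_ORIGINAL), ["135", "101"], "138", FLOWS))
    print("fixed:   ", nat_leaks(parse_acls(SITE_B_FIXED), ["135", "101"], "NAT_ACL_B", FLOWS))
```

With the original access-list 138 the printer flow 10.11.4.25 to 10.11.10.222 is reported as a leak (it matches crypto ACL 101 but 138 still translates it), which is exactly why the B-to-C tunnel never comes up while the A-to-B tunnel, exempted by the existing deny line, keeps working. With NAT_ACL_B in place the list is empty, and Internet-bound traffic is still translated. The same check applied to Site C only needs its own lines pasted in.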
10-01-2013 12:55 AM
Hi Lili,
You added the site IP address; the NAT process is correct, as well as the ACL.
For each map you have to create a policy and match it with its specific address. Sites B and A should match in address 101 and sites B and C should match in address 135.
Please apply this and let me know about the result.
regards,
10-01-2013 03:51 AM
Hello Hardi,
I know I am troubling you; sorry for that. It's looking a little bit tough to me. However, I tried the method which is in the configuration
and it didn't work. As you told me, the NAT and access list have to be configured and the existing configuration has to be removed. Could you please post the access-list and NAT configuration from Site A to Site B and Site A to C, then followed by our configuration from Site B to Site C? Our main focus is on Site-B to Site-C, then Site C to Site B. Well, it's a mess. Any help will be very, very helpful as I am trying to learn. Let's solve this issue.
Note: Public IP for Site A 87.101.158.218 and Private IP 192.168.0.0/16
Public IP for Site B 87.101.54.74 and Private IP 10.11.4.0/24
Public IP for Site C 87.101.80.94 and Private IP 10.11.10.0/24
Note: IPs are edited and changed. Just for Understanding.
10-01-2013 04:24 AM
Hello Lili,
Depending on the IP addresses that you provided, I created a template for each site.
First of all, please provide the information requested below:
1- What is the current status of the VPN connection between the different sites, and what is the VPN state in each site?
2- Can end users access the Internet service or not?
3- What kind of service do you want to be active through the VPN connection?
4- What is the purpose of creating a VPN connection between site B and C?
please don't hesitate to contact.
regards,
10-01-2013 04:36 AM
Hello Hardi,
1. Site to Site VPN is UP from Site-A head office to Site B branch office and from Site-A head office to Site-B branch office. Now the requirement is that we need to add an additional VPN from Site B to Site C. Just let us forget about Site A connectivity. As we know, VPN is already up from Site A for both Site B and C branches. We are here to focus on Site B to Site C.
2. End users can access the Internet at the moment. You can also have a look at the public IPs mentioned above.
3. Users from Site B and Site C access the Oracle servers kept in the head office, Site-A.
4. Actually a printer is installed at Site C; its IP is 10.11.10.222/24 and we want to print to it from Site B branch hosts on the 10.11.4.0/24 network. The printer is for Oracle pikslip; it runs on programming. We have to create a tunnel between Site B and Site C so that users can print to the Site C printer.
10-01-2013 04:44 AM
Hello Lili,
I got your requirement; I will come back soon.
Let me know if you need anything else.
regards,
Hardi
10-01-2013 04:47 AM
Hello Hardi,
Nothing else. Thank you so much. You were very helpful. It is just that I am a starter; I have dealt with this kind of problem before but not this serious. I appreciate your help.
10-01-2013 01:46 PM
Hello Hardi Issue solved. Thank you so much for your support.