Cisco 800 site-site VPN to non Cisco

Hi All,

I have successfully implemented ISAKMP and IPsec for a site-to-site tunnel from a Cisco 881 to a non-Cisco device. Here is what the setup should look like:

Remote Side                                    Local Side
10.0.0.100 (Real IP) NAT to 172.30.40.70       172.17.0.0/16

What needs to happen is that any traffic from the remote side 172.17.0.0/16 should be allowed to reach the NAT IP at the local side, 172.30.40.70. When I implement the following NAT command...

ip nat source inside static 10.0.0.100 172.30.40.70, I cannot ping 172.30.40.70 from the remote end.

However, when I set 172.30.40.70 as a loopback, I can ping from the remote end.

Therefore I am unsure if the NAT is working as it should...

hostname CCR-LL
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 xxxxx
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2163744000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2163744000
revocation-check none
rsakeypair TP-self-signed-2163744000
!
!
crypto pki certificate chain TP-self-signed-2163744000
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313633 37343430 3030301E 170D3134 30383138 31313439
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363337
34343030 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AA37 C44A2484 FCC514A1 451F7C85 E7182631 1DB81A0C 94E5909C AC08B4C3
A83D87D3 D4E25088 D55F62D6 338CBB18 8F63737E A29EAD22 42DFED86 C0E3D98A
3CF91FBF A58E4E58 FD831C71 4DCA58D6 0F67E7CC 44E935E3 54B10451 97D3D007
F2C899DE 2F88C2C4 25EE2017 69F4AE34 E649E915 C4ABE47A 02898D9A 9101A31F
83E10203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 10434352 2D4C4C2E 4543522D 522E636F 6D301F06 03551D23
04183016 8014F2E5 D52358D8 D83AAD13 4E407D57 EEE1B1D7 619B301D 0603551D
0E041604 14F2E5D5 2358D8D8 3AAD134E 407D57EE E1B1D761 9B300D06 092A8648
86F70D01 01040500 03818100 0F7C78AD 93BE06C3 C35B20B6 7C067130 D27A2B97
B5817C0F 66D29110 6161F577 F764449A A3EB655D 715FCA32 950C27E4 973CF9C4
4316AFE0 58B8BB41 6DAE704A A2B8A451 F1533526 CC48F1CB 31C4F3A7 64103320
60766F2B F0C3DFBE 8F51767E FA702634 95A7AEFD BA122854 1F58D1BD 469D39F8
532AF3EA 1651E2AB 46CFFD22
quit
ip source-route
ip dhcp excluded-address 10.0.0.66
ip dhcp excluded-address 10.0.0.67
ip dhcp excluded-address 10.0.0.68
!
ip dhcp pool CCRPOOL
import all
network 10.0.0.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.0.0.138
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ECR-R.com
no ipv6 cef
!
!
!
!
username admin privilege 15 password 7 xxxxx
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPNset esp-aes 256 esp-sha-hmac
!
crypto map VPNset 1 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set VPNset
match address 120
!
archive
log config
hidekeys
!
!
ip ssh port 2222 rotary 1
!
policy-map WIFI
class class-default
bandwidth percent 10
!
!
!
!
interface Loopback0
no ip address
!
interface Loopback1
ip address 172.30.40.70 255.255.255.254
!
interface Loopback9
no ip address
!
interface Tunnel0
no ip address
!
interface FastEthernet0
service-policy output WIFI
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport mode trunk
!
interface FastEthernet4
ip address xx.xx.xx.xx xx.xx.xx.xx
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map VPNset
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
ip address 10.0.0.138 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static udp 10.0.0.66 999 interface FastEthernet4 999
ip nat inside source static tcp 10.0.0.66 999 interface FastEthernet4 999
ip nat inside source static tcp 10.0.0.66 88 interface FastEthernet4 88
ip nat inside source static tcp 10.0.0.66 22 interface FastEthernet4 22
ip nat inside source list 101 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.30.40.0 0.0.0.255
access-list 101 deny ip host 172.30.40.70 172.17.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip host 172.30.40.70 any
access-list 120 permit ip host 172.30.40.70 172.17.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
access-class 10 in
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxx
login local
rotary 1
transport input ssh
!
scheduler max-task-time 5000
end
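To make the order of operations behind this question concrete, here is an added example (not part of the original post, and not Cisco tooling) that parses the relevant lines of the quoted configuration and walks a packet through the IOS inside-to-outside sequence, in which static NAT is applied before the crypto map is evaluated, so the crypto ACL has to match the translated source address. The configuration excerpt is constructed: it is the poster's ACLs and Loopback1 with the static NAT line they described added in standard IOS syntax. The function names, the remote host 172.17.5.9 and the untranslated inside host 10.0.0.50 are assumptions made for the example.

```python
"""Consistency check for an IOS static-NAT plus crypto-map setup (added example)."""
import ipaddress

# Constructed excerpt: the poster's ACLs and Loopback1, plus the static NAT entry
# they described (written here as "ip nat inside source static", the IOS syntax).
SAMPLE_CONFIG = """
interface Loopback1
 ip address 172.30.40.70 255.255.255.254
interface Vlan1
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
crypto map VPNset 1 ipsec-isakmp
 match address 120
ip nat inside source static 10.0.0.100 172.30.40.70
access-list 101 deny ip host 172.30.40.70 172.17.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip host 172.30.40.70 172.17.0.0 0.0.255.255
"""


def _parse_addr(tokens, i):
    """Consume one extended-ACL address spec at tokens[i]; return (net, match_mask, next_i).
    match_mask has a 1 bit wherever the packet address must equal net."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return int(ipaddress.IPv4Address(tokens[i])), (~wildcard) & 0xFFFFFFFF, i + 2


def parse_config(text):
    """Pull interface addresses, static NAT entries, the crypto map ACL and
    extended ACL entries out of a running-config (hypothetical helper)."""
    cfg = {"acls": {}, "static_nat": {}, "interface_ips": {}, "crypto_acl": None}
    iface = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface and len(t) == 4:
            cfg["interface_ips"][t[2]] = iface
        elif t[:2] == ["match", "address"]:
            cfg["crypto_acl"] = t[2]
        elif t[:5] == ["ip", "nat", "inside", "source", "static"] and len(t) == 7:
            cfg["static_nat"][t[5]] = t[6]  # inside local -> inside global
        elif t[0] == "access-list" and len(t) > 4 and t[3] == "ip":
            src_net, src_mask, i = _parse_addr(t, 4)
            dst_net, dst_mask, _ = _parse_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], src_net, src_mask, dst_net, dst_mask))
    return cfg


def acl_action(cfg, acl, src, dst):
    """First-match evaluation of an extended ACL; IOS ACLs end in an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sn, sm, dn, dm in cfg["acls"].get(acl, []):
        if (s & sm) == (sn & sm) and (d & dm) == (dn & dm):
            return action
    return "deny"


def outbound_path(cfg, inside_host, remote_host):
    """Inside-to-outside on IOS: static NAT rewrites the source first, then the
    crypto map ACL is checked against the translated packet."""
    translated = cfg["static_nat"].get(inside_host, inside_host)
    encrypted = acl_action(cfg, cfg["crypto_acl"], translated, remote_host) == "permit"
    return {"translated_src": translated, "encrypted": encrypted}


def inbound_path(cfg, remote_host, global_addr):
    """Outside-to-inside: the decrypted packet must match the mirror of the crypto
    ACL, then static NAT maps the inside-global destination back to the inside host."""
    decrypted = acl_action(cfg, cfg["crypto_acl"], global_addr, remote_host) == "permit"
    local = {g: l for l, g in cfg["static_nat"].items()}.get(global_addr)
    return {"decrypted": decrypted, "delivered_to": local}


def conflicts(cfg):
    """Inside-global addresses that are also configured on a local interface, such as
    the poster's Loopback1 test address colliding with the static NAT entry."""
    return [(g, cfg["interface_ips"][g]) for g in cfg["static_nat"].values()
            if g in cfg["interface_ips"]]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("outbound:", outbound_path(cfg, "10.0.0.100", "172.17.5.9"))
    print("inbound: ", inbound_path(cfg, "172.17.5.9", "172.30.40.70"))
    print("conflicts:", conflicts(cfg))
```

With the poster's entries the outbound check reports 10.0.0.100 translated to 172.30.40.70 and matched by ACL 120, so the NAT and crypto ACL agree with each other, while the conflict check flags that 172.30.40.70 is also assigned to Loopback1, which is worth removing before testing the static NAT again. A host such as 10.0.0.50 that has no static entry is not matched by ACL 120 after translation and goes out in clear, which is the behaviour ACL 101's deny line is there to prevent for the translated host only.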

 

2 Replies

Hi,

About your statement:

"ip nat source inside static 10.0.0.100 172.30.40.70, I cannot ping 172.30.40.70 from the remote end."

Does your remote site know how to get to 172.30.40.x, I mean, does it have a route?

"However, when I set 172.30.40.70 as a loopback, I can ping from the remote end."

Do you have any dynamic routing protocol, and when you put this IP on a loopback, is the routing protocol advertising it so that the remote site knows how to reach it?

 

Philip D'Ath
VIP Alumni
Can you ping 10.0.0.100 from your router (does 10.0.0.100 respond to pings)?