Cisco VPN client connection. How to NAT after connecting?

Hi,

I have a Cisco 1941 which has several Cisco VPN clients connecting to it which all works fine. The details of the LAN and VPN clients are as below:

Cisco 1941 LAN : 172.16.1.0 255.255.255.0

VPN Clients : 192.168.5.0 255.255.255.0

As mentioned, this works fine, but I'm about to set up a point-to-point VPN from the above Cisco to another site which isn't controlled by myself, and the remote side of this point-to-point VPN will only allow connections from the "172.16.1.0" subnet to communicate with it.

The issue I have is that the Cisco VPN clients also need to communicate with the remote side of this point-to-point VPN, but they are obviously coming from the "192.168.5.0" subnet. Is this possible, and if so, if anyone can offer advice on where to start with this, that would be fantastic.

Thanks

Andy

3 Replies

rizwanr74
Level 7

Please copy your config to the forum, along with the remote LAN IP segment which will be establishing the L2L VPN tunnel.

I know it is possible on the Cisco ASA or PIX firewall, but I have not done anything like this on the routers, where VPN clients need to access a remote VPN tunnel.

I will see what I can do to help you.

Thanks

Thanks Rizwanr74,

Unfortunately I don't have access to the remote LAN IP segment, and it's not something I can get hold of either. I've only been told that the VPN clients need to go over the point-to-point VPN tunnel with a source of "172.16.1.X".

I've copied my current configuration below. This doesn't have the tunnel on yet, but it does have the Cisco VPN client details.

Building configuration...

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxxxxxxx
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.17.1.201 172.17.1.254
!
ip dhcp pool LANPOOL2
 network 172.17.1.0 255.255.255.0
 default-router 172.17.1.1
 dns-server 208.67.222.222 208.67.220.220
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
archive
 log config
  hidekeys
username xxxxx secret xxxx
username xxxxx password xxxxx
!
redundancy
!
!
!
!
!
class-map match-any VOIP
 match input-interface FastEthernet0/0/0
class-map match-any Data
 match input-interface GigabitEthernet0/1
!
!
policy-map QoS
 class VOIP
  bandwidth percent 5
 class Data
  bandwidth percent 94
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group remote
 key xxxxxxxxxxx
 dns 8.8.8.8
 pool vpnpool
 acl VPN-Traffic
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 3des
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 100 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 bandwidth 40000
 ip address 1.0.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN
 max-reserved-bandwidth 100
 service-policy output QoS
!
interface GigabitEthernet0/1
 bandwidth 40000
 ip address 172.17.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 max-reserved-bandwidth 100
 service-policy output QoS
!
interface FastEthernet0/0/0
 bandwidth 40000
 ip address 172.17.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 max-reserved-bandwidth 100
 service-policy output QoS
!
ip local pool vpnpool 192.168.5.1 192.168.5.100
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route 172.17.4.0 255.255.255.0 172.17.1.250
ip route 172.22.223.97 255.255.255.255 172.17.1.240
ip route 172.22.223.98 255.255.255.255 172.17.1.240
ip route 172.22.223.101 255.255.255.255 172.17.1.240
!
ip access-list extended VPN-Traffic
 permit ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended nonat
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 172.17.2.0 0.0.0.255 any
 deny   ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255
!
route-map nonat permit 10
 match ip address nonat
!
control-plane
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport input all
!
scheduler allocate 20000 1000
end

I would recommend first establishing the L2L VPN tunnel to the remote site by reordering the ACL.

ip access-list extended nonat
 deny   ip 172.16.1.0 0.0.0.255 xxx.xxx.xxx.xx 0.0.0.xxx   <-- xxx is your remote LAN segment
 deny   ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 172.17.2.0 0.0.0.255 any

Now create a pool of IP addresses for the purpose of NATting.

ip nat pool LAN-pool 172.16.1.1 172.16.1.254 netmask 255.255.255.0

Create an ACL to identify the source and destination to be NATed to the LAN-pool above.

ip access-list extended ACL-POLICY-NAT
 permit ip 192.168.5.0 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255   <-- xxx is your remote LAN segment

Now policy-NAT the remote VPN clients to the LAN-pool created above.

ip nat inside source list ACL-POLICY-NAT pool LAN-pool overload

Now create an ACL to be used by the crypto engine to identify the interesting traffic.

ip access-list extended ACL-L2-REMOTE-L2
 permit ip 172.16.1.0 0.0.0.255 XXX.XXX.XXX.XX 0.0.0.255   <-- xxx is your remote LAN segment

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YOUR-PASSWORD-GOES-HERE address x.x.x.x   <-- x.x.x.x is the remote IPsec peer's public address

crypto map VPN 200 ipsec-isakmp
 set peer x.x.x.x   <-- x.x.x.x is the remote IPsec peer's public address
 set transform-set 3des
 match address ACL-L2-REMOTE-L2
 reverse-route

ip access-list extended VPN-Traffic
 permit ip 172.16.1.0 0.0.0.255 XXX.XXX.XXX.XX 0.0.0.255   <-- xxx is your remote LAN segment
 permit ip 172.17.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 172.17.2.0 0.0.0.255 192.168.5.0 0.0.0.255

This should do it.

Let me know how it is coming.

Thanks

Rizwan Rafeek
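As an added example that is not part of the thread (it is neither Andy's configuration nor Rizwan's reply), the following consolidates the policy-NAT approach described above against the addressing that actually appears in the posted configuration: LANs 172.17.1.0/24 and 172.17.2.0/24, client pool 192.168.5.0/24, outside interface GigabitEthernet0/0, and 172.16.1.0/24 used as the NAT pool the remote side expects (the question describes it as the LAN, the running config does not contain it). The remote LAN 10.0.0.0/24, the peer address 203.0.113.1, the loopback address and the ACL and route-map names are placeholders I chose. It also covers a point the reply does not address: decrypted VPN-client packets arrive on Gi0/0 ("ip nat outside") and would leave through Gi0/0 again, so they never cross an "ip nat inside" interface and classic inside-source NAT does not translate them. The loopback plus policy route below is the hairpin technique Cisco documents for VPN-client traffic on IOS; treat it as an assumption to verify on your platform rather than something the thread confirms. The split-tunnel ACL entry is written with the remote LAN as the protected network, because that is what the client is told to send into its tunnel.

```cisco
! Added example, not from the thread. Placeholders (assumptions):
!   remote LAN behind the L2L peer . 10.0.0.0/24
!   remote IPsec peer public address 203.0.113.1
!   NAT pool accepted by remote side . 172.16.1.0/24
!
! 1. Phase 1 / phase 2 for the static site-to-site peer.
!    3DES/SHA-1/group 2 are kept only to match the existing client tunnel;
!    use AES, SHA-256 and DH group 14 or higher if the remote peer allows it.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! 2. Policy NAT: only client traffic bound for the remote LAN is translated.
!    The existing "nonat" route-map rule matches 172.17.x sources only, so it
!    never sees 192.168.5.x and the two NAT statements do not overlap.
ip nat pool LAN-pool 172.16.1.1 172.16.1.254 netmask 255.255.255.0
ip access-list extended ACL-POLICY-NAT
 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
ip nat inside source list ACL-POLICY-NAT pool LAN-pool overload
! The remote side will only ever see 172.16.1.x; log translations so a
! source port seen on the far end can still be mapped back to a client.
ip nat log translations syslog
!
! 3. Hairpin: force decrypted client packets through a NAT-inside loopback
!    so inside-to-outside NAT fires before they are re-encrypted on Gi0/0.
interface Loopback0
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
ip access-list extended ACL-CLIENT-TO-REMOTE
 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map CLIENT-HAIRPIN permit 10
 match ip address ACL-CLIENT-TO-REMOTE
 set interface Loopback0
!
interface GigabitEthernet0/0
 ip policy route-map CLIENT-HAIRPIN
!
! 4. Crypto ACL matches the post-NAT source: NAT runs before encryption on
!    the inside-to-outside path, so 172.16.1.x is what the tunnel carries.
ip access-list extended ACL-L2L-REMOTE
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map VPN 200 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set 3des
 match address ACL-L2L-REMOTE
 reverse-route
!
! 5. Split-tunnel ACL: protected network as source, client pool as
!    destination, so the client routes 10.0.0.0/24 into its tunnel.
ip access-list extended VPN-Traffic
 permit ip 10.0.0.0 0.0.0.255 192.168.5.0 0.0.0.255
```

To check the path once a client is connected and pinging a host in the remote LAN: `show crypto isakmp sa` should list 203.0.113.1 in QM_IDLE, `show crypto ipsec sa peer 203.0.113.1` should show encaps/decaps counters rising for the 172.16.1.0/24 to 10.0.0.0/24 SA, `show ip nat translations` should contain entries mapping 192.168.5.x to 172.16.1.x, and the hit counter on `show ip access-lists ACL-CLIENT-TO-REMOTE` should increment. If the NAT table stays empty while the ping leaves the client, the hairpin step is the one to revisit.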
