08-16-2010 11:54 AM - edited 02-21-2020 04:47 PM
Hello,
I am really stuck with configuring an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN Client remote access to this VPN.
The problem is with remote access (Cisco VPN Client access): I can communicate with the hub LAN, but I also need communication to all spoke LANs from the Cisco VPN Client.
On the spokes there is no Cisco hardware used; there are DLINK routers.
Somebody told me it is possible to use NAT to translate the remote access clients to a hub LAN IP and so allow communication, but I am unable to configure it and get it working.
Can somebody help me please?
Thank you
Peter
SPOKES: non-Cisco devices from another vendor
HUB: Cisco 1841 HSEC:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
08-16-2010 02:46 PM
Both the crypto ACL for the site-to-site VPN and the split-tunnel ACL for the Cisco VPN Client need the respective ACL line added.
Based on the configuration, I believe you have the following:
Local subnet: 192.168.7.0/24
Remote subnet: 192.168.1.0/24
VPN Client subnet: 192.168.200.0/24
ACL 180 is the site-to-site VPN crypto ACL; you would need to add the following:
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
On the remote DLINK router, you would also need to add the corresponding mirror image ACL:
access-list xxx permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
Then on the split-tunnel ACL 190, you would also need to add the following:
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
Hope that helps.
08-17-2010 01:16 AM
Hello,
thank you for your help. I have altered the ACLs:
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255      (local LAN to remote LAN A)
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255    (local LAN to VPN client)
 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255    (VPN client to remote LAN A)
 permit ip 192.168.7.0 0.0.0.255 any
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255    (local LAN to VPN client)
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255    (remote LAN A to VPN client)
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255      (local LAN to remote LAN A)
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255    (VPN client to remote LAN A)
But I cannot reach remote LAN A from the Cisco VPN clients.
The remote LAN routers are not Cisco devices; they are low-end DLINK VPN routers with a web GUI. I cannot configure the reverse ACL on them. I think that's the problem.
Is it somehow possible to use NAT to translate the remote access VPN clients to a local LAN IP and so reach remote LAN A?
Thank you
08-17-2010 01:29 AM
How was the DLINK configured for the traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you need to add the VPN Client pool subnet.
Alternatively, if you can't add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and in the site-to-site VPN crypto ACL you need to change the existing ACL 180
FROM:
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Then also change the split-tunnel ACL 190:
FROM:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Lastly, change the DLINK remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.
Hope that helps.
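The two answers above turn on one point: the hub's crypto ACL (the IPsec proxy IDs it proposes in quick mode) must be mirrored on the spoke, and a spoke that can hold only one remote subnet can mirror only one pair, which is why a /23 supernet covering both the hub LAN (192.168.7.0/24) and the relocated client pool (192.168.6.0/24) works where a second ACE did not. The script below is an added example, not part of the thread or of any Cisco or D-Link software: it converts IOS wildcard masks to prefixes, parses the ACLs exactly as posted, and reports for a given flow whether the hub would encrypt it, whether the hub's NAT ACL would rewrite it first, and whether a spoke that knows a single remote/local pair and requires an exact proxy-ID match would accept the proposal. That single-pair, exact-match spoke behaviour is an assumption made for the model; the thread does not document how the DLINK units match selectors.

```python
"""Added model of the hub/spoke IPsec selectors from this thread.
Assumption (not documented in the thread): the spoke holds one remote/local
subnet pair and accepts quick-mode proxy IDs only if they mirror it exactly."""
import ipaddress

IPv4Network = ipaddress.IPv4Network

def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """An IOS wildcard mask (0.0.1.255) is the bitwise inverse of the netmask."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return IPv4Network((addr, prefix), strict=False)

def _operand(tokens, i):
    """Parse one address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acl(text: str):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip ...' entries from
    either 'access-list N ...' lines or a named-ACL body; other lines and any
    text after the two operands (the poster's annotations) are ignored."""
    aces = []
    for raw in text.splitlines():
        t = raw.split("!")[0].split()
        if t[:1] == ["access-list"]:
            t = t[2:]          # drop 'access-list' and the list number
        if len(t) < 3 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, i = _operand(t, 2)
        dst, _ = _operand(t, i)
        aces.append((t[0], src, dst))
    return aces

def acl_action(aces, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return action
    return "deny"

def hub_selects(crypto_aces, src: str, dst: str):
    """Proxy-ID pair of the permit ACE the flow hits, or None (sent in clear)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in crypto_aces:
        if action == "permit" and s in sn and d in dn:
            return sn, dn
    return None

def proposed_proxy_ids(crypto_aces):
    """One quick-mode proposal per permit ACE, as the spoke will see them."""
    return [f"{sn} -> {dn}" for action, sn, dn in crypto_aces if action == "permit"]

def spoke_accepts(proxy_ids, spoke_remote: str, spoke_local: str) -> bool:
    """Assumed spoke: one remote/local pair, proxy IDs must mirror it exactly."""
    sn, dn = proxy_ids
    return sn == IPv4Network(spoke_remote) and dn == IPv4Network(spoke_local)

def flow_status(crypto_acl: str, nat_acl: str, spoke_remote: str,
                spoke_local: str, src: str, dst: str) -> str:
    """'ok', 'cleartext', 'natted-before-crypto' or 'spoke-rejects-proxy-id'."""
    ids = hub_selects(parse_acl(crypto_acl), src, dst)
    if ids is None:
        return "cleartext"
    # IOS translates inside->outside before consulting the crypto map, so a flow
    # the NAT ACL permits leaves with the WAN address and never matches ACL 180.
    if acl_action(parse_acl(nat_acl), src, dst) == "permit":
        return "natted-before-crypto"
    if not spoke_accepts(ids, spoke_remote, spoke_local):
        return "spoke-rejects-proxy-id"
    return "ok"

# ACLs as posted in the thread; spoke values are the DLINK side as described.
ORIGINAL_ACL_180 = """
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
FIXED_ACL_180 = "access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255"
NAT_ACL_LOCAL = """
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
"""
SPOKE_LAN = "192.168.1.0/24"

if __name__ == "__main__":
    print(proposed_proxy_ids(parse_acl(ORIGINAL_ACL_180)))
    print(flow_status(ORIGINAL_ACL_180, NAT_ACL_LOCAL, "192.168.7.0/24", SPOKE_LAN,
                      "192.168.200.101", "192.168.1.10"))  # spoke-rejects-proxy-id
    print(flow_status(FIXED_ACL_180, NAT_ACL_LOCAL, "192.168.6.0/23", SPOKE_LAN,
                      "192.168.6.101", "192.168.1.10"))    # ok
```

Run it as-is to see the two states: with the two-line ACL 180 the hub proposes a second pair, 192.168.200.0/24 to 192.168.1.0/24, that the single-subnet spoke has no mirror for, while the /23 line yields one proposal that the spoke's 192.168.6.0/255.255.254.0 entry matches, and the unchanged NAT ACL still leaves pool traffic untranslated because its only permit is for 192.168.7.0/24 sources. The `natted-before-crypto` branch is the check to keep in mind if the NAT ACL is ever widened to cover the pool.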
08-17-2010 02:03 AM
WOW, it worked (the 192.168.6.0 network). Thank you very much; I would never have had such an idea.