Route particular public IP's via site to site vpn.

ribin.jones
Level 1

Hi,

We have got two offices in location A and B and we have site to site vpn between the offices. We have a situation in which a software will get updated if we go only from location B's public IP. I need the same software to be updated from location A also. Is it possible for me to route a particular IP (place where the software update is available) through location B from location A via the site to site vpn?

Any help is very much appreciated

Thanks in advance,

- Ribin

30 Replies

Can you please share the output of "show crypto ipsec sa" in particular the SA between 192.168.11.0/24 and the website public IP. Thanks.

Hi Halijenn,

Find the output below:

Let me know if this was the one you asked for.

local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (website_IP/255.255.255.255/0/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 234, #pkts encrypt: 234, #pkts digest: 234
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 32, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

Thanks. So the output is taken from location A, we are seeing encrypt, ie: traffic from 192.168.11.0/24 is encrypted and sent to location B where the web server is.

Can you please grab the same output from location B? If you are seeing decrypt, but no encrypt, that means the return traffic is failing.

The failure seems to be on location B, you might want to investigate and concentrate on location B to see where it is failing.

Find the below output from location B:

local  ident (addr/mask/prot/port): (webiste_IP/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 234, #pkts decrypt: 234, #pkts verify: 234
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Thanks

OK, so the traffic gets to location B.

Do you have any ACL on location B that might be blocking the traffic? I assume you have "sysopt connection permit-vpn" enabled?

Can you share the config at location B?

I am not sure about the "sysopt connection permit-vpn" command. Location B is using a Cisco 871 router. Below is the config in location B:


Current configuration : 6172 bytes
!
version 12.4
no service pad

!
hostname AtlRouter
!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
!
resource policy
!

ip name-server 208.67.222.222
ip name-server 68.87.68.162
ip name-server 68.87.74.162
ip ssh time-out 60
!

!
!
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
lifetime 28800
!

crypto isakmp key ############# address no-xauth

!
crypto isakmp peer address
!
!
crypto ipsec transform-set atl2tvm esp-3des esp-sha-hmac

crypto map outside_map 6 ipsec-isakmp
set peer
set security-association lifetime seconds 28800
set transform-set atl2tvm
match address tvm

!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $WAN$
ip address 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description Internal
ip address 10.2.10.50 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
ip default-gateway
ip classless
ip route 0.0.0.0 0.0.0.0 ########
ip route 10.2.10.0 255.255.255.0 Vlan1
ip flow-export version 5
ip flow-export destination 10.2.10.118 9991
ip flow-export destination 192.168.1.100 9991
!
no ip http server
no ip http secure-server
ip nat pool atl_nat_pool netmask 255.255.255.252

ip access-list extended atl-lan
deny   ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255

ip access-list extended tvm
permit ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip host 192.168.11.0 0.0.0.255
!


route-map atlanta-map permit 10
match ip address atl-lan
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
ntp server 131.107.1.10
end

I don't see NAT statement for your web server?

Halijenn,

I think you misunderstood my requirement. There is no web server in location B. I am trying to access a website from location A through location B. (When I access this website from location A, I should hit the website using location B's public IP).

- Ribin

Sorry, I thought you were hosting an update server at location B and would like location A to access the server's public IP address.

OK, I completely misunderstood the requirement.

So to confirm, from location A, you would like to access a website on the Internet, but getting NATed with location B's public IP address? If that is the case, no, it will never work. Unless you have a proxy server at location B where it can proxy the connection.

Hmm.. I am already aware of the proxy server method.

So, is it that I won't be able to route 8080 traffic through the VPN? What if I need to route FTP traffic via location B from location A?

- Ribin

Maybe you can do something funky with policy based routing, and routing the traffic towards a loopback interface on location B, and configure "ip nat inside" on your loopback interface, and your NAT ACL to include "permit ip 192.168.11.0 0.0.0.255 host "

It would be a great help if you could elaborate on the steps I need to try out in locations A and B.

- Ribin

I've tested in the lab, and here is what can be done:

1) Keep the crypto ACL advised earlier on both location A and B.

2) On location B, configure PBR as follows:

-- Configure loopback interface so you can send the traffic off to the loopback to be NATed:

interface loopback1

     ip address 172.18.1.1 255.255.255.252

     ip nat inside

-- Configure PBR to send the traffic to the loopback interface:

access-list 120 permit ip 192.168.11.0 0.0.0.255 host

route-map NAT-A-web permit 10

     match ip address 120

     set ip next-hop 172.18.1.2

-- Assign the PBR to the outside interface:

interface FastEthernet4

     ip policy route-map NAT-A-web

-- Also need to add access-list for location B NATing (I assume "atl-lan" is the access-list used for NATing):

ip access-list extended atl-lan

     permit ip 192.168.11.0 0.0.0.255 host

Please let us know if that works.
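The steps above only show the location B side and leave the website address blank. The fragment below is an added, complete worked configuration for both ends, written as an illustration and not taken from the thread or from the poster's lab; it assumes location A is also an IOS router, uses 203.0.113.10 as a constructed placeholder for the website's public IP, and uses hypothetical ACL names (A-TO-B-CRYPTO, A-NAT) on the location A side. The location B names (tvm, atl-lan, access-list 120, NAT-A-web, Loopback1, FastEthernet4) are the ones that appear in the thread.

```cisco
! ===== Location A (LAN 192.168.11.0/24) =====
! Crypto ACL: the website host must be "interesting traffic" so it enters the tunnel.
! ACL name A-TO-B-CRYPTO is hypothetical; 203.0.113.10 is a placeholder for the website.
ip access-list extended A-TO-B-CRYPTO
 permit ip 192.168.11.0 0.0.0.255 10.2.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 host 203.0.113.10
!
! NAT exemption: the website traffic must keep its private source address
! so that it matches the crypto ACL; only the remaining traffic is NATed locally.
! ACL name A-NAT is hypothetical.
ip access-list extended A-NAT
 deny   ip 192.168.11.0 0.0.0.255 10.2.10.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 host 203.0.113.10
 permit ip 192.168.11.0 0.0.0.255 any
!
! ===== Location B (LAN 10.2.10.0/24, public egress on FastEthernet4) =====
! Crypto ACL: mirror of location A, so the return traffic from the website
! (source = website, destination = 192.168.11.0/24) is encrypted back.
ip access-list extended tvm
 permit ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip host 203.0.113.10 192.168.11.0 0.0.0.255
!
! Loopback that acts as an "inside" NAT interface for traffic arriving from the tunnel.
interface Loopback1
 ip address 172.18.1.1 255.255.255.252
 ip nat inside
!
! PBR: only the 192.168.11.0/24 -> website flow is diverted to the loopback.
! Keeping this ACL host-specific stops location A from using B as a general egress.
access-list 120 permit ip 192.168.11.0 0.0.0.255 host 203.0.113.10
!
route-map NAT-A-web permit 10
 match ip address 120
 set ip next-hop 172.18.1.2
!
! Decrypted tunnel traffic is seen on the crypto-map interface, so PBR goes there.
interface FastEthernet4
 ip policy route-map NAT-A-web
!
! NAT ACL: location A's flow to the website is now translated to B's public address.
! The thread shows only the deny line of atl-lan; the local permit line is assumed.
ip access-list extended atl-lan
 deny   ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 host 203.0.113.10
 permit ip 10.2.10.0 0.0.0.255 any
```

The loopback trick works because the policy-routed packet is delivered to an interface marked `ip nat inside`, then routed again via the default route out the `ip nat outside` interface, where the source is translated to location B's public address; the reply is untranslated and, because it now matches the second line of `tvm`, goes back into the tunnel. To confirm each hop, check `show route-map NAT-A-web` for increasing policy-match counts, `show ip nat translations` for an entry whose inside local address is 192.168.11.x, and `show crypto ipsec sa` on both routers for encaps and decaps counters that increase in both directions rather than only one.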

I tried.... But no luck

At what point does it fail?
