Cisco Support Community
New Member

Route particular public IP's via site to site vpn.

Hi,

We have two offices in locations A and B, with a site-to-site VPN between them. We have a situation in which a piece of software will get updated only if we go from location B's public IP. I need the same software to be updated from location A also. Is it possible for me to route a particular IP (the place where the software update is available) through location B from location A via the site-to-site VPN?

Any help is very much appreciated

Thanks in advance,

- Ribin

30 REPLIES
New Member

Re: Route particular public IP's via site to site vpn.

No replies?

- Ribin

New Member

Re: Route particular public IP's via site to site vpn.

Is there any solution for this? I am not sure whether this can even be done... Please help me on this...

- Ribin

Re: Route particular public IP's via site to site vpn.

Routing the public IP through the VPN tunnel will not work because it is not in your VPN encryption domain.

You will have to do policy-based NAT at site B and site A.

And then add the public IP to the encryption domain at sites A and B.

But this will complicate your setup and would require a lot of changes at both ends.

An alternative, easier option would be to use a proxy server (like Squid) at site A, so that users at site B can use the proxy to get the software updates.

New Member

Re: Route particular public IP's via site to site vpn.

Thanks a ton for the response.

Yes, I am aware of the proxy server method. But I need to do this proxy-independent. Can you explain the first step?

- Ribin

New Member

Re: Route particular public IP's via site to site vpn.

Dear Ribin,

Can you explain what you mean by updating software from location B's public IP? I mean, where is this software? At location A or B? A diagram will certainly help here :-)

Cisco Employee

Re: Route particular public IP's via site to site vpn.

Please advise what device is your VPN termination point.

New Member

Re: Route particular public IP's via site to site vpn.

Hi,

VPN is done on a Cisco 2811 router in location A and on a Cisco 871/Cisco 2801 (done on both routers; either one of the two will do the job for me) in location B.

By updating software from location B's public IP, I mean I need to access a website from location A using location B's public IP. (Route traffic to that website from location A to location B via the VPN, so that I hit that website from location B's public IP.)

- Ribin

New Member

Re: Route particular public IP's via site to site vpn.

Dear Ribin, now it's clear. Sorry if it's bothering you, but can you repeat what you actually want now :-) ?

Currently you have software that gets updated from a website only when accessed from location B's IP? Is that correct?

The picture I am getting is that you have internet at locations A and B, and you have a dedicated link between these two locations.

Correct me if I am wrong anywhere.

New Member

Re: Route particular public IP's via site to site vpn.

My mistake, there doesn't seem to be an internet connection at location A. :-)

It actually depends on routing. You need to do (and verify) the following:

1) The software IP can reach the website either through a static or a default route. Make sure the router at location A has an appropriate route to reach this website (either a static or a default route).

2) You must be doing NATing, so add the IP of this software to the NAT statement (probably an access-list) so that it can now reach the internet.

3) Make sure you have a return route from location B to location A for this software IP.

If the above parts are in place then it's quite easy :-)

New Member

Re: Route particular public IP's via site to site vpn.

I have an Internet connection in location A and in location B. I have set up a site-to-site VPN to connect these offices.

- Ribin

Cisco Employee

Re: Route particular public IP's via site to site vpn.

If it's a router, then it's easy.

Just add crypto ACL as follows:

On location A:

- permit ip host

On location B:

- permit ip host

Hope that helps.

New Member

Re: Route particular public IP's via site to site vpn.

Hi,

No luck. I am getting hits to the crypto acl in location A. But I am not able to pull the site.

Just to clarify, what do you mean by "public-ip-of-server-B" in your explanation? ... I guess it is the public IP of the site which I need to reach via location B's public IP.

- Ribin

New Member

Re: Route particular public IP's via site to site vpn.

Hi,

In fact, when I ping the website from location A, I get hits on the location A and location B crypto ACLs.

Below are my crypto ACLs in locations A and B.

In Location A,

permit ip 192.168.11.0 0.0.0.255 host

In Location B,

permit ip host 192.168.11.0 0.0.0.255

- Ribin

New Member

Re: Route particular public IP's via site to site vpn.

Any solution to my problem?

- Ribin

Cisco Employee

Re: Route particular public IP's via site to site vpn.

Can you please share the output of "show crypto ipsec sa" in particular the SA between 192.168.11.0/24 and the website public IP. Thanks.

New Member

Re: Route particular public IP's via site to site vpn.

Hi Halijenn,

Find the below o/p:

Let me know if this was the one you asked for.

local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (website_IP/255.255.255.255/0/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 234, #pkts encrypt: 234, #pkts digest: 234
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 32, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

Cisco Employee

Re: Route particular public IP's via site to site vpn.

Thanks. So the output is taken from location A, and we are seeing encrypt, i.e. traffic from 192.168.11.0/24 is encrypted and sent to location B where the web server is.

Can you please grab the same output from location B? If you are seeing decrypt but no encrypt, that means the return traffic is failing.

The failure seems to be on location B; you might want to investigate and concentrate on location B to see where it is failing.

New Member

Re: Route particular public IP's via site to site vpn.

Find the below output from location B:

local  ident (addr/mask/prot/port): (webiste_IP/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 234, #pkts decrypt: 234, #pkts verify: 234
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Thanks

Cisco Employee

Re: Route particular public IP's via site to site vpn.

OK, so the traffic gets to location B.

Do you have any ACL on location B that might be blocking the traffic? I assume you have "sysopt connection permit-vpn" enabled?

Can you share the config at location B?
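As an added example (not part of the thread), a small Python check that reproduces Halijenn's reading of the two "show crypto ipsec sa" outputs above: mirrored proxy identities, encrypt on one end and decrypt-only on the other means the forward path works and the return path is lost inside the remote site. The two SA excerpts are constructed and abbreviated from the thread's outputs, with 198.51.100.10 standing in for the redacted website IP.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" excerpts modelled on the two
# outputs in the thread (same counters; 198.51.100.10 stands in for the website IP).
SA_LOCATION_A = """\
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/0/0)
    #pkts encaps: 234, #pkts encrypt: 234, #pkts digest: 234
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 32, #recv errors 0
"""
SA_LOCATION_B = """\
   local  ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 234, #pkts decrypt: 234, #pkts verify: 234
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/")


def parse_sa(text):
    """Pull the proxy identities and the encaps/decaps counters out of one SA block."""
    idents = dict(IDENT_RE.findall(text))  # {"local": "net/mask", "remote": "net/mask"}

    def counter(name):
        return int(re.search(rf"#{name} (\d+)", text).group(1))

    return {
        "local": idents["local"],
        "remote": idents["remote"],
        "encaps": counter("pkts encaps:"),
        "decaps": counter("pkts decaps:"),
        "send_errors": counter("send errors"),
    }


def diagnose(sa_a, sa_b):
    """Compare both ends of one SA and return finding codes (empty list -> "bidirectional_ok")."""
    a, b = parse_sa(sa_a), parse_sa(sa_b)
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("proxy_ids_not_mirrored")  # crypto ACLs must be mirror images
    if a["encaps"] and not b["decaps"]:
        findings.append("forward_path_lost")  # A encrypts, B never receives it
    if a["encaps"] and b["decaps"] and not b["encaps"]:
        findings.append("return_path_lost")  # B decrypts but never encrypts anything back
    if a["send_errors"]:
        findings.append("send_errors_at_a")  # packets dropped before encryption, e.g. while the SA was still coming up
    return findings or ["bidirectional_ok"]
```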

New Member

Re: Route particular public IP's via site to site vpn.

I am not sure about the "sysopt connection permit-vpn" command. Location B is using a Cisco 871 router. Below is the config in location B:

Current configuration : 6172 bytes
!
version 12.4
no service pad

!
hostname AtlRouter
!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
!
resource policy
!

ip name-server 208.67.222.222
ip name-server 68.87.68.162
ip name-server 68.87.74.162
ip ssh time-out 60
!

!
!
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
lifetime 28800
!

crypto isakmp key ############# address no-xauth

!
crypto isakmp peer address
!
!
crypto ipsec transform-set atl2tvm esp-3des esp-sha-hmac

crypto map outside_map 6 ipsec-isakmp
set peer
set security-association lifetime seconds 28800
set transform-set atl2tvm
match address tvm

!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $WAN$
ip address 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description Internal
ip address 10.2.10.50 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
ip default-gateway
ip classless
ip route 0.0.0.0 0.0.0.0 ########
ip route 10.2.10.0 255.255.255.0 Vlan1
ip flow-export version 5
ip flow-export destination 10.2.10.118 9991
ip flow-export destination 192.168.1.100 9991
!
no ip http server
no ip http secure-server
ip nat pool atl_nat_pool netmask 255.255.255.252

ip access-list extended atl-lan
deny   ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255

ip access-list extended tvm
permit ip 10.2.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip host 192.168.11.0 0.0.0.255
!


route-map atlanta-map permit 10
match ip address atl-lan
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
ntp server 131.107.1.10
end

Cisco Employee

Re: Route particular public IP's via site to site vpn.

I don't see NAT statement for your web server?

New Member

Re: Route particular public IP's via site to site vpn.

Halijenn,

I think you misunderstood my requirement. There is no web server in location B. I am trying to access a website from location A through location B. (When I access this website from location A, I should hit the website from location B's public IP.)

- Ribin

Cisco Employee

Re: Route particular public IP's via site to site vpn.

Sorry, I thought you were hosting an update server at location B and would like location A to access the server's public IP address.

OK, I completely misunderstood the requirement.

So to confirm, from location A you would like to access a website on the Internet, but get NATed with location B's public IP address? If that is the case, no, it will never work, unless you have a proxy server at location B where it can proxy the connection.

New Member

Re: Route particular public IP's via site to site vpn.

Hmm.. I am already aware of the proxy server method.

So, is it that I won't be able to route 8080 traffic through the VPN? What if I need to route FTP traffic via location B from location A?

- Ribin

Cisco Employee

Re: Route particular public IP's via site to site vpn.

Maybe you can do something funky with policy-based routing: route the traffic towards a loopback interface on location B, configure "ip nat inside" on your loopback interface, and extend your NAT ACL to include "permit ip 192.168.11.0 0.0.0.255 host "

New Member

Re: Route particular public IP's via site to site vpn.

It would be a great help if you could elaborate the steps I need to try out in locations A and B.

- Ribin

Cisco Employee

Re: Route particular public IP's via site to site vpn.

I've tested in the lab, and here is what can be done:

1) Keep the crypto ACL advised earlier on both location A and B.

2) On location B, configure PBR as follows:

-- Configure a loopback interface so you can send the traffic off to the loopback to be NATed:

interface loopback1
     ip address 172.18.1.1 255.255.255.252
     ip nat inside

-- Configure PBR to send the traffic to the loopback interface:

access-list 120 permit ip 192.168.11.0 0.0.0.255 host

route-map NAT-A-web permit 10
     match ip address 120
     set ip next-hop 172.18.1.2

-- Assign the PBR to the outside interface:

interface FastEthernet4
     ip policy route-map NAT-A-web

-- You also need to add the location A network to the access-list used for location B NATing (I assume "atl-lan" is the access-list used for NATing):

ip access-list extended atl-lan
     permit ip 192.168.11.0 0.0.0.255 host

Please let us know if that works.

New Member

Re: Route particular public IP's via site to site vpn.

I tried.... But no luck.

Cisco Employee

Re: Route particular public IP's via site to site vpn.

At what point does it fail?
