05-14-2012 10:34 PM
Dear friends, I have a couple of doubts regarding the VPN connectivity between my site and another WAN site.
Can someone please look at the below and clear my doubts?
1. I am given a public IP from the remote site which will be my peer address.
2. On my router I don't have any public IP. I have a machine inside my network which is on a private IP, and I am NATting this private IP onto a public IP from the router.
3. Do I need a public IP on the router also? If yes, then should I go for a loopback address? But then how do I protect my router from attacks if I put this on a public IP? I have a default route on my router which points to the ISP router.
4. I am using CCP to configure the same, and the errors I am getting are tunnel down and a routing error also.
5. What ACL do I need to create? I just need to allow RDP. Secondly, the protected network will be my inside and his inside only; correct me if I am wrong.
Thanks for the time and help.
SRC Cisco 1800 == WAN ==> DSTN Router ==> Checkpoint VPN device
05-30-2012 12:11 PM
Hi Ali/Julio, spent almost a full day but no success; not getting the concept right. Please check the config attached and let me know what mistakes I am making. It's failing on peer connectivity.
*************************
Current configuration : 6691 bytes
!
! Last configuration change at 20:55:01 UTC Sat Jan 7 2006 by admin
! NVRAM config last updated at 20:05:28 UTC Sat Jan 7 2006 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EmtelTest
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3221256201
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3221256201
revocation-check none
rsakeypair TP-self-signed-3221256201
!
!
crypto pki certificate chain TP-self-signed-3221256201
certificate self-signed 01
quit
ip source-route
!
!
!
!
ip cef
ip name-server 196.192.81.61
ip name-server 196.192.81.62
!
!
license udi pid CISCO861-K9 sn FCZ1533C06Y
!
!
username username privilege 15 secret 5 password
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key PSK-XXYYZZ address 1.2.3.4
!
!
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 1.2.3.4
set peer 1.2.3.4
set transform-set client_Transformation
match address 100
!
!
!
!
!
interface Loopback0
ip address 196.192.80.6 255.255.255.248
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 172.30.7.194 255.255.255.252
ip access-group protect_inbound_traffic in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 10.10.11.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.30.7.193
!
ip access-list extended protect_inbound_traffic
remark IPSec Rule
permit ip host 172.17.24.169 host 10.10.11.3
permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
permit esp host 1.2.3.4 host 172.30.7.194
permit ahp host 1.2.3.4 host 172.30.7.194
permit icmp any host 196.192.80.6
permit ip host 1.2.3.4 host 196.192.80.6
deny ip any host 196.192.80.6
!
access-list 10 remark CCP_ACL Category=16
access-list 10 permit any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host 10.10.11.3 host 172.17.24.169
!
control-plane
!
!
line con 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 3 0
logging synchronous
login local
!
scheduler max-task-time 5000
end
06-05-2012 06:45 AM
Good day,
Please try to add this ACL as shown below:
access-list 110 deny ip host 10.10.11.3 host 172.17.24.169
access-list 110 permit ip host 10.10.11.3 any
route-map test permit 10
match ip address 110
ip nat inside source route-map test interface FastEthernet4 overload
Please add the above to your router and update me.
Regards,
06-06-2012 06:11 AM
Any good news?
06-06-2012 09:08 AM
I managed to do that. The only thing which changed is to use the loopback as the tunnel IP; my physical interface IP was getting used, so I gave a command to use the loopback IP as my tunnel IP.
Now one thing: I need to give internet to this machine. I'm not sure if a static NAT of the inside machine to a public IP will work. Please advise, any idea?
06-10-2012 03:44 AM
Hi,
Please can you clarify your question?
06-11-2012 11:12 PM
Hi Ali, the requirement now is:
1. On the tunnel my client connects to one server using RDP and they are able to do so. But now on the same machine they have this web server configured, and they want this web server to be accessed over the public internet using some FQDN address/public IP.
2. Don't know why, but every morning the VPN tunnel stops functioning. Any idea why? Meaning the client is not able to connect to the server from the remote site. Any idea what I can check?
06-11-2012 11:44 PM
Hi,
Regarding the VPN tunnel: when the client is unable to connect, please apply this command to check the VPN status (sh cry isa sa); if it is Active then there is no problem on the VPN.
If it is not active, try to ping the server on the remote site, then try to connect and also apply the above command.
Also apply the below to your router:
crypto ipsec security-association lifetime seconds 86400
06-11-2012 11:58 PM
Thanks Ali, but sh cry isa sa shows active sessions, and still clients are not able to connect in the morning.
Secondly, the lifetime is already given. Do you think it's something to do with MTU or idle time?
06-12-2012 02:24 AM
I didn't see the lifetime in your attached configuration, so please add it and test.
Do you mean that the VPN goes down in the morning for a while and then comes up again (client has access)?
06-12-2012 03:02 AM
Thanks Ali for the time and reply. If you are talking about this lifetime, then I have the below.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
.................
Two more things to share:
We were just troubleshooting, and we found that on the remote site device it shows the tunnel up and they are able to ping me, but my site's tunnel shows down, and the remote site is not able to RDP to the server but is able to ping it.
Secondly, I am getting this message always:
"
Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.291: No peer struct to get peer description
Jun 12 09:28:03.295: No peer struct to get peer description
Jun 12 09:28:03.415: No peer struct to get peer description
"
What exactly is this?
06-12-2012 05:36 AM
Please try to remove the below:
ip access-group protect_inbound_traffic in (from int fa 4)
ip access-list extended protect_inbound_traffic
remark IPSec Rule
permit ip host 172.17.24.169 host 10.10.11.3
permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
permit esp host 1.2.3.4 host 172.30.7.194
permit ahp host 1.2.3.4 host 172.30.7.194
permit icmp any host 196.192.80.6
permit ip host 1.2.3.4 host 196.192.80.6
deny ip any host 196.192.80.6
After you remove the above, if it still does not work, please post the configuration of both ends' routers.
06-12-2012 05:50 AM
Thanks for the reply. I don't know why my tunnel is not consistent; very angry. Can you please advise one thing: when applying the ACL for the tunnel, what will the src and dstn IPs be? Will they be the private IPs or the peer IPs?
Secondly, can you please advise about my above error which I am getting:
Jun 12 09:28:03.219: No peer struct to get peer description
Please check the previous reply.
06-12-2012 01:57 PM
Hi,
The "No peer struct to get peer description" message means that an access-list is not configured correctly.
On the ACL you must use the private IPs, not the peers'.
So please use the private IPs on your ACL and update me.
Hope this will help you.
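The two fixes Ali gives in this thread (exempt the VPN-protected flow from NAT with a route-map deny ahead of the permit, and match private hosts rather than peer addresses in the crypto ACL) can be checked mechanically against a config dump. The following is an added example, not from the thread or from Cisco: a small Python lint over a constructed excerpt of the posted config; it assumes only the `host A host B` / `host A any` ACE shapes and the `ip nat inside source route-map` form seen here.

```python
import re
# Constructed excerpt of the router config posted in this thread, with the
# route-map NAT exemption Ali suggested added (not taken from a real device).
CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 1.2.3.4
 match address 100
access-list 100 permit ip host 10.10.11.3 host 172.17.24.169
access-list 110 deny ip host 10.10.11.3 host 172.17.24.169
access-list 110 permit ip host 10.10.11.3 any
route-map test permit 10
 match ip address 110
ip nat inside source route-map test interface FastEthernet4 overload
"""
# Only the 'host A host B' / 'host A any' ACE shapes used in the thread are parsed.
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip host (\S+) (?:host (\S+)|(any))", re.M)

def parse_aces(config):
    """Numbered ACL -> ordered list of (action, src_host, dst_host or 'any')."""
    aces = {}
    for m in ACE.finditer(config):
        num, action, src, dst, _ = m.groups()
        aces.setdefault(num, []).append((action, src, dst or "any"))
    return aces

def first_match(acl, src, dst):
    """Action of the first ACE matching the flow, or None when nothing matches."""
    return next((a for a, s, d in acl if s == src and d in ("any", dst)), None)

def nat_acl_number(config):
    """ACL behind 'ip nat inside source route-map NAME' (the form used in the thread)."""
    m = re.search(r"ip nat inside source route-map (\S+)", config)
    rm = m and re.search(r"route-map %s permit \d+\n match ip address (\d+)" % re.escape(m.group(1)), config)
    return rm.group(1) if rm else None

def lint(config):
    """Findings for the two crypto-ACL mistakes discussed in the thread; [] means clean."""
    findings, aces = [], parse_aces(config)
    peer = re.search(r"set peer (\S+)", config).group(1)
    crypto_acl = re.search(r"match address (\d+)", config).group(1)
    nat = aces.get(nat_acl_number(config), [])
    for action, src, dst in aces.get(crypto_acl, []):
        if action != "permit":
            continue
        if peer in (src, dst):  # crypto ACL must match the private hosts, not the peers
            findings.append(f"ACL {crypto_acl}: {src}->{dst} names peer {peer}; use the private hosts")
        if first_match(nat, src, dst) == "permit":  # inside NAT runs before IPsec, so the flow would never match
            findings.append(f"NAT translates {src}->{dst} before IPsec; deny it in the NAT ACL first")
    return findings
```

With the deny line removed, `lint` reports the NAT-before-IPsec problem; with the crypto ACL rewritten to name 1.2.3.4, it reports the peer-address mistake.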
06-14-2012 02:31 AM
Any news?
06-14-2012 04:27 AM
I will surely update you. Now the tunnel is up. I need one piece of advice from you: there is a public web site configured on the internal server, and now the client wants this web site to be accessed via the internet, plus he wants his VPN tunnel to be intact. Please advise how I can have both things for the same server for which the tunnel is created.
About the current VPN status: it gets disconnected every morning, and I don't know why it reconnects after a couple of hours. My side is Cisco, the remote side non-Cisco (Checkpoint).