site to site tunnel between to WAN locations

JATINDER KUMAR
Level 1

Dear friends, I have a couple of doubts regarding the VPN connectivity between my site and another WAN site.

Can someone please look at the below and clear my doubts?

1. I am given a public IP from the remote site, which will be my peer address.

2. On my router I don't have any public IP. I have a machine inside my network which is on a private IP, and I am NATting this private IP onto a public IP from the router.

3. Do I need a public IP on the router also? If yes, then should I go for a loopback address? But then how do I protect my router from attacks if I put this on a public IP? I have a default route on my router which points to the ISP router.

4. I am using CCP to configure the same, and the errors I am getting are tunnel down and a routing error also.

5. What ACL do I need to create? I just need to allow RDP. Secondly, the protected network will be my inside and his inside only; correct me if I am wrong.

Thanks for the time and help.

SRC Cisco 1800 == WAN ==> DSTN Router ==> CHKPoint VPN device

30 Replies

Hi Ali / Julio, I spent almost the full day but no success; I am not getting the concept right. Please check the config attached and let me know what mistakes I am making. It is failing on peer connectivity.

*************************

Current configuration : 6691 bytes
!
! Last configuration change at 20:55:01 UTC Sat Jan 7 2006 by admin
! NVRAM config last updated at 20:05:28 UTC Sat Jan 7 2006 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EmtelTest
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3221256201
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3221256201
 revocation-check none
 rsakeypair TP-self-signed-3221256201
!
!
crypto pki certificate chain TP-self-signed-3221256201
 certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323231 32353632 3031301E 170D3036 30313032 31323032
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32323132
  35363230 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AE60 A8752492 A2E2B2D5 D9F8918D 4794A3C6 88FCF067 ABFEC1C8 F8F93F49
  05B1B5AC 0007C720 0FB6D2D6 5F4BCABA E58EFB27 5A6DF30A 2B105A7A 931DC596
  132DA42D EFA6EE1E E55256DB 6A06B499 83F96A67 72B56E00 013BA9B3 738EEE1B
  29B5BBB5 C412B9BC EBB53340 E5B8623F 0A3ED669 8FE816B8 597FE945 44E827D2
  4FC50203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
  551D1104 0D300B82 09456D74 656C5465 7374301F 0603551D 23041830 16801405
  182AE6DC 65F3A5E8 45106869 AED7F39A C64A5830 1D060355 1D0E0416 04140518
  2AE6DC65 F3A5E845 106869AE D7F39AC6 4A58300D 06092A86 4886F70D 01010405
  00038181 000902AC 08D682CA 91E707B5 343E8C8D 467DFAA7 D5F4FFC7 A1207346
  DC5EED98 66045CF0 55EE1BD4 7F8B7B60 3CA514F2 76D3C9B9 5A87E412 2D86571C
  496E09A9 59F48533 6EBE23F1 E54D913F 205E2A2E 895A7675 A31114FA 8CECE920
  19FA3C7A 00989DCC 486A5E0A 1C376B0E 147878D4 7DD98C10 5F84C1DB 0C7D54EE
  EFB7430A D8
      quit
ip source-route
!
!
!
!
ip cef
ip name-server 196.192.81.61
ip name-server 196.192.81.62
!
!
license udi pid CISCO861-K9 sn FCZ1533C06Y
!
!
username username privilege 15 secret 5 password
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key PSK-XXYYZZ address 1.2.3.4
!
!
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 1.2.3.4
 set peer 1.2.3.4
 set transform-set client_Transformation
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 196.192.80.6 255.255.255.248
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 172.30.7.194 255.255.255.252
 ip access-group protect_inbound_traffic in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.30.7.193
!
ip access-list extended protect_inbound_traffic
 remark IPSec Rule
 permit ip host 172.17.24.169 host 10.10.11.3
 permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
 permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
 permit esp host 1.2.3.4 host 172.30.7.194
 permit ahp host 1.2.3.4 host 172.30.7.194
 permit icmp any host 196.192.80.6
 permit ip host 1.2.3.4 host 196.192.80.6
 deny   ip any host 196.192.80.6
!
access-list 10 remark CCP_ACL Category=16
access-list 10 permit any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host 10.10.11.3 host 172.17.24.169
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 3 0
 logging synchronous
 login local
!
scheduler max-task-time 5000
end

Good day,

Please try to add this ACL as shown below:

access-list 110 deny ip host 10.10.11.3 host 172.17.24.169
access-list 110 permit ip host 10.10.11.3 any
route-map test permit 10
 match ip address 110
ip nat inside source route-map test interface FastEthernet4 overload

Please add the above to your router and update me.

Regards,

Any good news?

I managed to do that. The only thing that changed is to use the loopback as the tunnel IP; my physical interface IP was getting used, so I gave a command to use the loopback IP as my tunnel IP.

Now one thing: I need to give internet access to this machine. I'm not sure if a static NAT of the inside machine to a public IP will work. Please advise; any idea?

hi,

Please can you clarify your question?

Hi Ali, the requirement now is:

1. Over the tunnel my client connects to one server using RDP, and they are able to do so. But now on the same machine they have a web server configured, and they want this web server to be accessed from the public internet using some FQDN / public IP.

2. Don't know why, but every morning the VPN tunnel stops functioning. Any idea why? That means the client is not able to connect to the server from the remote site. Any idea what I can check?

Hi,

Regarding the VPN tunnel: when the client is unable to connect, please apply this command to check the VPN status (sh cry isa sa). If it is Active, then there is no problem on the VPN.

If it is not active, try to ping the server on the remote site, then try to connect and also apply the above command.

Also apply the below to your router:

crypto ipsec security-association lifetime seconds 86400

Thanks Ali, but sh cry isa sa shows active sessions, and still clients are not able to connect in the morning.

Secondly, the lifetime is already given. Do you think it's something to do with MTU or idle time?

I didn't see the lifetime in your attached configuration, so please add it and test.

Do you mean that the VPN is down in the morning for a while and then comes up again (clients have access)?

Thanks Ali for the time and reply. If you are talking about this lifetime, then I have the below.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800

.................

Two more things to share:

We were just troubleshooting, and we found that the remote-site device shows the tunnel up and they are able to ping me, but my site's tunnel shows down, and the remote site is not able to RDP to the server but is able to ping it.

Secondly, I am always getting this message:

"
Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.091: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.171: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.219: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.255: No peer struct to get peer description
Jun 12 09:28:03.291: No peer struct to get peer description
Jun 12 09:28:03.295: No peer struct to get peer description
Jun 12 09:28:03.415: No peer struct to get peer description
"

What exactly is this?

Please try to remove the below:

ip access-group protect_inbound_traffic in (from int fa 4)

ip access-list extended protect_inbound_traffic
 remark IPSec Rule
 permit ip host 172.17.24.169 host 10.10.11.3
 permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
 permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
 permit esp host 1.2.3.4 host 172.30.7.194
 permit ahp host 1.2.3.4 host 172.30.7.194
 permit icmp any host 196.192.80.6
 permit ip host 1.2.3.4 host 196.192.80.6
 deny   ip any host 196.192.80.6

After you remove the above, if it still does not work, please post the configuration of both end routers.

Thanks for the reply. I don't know why my tunnel is not consistent; very angry. Can you please advise one thing: when applying the ACL for the tunnel, what will the src and dstn IPs be? Will it be the private IPs or the peer IPs?

Secondly, can you please advise about my above error which I am getting:

Jun 12 09:28:03.219: No peer struct to get peer description

Please check the previous reply.

Hi,

The "No peer struct to get peer description" message means that an access-list is not configured correctly.

On the ACL you must use the private IPs, not the peers.

So please use the private IPs on your ACL and update me.

Hope this will help you.

Any news?

I will surely update you. Now the tunnel is up. I need one piece of advice from you: there is a public web site configured on the internal server, and now the client wants this web site to be accessed via the internet, plus he wants his VPN tunnel to stay intact. Please advise how I can have both things for the same server for which the tunnel is created.

About the current VPN status: it gets disconnected every morning, and I don't know why, but it reconnects after a couple of hours. My side Cisco, remote side non-Cisco (Checkpoint).
