Cisco Support Community
Community Member

VPN on a stick

Hi All

I'm using a Cisco 881 router running Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2).

This router is used to connect a remote site (/24 network) to the company main site via a site-to-site VPN tunnel.  In general the /24 network is on the LAN interface (Vlan1) and the VPN tunnel is built up from the WAN interface.  This works just fine.

Right now we have a special situation, and the goal is to use a Cisco 881 router doing the same, but using only a single interface (VPN on a stick).

In the following I will provide some more detail:

1) the remote network is 192.168.1.0/24

2) the vlan1 interface address is 192.168.1.2

3) the DSL router IP address is 192.168.1.1

4) IP addresses 192.168.1.10 to 192.168.1.254 are used by the clients (subnet mask 255.255.255.0, gateway 192.168.1.2)

5) main site network 10.10.0.0/16

Could anybody tell me if this is possible?  If so, could you please provide details on how to do that and/or a sample configuration?

Thanks for your help.

Stefan

Cisco Employee

Re: VPN on a stick

If I understand it right, you want your VPN clients to access resources on the remote end via a site-to-site tunnel.

Community Member

Re: VPN on a stick

Hi

Thanks for your reply.

There are no VPN clients involved.  There are just normal clients in the /24 network.  This network should be connected to the main company site by a site-to-site VPN tunnel.  In the normal situation we use the Cisco 881 with the two interfaces (WAN / LAN) without any problem.  In this special case, the Cisco 881 should be used with only a single interface.

Cisco Employee

Re: VPN on a stick

I don't know how your network is set up, but here are general instructions.

As far as the VPN is concerned, all you need is a static route specifying .1 as the gateway, and do not bring NAT into the picture, as this traffic will not undergo NAT anyway.

If you can briefly tell us your topology, we will be in a better position to answer.

Community Member

Re: VPN on a stick

Hi

Thanks for your reply, and sorry for replying so late, but I was on vacation the last two weeks.  To better explain my question I created a little sketch (please see the attached PNG graphic).

In addition, a little description in words (as good as I could):

The clients in the remote location (network 10.10.10.0/24) should be able to talk to clients in the near location (network 10.10.30.0/24).  The remote clients are configured to use the gateway 10.10.10.1.  Data packets received on gateway 10.10.10.1 are routed directly to network 10.10.20.0/24 or to the next gateway 10.10.20.1, except for traffic with a destination address in network 10.10.30.0/24.  This traffic is routed to the Cisco 881 router with IP address 10.10.10.2.  Now I want this router to build a VPN tunnel to the ASA in the near location with IP address 192.168.30.1.

To do that, my idea was to create a virtual interface on the Cisco 881 with IP address 192.168.10.1.  I wanted to use this interface as the VPN endpoint.  All traffic received on 10.10.10.2 (this should only be traffic from network 10.10.10.0/24 to 10.10.30.0/24, routed to 10.10.10.2 from gateway 10.10.10.1) should be routed on the Cisco 881 to 192.168.10.1.  There it should be rated as interesting traffic and cause the VPN tunnel to be created.  To initiate the VPN tunnel, the virtual interface 192.168.10.1 should start talking to 192.168.30.1.  Therefore, there should be a NAT/PAT for the IP address 192.168.10.1 on interface 10.10.10.2.

At least, this was my idea to make this work.  Unfortunately I have failed up to now.  Either I'm doing something wrong or it just isn't possible.

Is there a way to make this work?

Community Member

Re: VPN on a stick

Hi All

In the meantime I got VPN on a stick to work.  However, one thing is still missing.  Surely somebody here could help me with that.

After the VPN tunnel is established, I want to configure the router from the remote location (10.10.62.0/24) using Cisco Configuration Professional, SSH or Telnet.

But I can't get access to interface Vlan1.  I'm sure that's because there is no NAT for the interface IP address 10.10.55.198.  Extending the NAT so that IP address 10.10.55.198 is NATed as well breaks the initiation of the VPN tunnel.  How could I get this to work?

Please see my config below:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TEST
!
boot-start-marker
boot system flash c880data-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
no ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name domain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username TESTAdmin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
!
!
crypto ipsec transform-set VPN_1 esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association idle-time 300
set transform-set VPN_1
match address 103
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.252
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 10.10.55.198 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map NAT_VPN
no autostate
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.55.193 permanent
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static 10.10.55.200 10.133.66.200
ip nat inside source static 10.10.55.201 10.133.66.201
ip nat inside source static 10.10.55.202 10.133.66.202
ip nat inside source static 10.10.55.203 10.133.66.203
ip nat inside source static 10.10.55.204 10.133.66.204
ip nat inside source static 10.10.55.205 10.133.66.205
ip nat inside source static 10.10.55.206 10.133.66.206
!
no logging trap
access-list 1 remark HTTP and VTY Management Access
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.55.192 0.0.0.15
access-list 1 permit 10.10.62.0 0.0.0.255
access-list 103 remark Interesting VPN Traffic
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.133.66.192 0.0.0.15 10.10.62.0 0.0.0.255
access-list 110 remark Route Interesting VPN Traffic
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip 10.10.55.192 0.0.0.15 10.10.62.0 0.0.0.255
no cdp run
!
!
!
!
route-map NAT_VPN permit 10
match ip address 110
set ip next-hop 192.168.1.2
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end

Many thanks in advance

Stefan
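As an added illustration (not part of the thread, and not Cisco code), the following Python model walks packets through the posted configuration in the order IOS applies the features for traffic entering an "ip nat outside" interface and leaving towards the peer: policy routing, then NAT inside-to-outside, then the crypto map check. It encodes access-list 103, access-list 110, the seven static NAT entries and the Vlan1 address exactly as posted. Everything else is an assumption stated in the comments: that "ip policy route-map" on Vlan1 affects only transit packets (there is no "ip local policy" in the config, so router-originated traffic is not policy routed), that the peer's crypto ACL is the mirror image of access-list 103, and the sample addresses 10.10.62.10 and 10.10.55.199, which are constructed for the demonstration. The model shows why client traffic from 10.10.55.200 is encrypted while traffic to or from the Vlan1 address itself never matches the crypto ACL: the static NAT entry is the gate into the 10.133.66.192/28 range that access-list 103 protects.

```python
import ipaddress
from dataclasses import dataclass

# Model of the posted Cisco 881 "VPN on a stick" configuration (constructed example).
# Order of operations for inside-to-outside traffic follows the documented IOS order:
# policy routing -> routing -> NAT inside-to-outside -> crypto map check.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    locally_generated: bool = False  # True for packets the router itself sends


def _net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ipaddress network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# access-list 103 permit ip 10.133.66.192 0.0.0.15 10.10.62.0 0.0.0.255
CRYPTO_ACL_103 = [(_net("10.133.66.192", "0.0.0.15"), _net("10.10.62.0", "0.0.0.255"))]
# access-list 110 permit ip 10.10.55.192 0.0.0.15 10.10.62.0 0.0.0.255
PBR_ACL_110 = [(_net("10.10.55.192", "0.0.0.15"), _net("10.10.62.0", "0.0.0.255"))]
# ip nat inside source static 10.10.55.200 10.133.66.200 ... through .206
STATIC_NAT = {f"10.10.55.{h}": f"10.133.66.{h}" for h in range(200, 207)}
VLAN1_ADDRESS = "10.10.55.198"  # interface Vlan1, ip nat outside, crypto map applied
DEFAULT_GATEWAY = "10.10.55.193"  # ip route 0.0.0.0 0.0.0.0 10.10.55.193


def acl_permits(acl, src, dst):
    """True if any (source-net, destination-net) entry of the ACL matches the pair."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def outbound(flow):
    """Walk one packet heading to the remote site; returns (encrypted, list of steps)."""
    steps = []
    src = flow.src
    # 1. PBR: 'ip policy route-map NAT_VPN' on Vlan1 applies to transit packets arriving
    #    on Vlan1. Assumption: with no 'ip local policy', router-originated packets skip it.
    pbr = (not flow.locally_generated) and acl_permits(PBR_ACL_110, src, flow.dst)
    steps.append("pbr:next-hop 192.168.1.2 via Loopback0" if pbr else "pbr:none")
    # 2. NAT: static entries translate only for packets moving from an 'ip nat inside'
    #    interface (Loopback0) to the 'ip nat outside' interface (Vlan1). The PBR detour
    #    through Loopback0 is what makes the packet eligible for translation.
    if pbr and src in STATIC_NAT:
        src = STATIC_NAT[src]
        steps.append(f"nat:{flow.src}->{src}")
    else:
        steps.append("nat:none")
    # 3. Crypto map SDM_CMAP_1: encrypt only if the post-NAT packet matches access-list 103.
    encrypted = acl_permits(CRYPTO_ACL_103, src, flow.dst)
    steps.append("crypto:encrypted" if encrypted else f"crypto:cleartext to {DEFAULT_GATEWAY}")
    return encrypted, steps


def inbound_target(global_dst, remote_src="10.10.62.10"):
    """Local address reached by an encrypted packet from the remote site, or None.

    Assumption: the peer protects the mirror image of access-list 103, so only
    destinations in 10.133.66.192/28 arrive inside the tunnel; a destination is then
    usable only if a static NAT entry translates it back to a local host.
    """
    if not acl_permits(CRYPTO_ACL_103, global_dst, remote_src):
        return None
    reverse = {g: l for l, g in STATIC_NAT.items()}
    return reverse.get(global_dst)


if __name__ == "__main__":
    for f in (Flow("10.10.55.200", "10.10.62.10"),
              Flow("10.10.55.199", "10.10.62.10"),
              Flow(VLAN1_ADDRESS, "10.10.62.10", locally_generated=True)):
        print(f.src, "->", f.dst, outbound(f)[1])
    for g in ("10.133.66.200", "10.133.66.198", VLAN1_ADDRESS):
        print("remote ->", g, "reaches", inbound_target(g))
```

Running it shows the client at 10.10.55.200 being policy routed, translated to 10.133.66.200 and encrypted, while 10.10.55.199 (policy routed but without a static entry) and the Vlan1 address (not policy routed at all) leave in the clear towards 10.10.55.193; from the remote side only 10.133.66.200 to .206 translate back to a local host, and neither 10.133.66.198 nor 10.10.55.198 maps to Vlan1.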
