I'm using a Cisco 881 router with IOS version (Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)).
This router is used to connect a remote site (/24 network) to the company main site via a site-to-site VPN tunnel. In general the /24 network is on the LAN interface (vlan1) and the VPN tunnel is built up from the WAN interface. This works just fine.
Right now, we have a special situation and the goal is to use a Cisco 881 router to do the same using just a single interface (VPN on a stick).
In the following I will provide some more detail:
1) the remote network is 192.168.1.0/24
2) the vlan1 interface address is 192.168.1.2
3) the DSL router IP address is 192.168.1.1
4) IP addresses 192.168.1.10 to 192.168.1.254 are used by the clients (subnet 255.255.255.0, gateway 192.168.1.2)
5) main site network 10.10.0.0/16
Could anybody tell me if this is possible? If so, could you please provide details how to do that and/or a sample configuration?
There are no VPN clients involved. There are just normal clients in the /24 network. This network should be connected to the main company by a site-to-site VPN tunnel. In the normal situation we use the Cisco 881 with the 2 interfaces (WAN / LAN) without any problem. In this special case, the Cisco 881 should be used with only a single interface.
Thanks for your reply and sorry for replying so late, but I was on vacation the last 2 weeks. To better understand my question I created a little sketch (please see the attached PNG graphic).
In addition a little description in words (as good as I could):
The clients in the remote location (network 10.10.10.0/24) should be able to talk to clients in the near location (network 10.10.30.0/24). The remote clients are configured to use the gateway 10.10.10.1. Data packets received on gateway 10.10.10.1 are routed directly to network 10.10.20.0/24 or to the next gateway 10.10.20.1, except for traffic with a destination address from network 10.10.30.0/24. This traffic is routed to the Cisco 881 router with IP address 10.10.10.2. Now I want this router to build a VPN tunnel to the near location ASA with IP address 192.168.30.1.
To do that, my idea was to create a virtual interface on the Cisco 881 with IP address 192.168.10.1. This interface I wanted to use as the VPN endpoint. All traffic received on 10.10.10.2 (should be traffic from network 10.10.10.0/24 to 10.10.30.0/24 only, routed to 10.10.10.2 from gateway 10.10.10.1) should on the Cisco 881 be routed to 192.168.10.1. Here it should be rated as interesting traffic and cause the VPN tunnel to be created. To initiate the VPN tunnel, the virtual interface 192.168.10.1 should start talking to 192.168.30.1. Therefore, for the IP address 192.168.10.1 there should be a NAT/PAT on interface 10.10.10.2.
At least, this was my idea to make this work. Unfortunately I have failed up to now. Either I'm doing something wrong or it just isn't possible.
In the meantime I got VPN on a stick to work. However, one thing is still missing. For sure somebody here could help me with that.
After the VPN tunnel is established, I want to configure the router from the remote location (10.10.62.0/24) using Cisco Configuration Professional, SSH or Telnet.
But I can't get access to interface Vlan1. I'm sure that's about not having a NAT for the interface IP address 10.10.55.198. Extending the NAT to have IP address 10.10.55.198 NATed also breaks the initiation of the VPN tunnel. How could I get this to work?
Please see my config below:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TEST
!
boot-start-marker
boot system flash c880data-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
no ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name domain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username TESTAdmin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
!
crypto ipsec transform-set VPN_1 esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association idle-time 300
 set transform-set VPN_1
 match address 103
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.10.55.198 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map NAT_VPN
 no autostate
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.55.193 permanent
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.10.55.200 10.133.66.200
ip nat inside source static 10.10.55.201 10.133.66.201
ip nat inside source static 10.10.55.202 10.133.66.202
ip nat inside source static 10.10.55.203 10.133.66.203
ip nat inside source static 10.10.55.204 10.133.66.204
ip nat inside source static 10.10.55.205 10.133.66.205
ip nat inside source static 10.10.55.206 10.133.66.206
!
no logging trap
access-list 1 remark HTTP and VTY Management Access
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.55.192 0.0.0.15
access-list 1 permit 10.10.62.0 0.0.0.255
access-list 103 remark Interesting VPN Traffic
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.133.66.192 0.0.0.15 10.10.62.0 0.0.0.255
access-list 110 remark Route Interesting VPN Traffic
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip 10.10.55.192 0.0.0.15 10.10.62.0 0.0.0.255
no cdp run
!
route-map NAT_VPN permit 10
 match ip address 110
 set ip next-hop 192.168.1.2
!
control-plane
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
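As an added check (example code written for this page, not taken from the post above or from Cisco documentation), the following Python walks a packet through the three mechanisms the posted config combines on Vlan1: the PBR bounce into Loopback0 (route-map NAT_VPN, ACL 110), the static inside-source NAT, and the crypto map that only encrypts what ACL 103 matches. It makes the management problem visible: replies sourced from the router's own address 10.10.55.198 never match ACL 103, and adding a static translation for that address also rewrites the source of the router's IKE packets to the peer. The model assumes contiguous wildcard masks, IP-only ACL entries, that router-originated packets skip the interface `ip policy` (no `ip local policy` is configured), and that they are subject to the static NAT, which is taken from the poster's observation that NATing 10.10.55.198 broke the tunnel. The peer address 203.0.113.1 is a constructed placeholder for the masked xxx.xxx.xxx.xxx.

```python
import ipaddress

# Transcribed from the posted config. Added example; simplified model of IOS,
# not a Cisco simulator (see assumptions in the lead-in).
VLAN1_ADDR = "10.10.55.198"
PEER = "203.0.113.1"  # constructed placeholder for the masked peer address


def wildcard(entry):
    """Turn an IOS 'addr wildcard' pair into an ip_network."""
    addr, wc = entry.split()
    if wc == "0.0.0.0":  # host entry; '/0.0.0.0' would parse as a /0 netmask
        return ipaddress.ip_network(f"{addr}/32")
    # ipaddress accepts a hostmask (starts with a zero octet) after the slash.
    return ipaddress.ip_network(f"{addr}/{wc}", strict=False)


# permit-only ACLs, implicit deny at the end
ACL_110_PBR = [(wildcard("10.10.55.192 0.0.0.15"), wildcard("10.10.62.0 0.0.0.255"))]
ACL_103_CRYPTO = [(wildcard("10.133.66.192 0.0.0.15"), wildcard("10.10.62.0 0.0.0.255"))]

# ip nat inside source static 10.10.55.200 10.133.66.200 ... through .206
STATIC_NAT = {f"10.10.55.{h}": f"10.133.66.{h}" for h in range(200, 207)}


def acl_permits(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def trace(src, dst, nat_table=STATIC_NAT, router_originated=False):
    """Return (effective_src, pbr_applied, encrypted) for one packet.

    Transit packets enter Vlan1 (ip nat outside). If ACL 110 matches, PBR sets
    next-hop 192.168.1.2, the other host of the Loopback0 /30, so the packet
    leaves via Loopback0 (ip nat inside) and re-enters the router; only then
    does the inside-to-outside static NAT apply. The crypto map on the
    egress interface Vlan1 evaluates ACL 103 against the post-NAT source.
    """
    pbr = False
    effective = src
    if router_originated:
        # Interface PBR does not see the router's own packets (no
        # 'ip local policy'); they follow the default route out Vlan1.
        # Translation of these packets is the assumption explained above.
        effective = nat_table.get(src, src)
    elif acl_permits(ACL_110_PBR, src, dst):
        pbr = True
        effective = nat_table.get(src, src)
    encrypted = acl_permits(ACL_103_CRYPTO, effective, dst)
    return effective, pbr, encrypted


def ike_survives(nat_table):
    """IKE must leave the router with its real source address, otherwise the
    peer sees a different address than the one it has the pre-shared key for."""
    eff, _, _ = trace(VLAN1_ADDR, PEER, nat_table, router_originated=True)
    return eff == VLAN1_ADDR


if __name__ == "__main__":
    print("client 10.10.55.200 -> remote:", trace("10.10.55.200", "10.10.62.10"))
    print("router reply .198  -> remote:", trace(VLAN1_ADDR, "10.10.62.10", router_originated=True))
    extended = dict(STATIC_NAT, **{VLAN1_ADDR: "10.133.66.198"})
    print("router reply, .198 NATed    :", trace(VLAN1_ADDR, "10.10.62.10", extended, router_originated=True))
    print("IKE ok with posted NAT      :", ike_survives(STATIC_NAT))
    print("IKE ok with .198 NATed      :", ike_survives(extended))
```

Running it reproduces both observations in the post: client traffic from 10.10.55.200 is bounced, translated to 10.133.66.200 and encrypted, while the router's own replies from 10.10.55.198 leave in the clear; with 10.10.55.198 added to the static NAT the replies would be encrypted, but IKE no longer leaves the router with its real source, which is the constraint any fix has to satisfy. Unrelated to the routing question, the transform set in the posted config uses esp-des, which is single DES; a practitioner would replace it before relying on this tunnel.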
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...