Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Microsoft VPN client problem on MPLS cloud

hi,

Please refer to follwoing text for the problem description and PPT attachments.

Host (10.7.1.30) located at MPLS R1 wants to access Microsoft VPN (P.Q.R.S), but host is not able to access Microsoft VPN

The configuration is as follows :

We have configured tunnel from MPLS R1 and MPLS R2 the configuration is as follows :

(Location 1) On MPLS R1:

interface Tunnel201

ip address 10.111.1.1 255.255.255.252

ip access-group xyz out ( used to mark the packets form the host 10.7.1.30 to any )

tunnel source serial 0 ( WAN link of router -IP addrss 192.168.1.10 )

tunnel destination 192.168.10.2 ( Destination IP address of the WAN link of router R2 - Reachable from router R1-WAN IP as source )

tunnel mode ipip

end

We have configured access-list xyz as follows :

10 permit ip any host 10.7.1.30

20 permit gre any host 10.7.1.30

(Location 2 )On MPLS R2 :

interface Tunnel201

ip address 10.111.1.2 255.255.255.252

ip access-group abc out

tunnel source Serial0/0/0 ( WAN LINK Ip addrss 192.168.10.2 : Reachable from : R1WAN Link : as source Both WAN IP can ping to each other )

tunnel destination 192.168.1.10 ( WAN Link Ip of router R1 )

tunnel mode ipip

end

We have configured access-list abc as :

10 permit ip host 10.7.1.30 any ( used to classify all packets destined for 10.7.1.30)

20 permit gre host 10.7.1.30 any

On Cisco ASA Firewall (which is at location 1) :

access-list inside_access_in extended permit ip host 10.7.1.30 any (Permited all ip suite from host 10.7.1.30)

access-list inside_access_in extended permit gre host 10.7.1.30 any (Permited gre protocol from host 10.7.1.30)

IP address 10.7.1.30 is natted to one static IP Address. and then forwarded to internet router.

The packet coming from 10.7.1.30 with a destination ip address as P.Q.R.S will be under going with ip over ip encapsulation ( tunnel 201 on both routers )

On router R1 packets from 10.7.1.30 are encapsulated in IP over IP mode and when these paclets reaches R2 those are de-capsulated so the source IP of packets is still 10.7.1.30 ( destination IP can be any on the internet ). Exactly opposite takes place whe packets are forwarded to 10.7.1.30 from router R2 to Router R1.

After recieving packet with the source address as 10.7.1.30 it is natted to public ip address in ASA firewall.

After natting packet will be forwarded to internet cloud.

With this host 10.7.1.30 is able to access internet properly but with Microsoft VPN client it is not working.

Has is something to do with IP over IP encapsulation in MPLS Cloud and NAT in Cisco ASA firewall as it might change the checksum of the packet.

Please share the experience thanks in advance.

Subodh

246
Views
0
Helpful
0
Replies