Raevmi

Site to Site VPN


Hi Guys,

 

I have two routers (851W and 1812W) that are connected to the internet in different locations.

I tried to make a site-to-site VPN connection but it's not working. Even phase one is not established.

Can someone look into the config of both routers and tell me what I did wrong? Because I don't see it anymore :(

 

Both routers have an internet connection and they can ping each other.

 

Config Cisco 1812


!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key vpntest address OUTSIDE IP remote
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac 
!
crypto ipsec profile VPN
set transform-set VPN 
!
!
crypto map VPN 10 ipsec-isakmp 
set peer OUTSIDE IP remote
set transform-set VPN 
match address VPNTUNNEL
!
bridge irb
!
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
encryption mode ciphers aes-ccm 
!
encryption vlan 20 mode ciphers aes-ccm 
!
ssid Cisco 1812 (Radek)
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description CONNECTED_TO_INTERNET
ip address static IP
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed 100
crypto map VPN
!
interface FastEthernet12
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
shutdown
!
interface FastEthernet2
description PC
switchport access vlan 20
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet3
description N_CONNECTION
switchport access vlan 20
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet4
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet5
spanning-tree portfast
!
interface FastEthernet6
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet7
spanning-tree portfast
!
interface FastEthernet8
spanning-tree portfast
!
interface FastEthernet9
spanning-tree portfast
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Vlan20
description *LAN*
no ip address
bridge-group 20
bridge-group 20 spanning-disabled
!
interface BVI20
description INTERNAL
ip address 172.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 172.168.1.0 0.0.0.255
!
ip access-list extended VPNTUNNEL
permit ip 172.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255


no cdp run
!
!
!
!
control-plane
!
bridge 20 protocol ieee
bridge 20 route ip
!
line con 0
logging synchronous
login authentication Check
transport output telnet
line aux 0
logging synchronous
login authentication Check
transport output telnet
line vty 0 4
access-class ssh-access in
logging synchronous
login authentication Check
transport input telnet ssh
!
scheduler interval 500
end

 

Config Cisco851

 

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key vpntest address remote outside IP
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac 
!
crypto ipsec profile VPN
set transform-set VPN 
!
!
crypto map VPN 10 ipsec-isakmp 
set peer remote outside IP
set transform-set VPN 
match address VPNTUNNEL
!
archive
log config
 hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface FastEthernet4
description *INTERNET*
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN

!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm 
!
encryption mode ciphers aes-ccm 
!
ssid Cisco851
!        
speed basic-36.0 basic-48.0 basic-54.0
channel 2457
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
description *LAN*
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!

ip nat translation timeout 3600
ip nat inside source list 1 interface FastEthernet4 overload

!
ip access-list extended VPNTUNNEL
permit ip 172.16.1.0 0.0.0.255 172.168.1.0 0.0.0.255
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

!
line con 0
access-class 1 in
login authentication Check
no modem enable
transport output telnet
line aux 0
login authentication Check
transport output telnet
line vty 0 4
login authentication Check
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 

 

thanks

Edited by Raevmi


Hi,

 

Two things to be noticed, actually three:

 

1. Config seems ok, except NAT_exempt

2. For NAT_exempt you need to modify your NAT_access-list on both routers.

E.g. for the 1st router:

access-list extended NAT deny ip 172.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list extended NAT permit ip 172.168.0.0 0.0.0.255 any

 

ip nat inside source list NAT interface ___

 

3. When you "insert" the PSK, watch out not to insert any spaces in the PSK!

 

What does show crypto isakmp sa show?

Edited by laf_c
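Why the NAT-exempt deny line matters can be shown with a small model of IOS order of operations for inside-to-outside traffic: the `ip nat inside source` ACL is evaluated (and the source address rewritten) before the crypto map's `match address` ACL is checked. This is an added example, not code from the thread or from Cisco; it uses the LAN subnets actually configured on BVI20 and BVI1 (172.168.1.0/24 and 172.16.1.0/24) and a constructed placeholder for the 1812's public address.

```python
"""Model of IOS NAT-before-crypto ordering (added example, not from the thread)."""
import ipaddress

# Constructed placeholder for the 1812's public address (the post only says "OUTSIDE IP").
OUTSIDE_IP = "198.51.100.1"
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any" as network/wildcard


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src, dst):
    """First-match evaluation of (action, src_net, src_wc, dst_net, dst_wc) entries, implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


# Crypto ACL VPNTUNNEL from the 1812 config.
CRYPTO_ACL_VPNTUNNEL = [("permit", "172.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")]
# Original overload ACL: "access-list 1 permit 172.168.1.0 0.0.0.255" (no destination test).
NAT_ACL_ORIGINAL = [("permit", "172.168.1.0", "0.0.0.255", *ANY)]
# NAT-exempt version as laf_c advises: deny LAN-to-remote-LAN first, then permit the rest.
NAT_ACL_EXEMPT = [
    ("deny", "172.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("permit", "172.168.1.0", "0.0.0.255", *ANY),
]


def egress(nat_acl, src, dst):
    """Inside->outside: NAT runs first, then the crypto map match. Returns (src seen by crypto, encrypted?)."""
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP  # PAT overload rewrites the source to the outside interface address
    return src, acl_permits(CRYPTO_ACL_VPNTUNNEL, src, dst)


if __name__ == "__main__":
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("nat-exempt", NAT_ACL_EXEMPT)):
        print(name, egress(acl, "172.168.1.5", "172.16.1.10"))
```

With the original ACL the packet leaves as 198.51.100.1 -> 172.16.1.10, never matches VPNTUNNEL and is sent in the clear (and the peer's crypto ACL would not accept it either); with the deny entry in place it stays 172.168.1.5 and is encrypted. Note that `172.168.0.0 0.0.0.255` only covers 172.168.0.0/24, so the entries must use the /24 networks actually configured on the LAN interfaces.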


Damn, that I overlooked this. Damn, damn, damn.

 

This did the trick:

 

access-list extended NAT deny ip 172.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list extended NAT permit ip 172.168.0.0 0.0.0.255 any

 

Thanks


I have just a final question.

 

I have just set up a server. To manage the server from outside the network I just added a static route to it, just like:

 

ip nat inside source static tcp 172.168.1.3 3389 OUTSIDE IP 3389 extendable

 

Now, having the site-to-site VPN, it's not possible to make an RDP session directly to the server on IP 172.168.1.3.

When I delete

ip nat inside source static tcp 172.168.1.3 3389 OUTSIDE IP 3389 extendable 

the RDP is working internally but not externally.

How can I manage that both are available?

 

Thanks


Hi:

 

What are the access-lists for NAT exempt you configured? Maybe you are including that machine in the IPsec tunnel.

 

Regards!



I don't get what you seek.

First of all, this is not a "static route", just a DNAT or, more popularly, a port forward. Now specify from where you need to connect and to what destination.


Hi all,

 

Thanks for all the replies.

 

@laf_c what was I thinking with Static Route????

Damn, too many hours behind the CLI :)

 

OK, but anyway I got my problem solved.

I changed the DNAT to the following and it's working.

I can now reach the server from the inside and outside.

 

ip nat inside source static tcp 172.168.1.3 3389 OUTSIDEIP 3389 route-map NONAT

 

Thanks again
