Hey folks, I am in a quandary, and am wondering if someone on the list has
done this and figured out a working config.

I've been challenged with putting a VPN together between two sites, and it
shouldn't be a problem, as it seems to be a straightforward config, and
I've used the example off of CCO.

The problem is, I can't seem to pass traffic successfully across the VPN. :(

Attached is the config for both ends of the network setup.  As far as I
know, as long as I've met the following criteria, this should work:

1. Both ends have to have a public static address for at least the Router.
2. Either end can have a static NAT for an extra inside host, such as a WWW
server.
3. The VPN tunnel should work, no matter what type of "outside" interface
the Crypto map is applied to; if regular private to public net connectivity
works using NAT Overload, then End to End Tunnel termination should work so
long as the access-lists are done right.

This being said, this is what I got from CCO:

ASCII Diagram of network scenario

   LAN(192.168.10.0) -- RouterHQ --(WIC1-ADSL) DSL --Internet-- DSL --RouterBranchOffice-- LAN (192.168.1.0)

RouterHQ is assigned 5 public IPs, one assigned to the Router, 1 assigned to
WWW Host via Static NAT

RouterBO is assigned one public IP, which is assigned to the Router, with NAT
Overload running for the hosts on the private LAN.

* The description and ASCII art have been slightly modified from the CCO
example only to use a WIC-1ADSL as the "Outside" interface on the HQ Router,
rather than Ethernet Interfaces.

Config From CCO:
Daphne#
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Daphne
!
memory-size iomem 10
ip subnet-zero
ip audit notify log
ip audit po max-events 100
!
!--- IKE policies:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 100.1.1.2
crypto ipsec transform-set to_fred esp-des esp-md5-hmac
!--- IPSec policies:
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set to_fred
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
controller T1 0/0
 shutdown
!
controller T1 0/1
 shutdown
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip route-cache policy
 ip policy route-map nonat
!
interface Ethernet0/1
 ip address 200.1.1.2 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!--- Except the private network from the NAT process:
ip nat inside source list 122 interface Ethernet0/1 overload
ip nat inside source static 10.1.1.3 200.1.1.25
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.1
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
!--- Except the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 deny ip host 10.1.1.3 any
access-list 122 permit ip 10.1.1.0 0.0.0.255 any
access-list 123 permit ip host 10.1.1.3 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!--- Except the private network from the NAT process:
route-map nonat permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
end

Fred - Router Configuration
Fred#
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname fred
!
memory-size iomem 10
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!--- IKE Policies:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 200.1.1.2
!--- IPSec Policies:
crypto ipsec transform-set to_fred esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set to_fred
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
controller T1 1/0
 shutdown
!
controller T1 1/1
 shutdown
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 100.1.1.2 255.255.255.0
 ip nat outside
 crypto map myvpn
!
!--- Except the private network from the NAT process:
!--- (the page had "list 175 pool interface Ethernet0/1"; "pool" and "interface" are
!--- alternatives in this command, so the stray "pool" is dropped here)
ip nat inside source list 175 interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.1
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!--- Except the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
end


And... this is what I've done for my Routers:

RouterHQ#

version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname RAMCO-Arlington
!
logging count
logging buffered 4096 debugging
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip domain-name ramco.com
ip name-server 198.6.1.2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn address yy.yy.yy.220
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map ramco-vpn 10 ipsec-isakmp
 set peer yy.yy.yy.220
 set transform-set vpn
 match address 101
!
!
bridge irb
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
 no fair-queue
 bridge-group 1
 hold-queue 224 in
!
interface FastEthernet0
 description connected to Private LAN Block
 ip address 192.168.10.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip policy route-map nonat
 no ip mroute-cache
 no keepalive
 speed auto
 full-duplex
!
interface BVI1
 mtu 1492
 ip address xx.xx.xx.121 255.255.255.248
 ip nat outside
 crypto map vpn
!
ip nat inside source route-map nonat interface BVI1 overload
ip nat inside source static 192.168.10.122 xx.xx.xx.122 extendable
ip nat inside source static 192.168.10.6 xx.xx.xx.124 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.126 (ISP END of circuit)
no ip http server
!
!
logging history debugging
logging trap debugging
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.10.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 123
!
snmp-server manager
bridge 1 protocol ieee
bridge 1 route ip
!
!
ntp clock-period 17179944
ntp server 192.5.5.250
end

and the other end of the tunnel.....

RouterBO#
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RouterBO
!
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip domain-name vpndemo.com
ip name-server 198.6.1.2
!
ip dhcp pool BigB-LAN
   network 192.168.1.0 255.255.255.0
   dns-server 198.6.1.2
   domain-name vpndemo.com
   netbios-name-server 192.168.1.10
   netbios-node-type h-node
   default-router 192.168.1.1
   lease infinite
!
ip ssh time-out 120
ip ssh authentication-retries 3
ip dhcp-server 192.168.1.1
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn address xx.xx.xx.121
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map ramco-vpn 10 ipsec-isakmp
 set peer xx.xx.xx.121
 set transform-set vpn
 match address 110
!
!
!
!
interface Ethernet0
 ip address yy.yy.yy.220 255.255.252.0
 ip nat outside
 ip route-cache same-interface
 crypto map vpn
!
interface Ethernet1
 description connected to LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
router rip
 version 2
 passive-interface Ethernet0
 network 192.168.1.0
 no auto-summary
!
ip nat pool 2514-nat-pool yy.yy.yy.220 yy.yy.yy.220 netmask 255.255.252.0
ip nat inside source route-map nonat pool 2514-nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
logging history debugging
logging trap debugging
logging source-interface Ethernet0
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
!
ntp clock-period 17179942
ntp server 192.5.41.40
end

Any insight/help you can provide would be greatly appreciated.

Thanks,
Mark
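As an added example (not from Mark's post and not Cisco tooling), a small Python checker that reads an IOS-style config and flags two things the criteria above depend on: a crypto map applied on an interface that was never defined, and interesting traffic that the NAT ACL would translate instead of exempting (first-match semantics). It assumes a single `ip nat inside source {list|route-map}` statement and ACL entries in `ADDR WILDCARD` or `any` form; the sample is a constructed excerpt of the HQ router config above, and `parse`, `audit` and `HQ` are names chosen here.

```python
from ipaddress import IPv4Network as Net

def _net(tok):  # ACL address spec 'any' or 'ADDR WILDCARD' -> (network, remaining tokens)
    return (Net("0.0.0.0/0"), tok[1:]) if tok[0] == "any" else (Net(f"{tok[0]}/{tok[1]}"), tok[2:])

def parse(text):  # crypto maps defined/applied, crypto ACL, NAT ACL, and every extended ACL entry
    c, hdr = {"defined": set(), "applied": {}, "acls": {}, "rmap": {}, "crypto_acl": None}, [""]
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"): continue       # blank lines and !--- comments
        if raw[0] != " ":                                 # top-level line starts a new block
            hdr = t
            if t[:2] == ["crypto", "map"]:                # crypto map NAME SEQ ipsec-isakmp
                c["defined"].add(t[2])
            elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] != "static":
                c["nat"] = t[4:6]                         # ['list', ACL] or ['route-map', NAME]
            elif t[0] == "access-list" and t[3] == "ip":  # access-list N permit|deny ip SRC DST
                src, rest = _net(t[4:])
                c["acls"].setdefault(t[1], []).append((t[2], src, _net(rest)[0]))
        elif hdr[0] == "interface" and t[:2] == ["crypto", "map"]:
            c["applied"][hdr[1]] = t[2]                   # interface-level 'crypto map NAME'
        elif hdr[0] == "crypto" and t[:2] == ["match", "address"]:
            c["crypto_acl"] = t[2]
        elif hdr[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            c["rmap"][hdr[1]] = t[3]
    c["nat_acl"] = c["nat"][1] if c["nat"][0] == "list" else c["rmap"][c["nat"][1]]
    return c

def audit(side, c):
    """Findings: a crypto map applied but never defined, and interesting traffic the NAT ACL would translate."""
    out = [f"{side}: {i} applies crypto map '{n}' but it is not defined"
           for i, n in c["applied"].items() if n not in c["defined"]]
    for p, s, d in c["acls"][c["crypto_acl"]]:
        hit = next((a for a, es, ed in c["acls"][c["nat_acl"]] if s.subnet_of(es) and d.subnet_of(ed)), None)
        if p == "permit" and hit != "deny":               # first matching NAT entry must be a deny
            out.append(f"{side}: {s} -> {d} is interesting traffic but would be NATed")
    return out

# Constructed excerpt of the HQ router config posted above (interface name and ACLs as posted).
HQ = """crypto map ramco-vpn 10 ipsec-isakmp
 match address 101
interface BVI1
 crypto map vpn
ip nat inside source route-map nonat interface BVI1 overload
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 123"""
print(*audit("HQ", parse(HQ)), sep="\n")
```

Run against the branch-office config in the same way, the crypto ACLs of the two sides can then be compared for being mirror images of each other.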
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42245&t=42245
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]