topic Re: IPSEC pass-through on Cisco 857 in Network Security

IPSEC pass-through on Cisco 857

elias.manchon — Fri, 21 Feb 2020 10:57:22 GMT

Hello Folks!!

I have adquired reciently a Cisco 857 router. I want to do a VPN site to site.

I have configured the interface ATM0.1 with "ip unnumbered" to VLAN 1. I haven't configured the router to enable NAT or PAT. The VLAN 1 is configured with one Ip public Address of my ISP. Behind the cisco router, I have a Zywall 5, this device is my VPN gateway. Initially, it works fine with other soho router but it blocked often, for this reason, I decided to change this one for a cisco router.

My problem now is that the router cisco doesn't permit the VPN establishment.

Do I need enable IPSEC pass-through?, How can I do this?

Thanks in advance!!

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 06:10:20 GMT

Can you provide more details here:

What device is used on the opposite site to terminate the device, Cisco?

NAT Traversal (NAT-T) is turned ON the IOS by default starting with 12.2(13)T.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

If the other side is ASA/PIX/VPNC you need to turn it on.

Regards

Farrukh

Regards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 06:48:20 GMT

No, my device in opposite side is Zywall 10. I don't want to use NAT on my cisco router. I'm using routing without NAT. I have two addresses IP provided by my ISP, the first is my address gateway, this address is configured on my cisco router, and the second address is my public address IP, this address is configured in the zywall 5. the gateway of my zywall 5 is the interface ethernet of my cisco router. this configuration works fine and I can navigate with explorer. My problem is when I try to establish a tunnel IPSEC.

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 06:52:28 GMT

Other thing. All examples about IPSEC passthrought tha I can see is with NAT/PAT.

My question:

Do I Need enable NAT/PAT on my router to works IPSEC passthrough?

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 06:59:59 GMT

Oh you mean IPSEC passthrough and not NAT Traversal. Can you give more details about your IP addressing ? Router Internet interface has what IP? Public Private?

Router LAN interface has local IP? Then howcome the device at the back has a public IP?

Regards, Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 07:26:28 GMT

Hi Farruh,

I have the next scenary:

LAN -- Zywall -- Cisco 857 -- INTERNET

The Cisco 857 have the next configuration on its interfaces:

Interface ATM:

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

hold-queue 224 in

interface ATM0.1 point-to-point

bandwidth 2016

ip unnumbered Vlan1

pvc 8/32

encapsulation aal5snap

protocol ip inarp

interface VLAN 1

interface Vlan1

ip address XXX.XXX.XXX.XXX 255.255.255.192

hold-queue 100 out

Zywall 5:

WAN Ip Address:

IP: YYY.YYY.YYY.YYY

netmask: 255.255.255.192

Gateway: XXX.XXX.XXX.XXX

YYY.YYY.YYY.YYY and the IP Address XXX.XXX.XXX.XXX are provided my telecom provider.

Thanks in Advance!!

I haven't ACLs by the moment. I suppose that my router is passing all traffic at behind device (Zywall).

Greetings.

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 07:39:47 GMT

Ok thanks for the detailed post. Its pretty clear now. You had a cheap SOHO DSL Modem, you removed that and are now using your Cisco router to terminate the DSL link. You are right by default there are no ACLs on Cisco router(s). IF there are no ACLs/PAT then there is no need for ESP passthrough. That is required when you are going to the internet via PAT. All LAN users have local IP and they are overloaded/PATTED to outside (wan) interface. In your case your VPN termination device (Zywall 5) has public IP. There is no NAT/PAT or ACL. In simple words VPN should work 🙂

Perhaps you have some NAT configuration on your router for LAN user to access the Internet? Can you post that?

You are missing something else....

Is it possible to debug on the ZYwall?

Or see the phase 2 packets.encr/decr...

Regards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 08:15:52 GMT

Thanks four your.

Farrukh, Upload my Cisco setup.

The Log of my Zywall when I try to establish a tunnel IPSEC handly, is the next:

1 2008-08-07 10:01:47 IKE Packet Retransmit IKE

2 2008-08-07 10:01:47 The cookie pair is : ----

3 2008-08-07 10:01:44 IKE Negotiation is in process --- --- IKE

4 2008-08-07 10:01:44 The cookie pair is : ----

5 2008-08-07 10:01:43 Send:[SA][VID][VID][VID] ----

6 2008-08-07 10:01:43 The cookie pair is : ----

7 2008-08-07 10:01:43 Send Main Mode request to [XXX.XXX.XXX.XXX] --- IKE

8 2008-08-07 10:01:43 Rule [VPN] Sending IKE request ---- IKE

9 2008-08-07 10:01:43 The cookie pair is : ----

10 2008-08-07 10:01:40 IKE Packet Retransmit ---- IKE

11 2008-08-07 10:01:40 The cookie pair is : ----

12 2008-08-07 10:01:24 IKE Packet Retransmit ---- IKE

13 2008-08-07 10:01:24 The cookie pair is : ---- IKE

14 2008-08-07 10:01:21 IKE Packet Retransmit ---- IKE

15 2008-08-07 10:01:21 The cookie pair is : ----

However, If I replace my cisco router by the old router, the tunnel is established. Therefore, the problem not is on the zywall, really?.

Thanks

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 08:46:00 GMT

Can you ping the Public IP of the other Zywall 10 from your Zywall 5 (not from the router)?

Is the LAN interface IP of the router set as the default gateway of your ZYwall? Can you double check? Can it ping this default gateway?

Regards =

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 09:03:36 GMT

Hi Farrukh,

The problem is resolved. Simply, rebooting the Zywall the problem is resolved. For this things... I love cisco more every day.

This issue, with cisco don't had happened.

Greetings.

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 09:09:05 GMT

Most probably it had the ARP entry for the old DSL modem (SOHO) 🙂

Please rate if helpful

Regards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 09:18:14 GMT

The last Question.

What is the interface where I must put my ACLs to permit the establishment between the two end points, on my router cisco 857?. Initially I have putted this ACL on the VLAN 1 interface, inbound direction.

Greetings.

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 09:19:54 GMT

This will cover only the 'outbound' traffic.

For inbound traffic (from the internet), apply it on the ATM sub-interface.

Regards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 09:40:47 GMT

In spite of "Ip unnumbered" of this interface?

Just, I want to control the traffic from internet only.

I have configured the next ACLs, but it not works, anyone can pass traffic from internet through cisco router.

These are my ACLs:

access-list 101 permit ip host xxx.xxx.xxx.xxx any

access-list 101 permit ip host yyy.yyy.yyy.yyy any

access-list 101 permit ip host zzz.zzz.zzz.zzz any

access-list 101 deny ip any any

I have on ATM subinterface:

ip access-group 101 in

Greetings!!

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 10:43:57 GMT

If you do 'show access-list' (do you see any hits hitcnt = xx at the end of the ACL line?)

Also change the last line to:

access-list 101 deny ip any any log

and see what you get.

Rgards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 13:02:35 GMT

Hi Farrukh,

Sorry, but where I see the log of rule "access-list 101 deny ip any any log"?

Thanks again.

Re: IPSEC pass-through on Cisco 857

Farrukh Haroon — Thu, 07 Aug 2008 13:09:02 GMT

If you login via console:

logging console 7

If you login via telnet:

logging monitor 7

terminal monitor

Regards

Farrukh

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 13:17:23 GMT

ok, ok, I have seen that it appears in console.

Greetings.

Re: IPSEC pass-through on Cisco 857

elias.manchon — Thu, 07 Aug 2008 14:09:48 GMT

Thanks for all,

it's working fine now.

Greetings!!.