cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1588
Views
0
Helpful
12
Replies

VPN Design issue between a 877 and a Pix

lap
Level 2
Level 2

Hi everybody,

I have a VPN design issue.I am living in Danmark

I have a 877W in Danmark and a PIX 501 in France. I want to see some videos which are on a streaming server in France. But I want to connect to the streaming server in France with a French IP and not a Danish IP.

I attach a drawing of the setup to the post:

VPNDesign.jpg

So basically I want the source IP to be 100.10.10.2 when connecting to the Media streaming server from Danmark instead of the danish IP address 80.10.10.2.

I have heard of hairpin but aparently it is not possible on Pix 501, only from version 7.0. Otherwise I don´t how I could solve this issue. Any clever ideas?

Best Regards,

Laurent

2 Accepted Solutions

Accepted Solutions

praprama
Cisco Employee
Cisco Employee

Hey,


Glad to hear back from you. SO this guide should help you in configuring a VPN between ASA and Router:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml

TO send traffic to the media server only to the VPN tunnel, you can have the crypto ACL specific to those IP address. So on your 877, the crypto ACL will be from 10.20.100.0/24 to 120.10.10.1. On the ASA, it will be from 120.10.10.1 to 10.20.100.0/24.

Also, to configure hairpinning on the ASA, you will need the following commands:

same-security-traffic permit intra-interface

nat (outside) 1 10.20.100.0 255.255.255.0

global (outside) 1 interface

Let me know if this helps!!

Regards,

Prapanch

View solution in original post

praprama
Cisco Employee
Cisco Employee

Hi Laurent,

Were you able to test the above? Is it working? If so, please do mark this thread as answered

Thanks and Regards,

Prapanch

View solution in original post

12 Replies 12

praprama
Cisco Employee
Cisco Employee

Hi Laurent,

Please correct me if i have misundestood your requirement.

So basically when you access the Media streaming server 120.10.10.1 from the Danish LAN of 10.20.100.0/24, you would like your source IPs to be translated to 100.10.10.2, and this IP actually is a Public IP assigned to the ISP router at france.

If this is the requirement, I am afraid it will not be possible. The fact being the ISP will end up routing packets destined for the IP of 100.10.10.2 to the ISP router in France when the media server replies bact to a request from you. Only way i can think of to implement this will be to setup a VPN tunnel from your PIX 501 to the ISP router in France and then route requests from there to the media streaming server. This way, the replies from the media streaming server will be routed back to the ISP router and then will be sent back via the VPN tunnel back to the LAN in Denmark.

Again, i am not sure if i have understood your requirement quite well enough, please let me know if this is indeed what you're looking to do.

Regards,

Prapanch

Hi Prapanch,

Thank you very much for your reply.

You have understood perfectly what I want.

The ISP router in France is actually a "silly" router unable to do IPsec. When you say that one way to do it is to setup a VPN tunnel from the PIX to the ISP router in France, you ment maybe from the PIX to the Cisco 877 in Danmark no?

So I should just setup a site-to site VPN between Danmark and PIX France ? can the PIX route packet to the Media streaming server then?

I have only experience with site-to-site VPN LAN-to-LAN but in this case is a bit particular because the crypto ACL which wil define which traffic should be encrypt from Danmark to France will look like that : permit tcp 10.20.100.0 0.0.0.255 host 120.10.10.1 eq 80 no?

Regards,

Laurent

praprama
Cisco Employee
Cisco Employee

Hi Laurent,


Sorry about that. Yes we can setup a site to site VPN from the 877 in Denmark to the PIX in France. And Then configure hairpinning on the PIX. The crypto ACL should be in that format but extended ACLs do not work with VPNs. So we will just have an ACL from 10.20.100.0/24 to 120.10.10.1.

What OS of PIX are you running currently? I can then let you know if this hairpinning is possible on the PIX.

Regards,

Prapanch

Hi Prapanch,

The pix is a 501 with version 6.3(5). I have read that is only possible to do hairpinn only from version 7.0 ? Is there another design solution you think?

Regards,

Laurent

well unfortunately there is no other solution

the same-security command was introduced in 7.0 codes


but if you can provide us a brief topology of your network, especiallybehind the pix

i am thinking on lines of terminating the vpn behind the pix by providing a static nat entry on pix and trying to do u turning on router

this involves changing lot of stuff just wondering if you are fine with the idea

Hey,

Unfortunately there is no other way that i can think of doing this. What devices do you have behind the PIX? We can maybe try a VPN to that device if possible and get this working then. I am not sure we can do that but just thought it might be worth a shot.

Thanks and Regards,

Prapanch

Hi both of you,

Unfortunately I have nothing behind the pix. Well I guess I will have to take an ASA back to France next time I go back there-:)

Thanks for your time and your help;-)

Regards,

Laurent

Hi both of you,

So I went back to France and installed an ASA 5505 with Version 8.2(3).

So now I guess I can configure hairpin on the ASA but I would like you to guide me regarding the configuration. So I want to configure the following:

1) From DK Cisco 877 router (in Danmark) I want to configure an IPsec l2l tunnel to the FR ASA (in France).

2)Then I want to send traffic to the IPsec tunnel with destination IP all the french IP or more specific the Media streaming server IP (in France).

  But Otherwise other traffic should go to the danish ISP and not the IPsec tunnel

My issue with the config is regarding the ASA config as I don't have that much experience with ASA. I don't know with crypto ACL to configure on both the router and the ASA what should be the  destination IP address? Also what should be the source IP address on the ASA for the crypto ACL?

I hope to hearing from you:-)

Best Regards,

Laurent

praprama
Cisco Employee
Cisco Employee

Hey,


Glad to hear back from you. SO this guide should help you in configuring a VPN between ASA and Router:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml

TO send traffic to the media server only to the VPN tunnel, you can have the crypto ACL specific to those IP address. So on your 877, the crypto ACL will be from 10.20.100.0/24 to 120.10.10.1. On the ASA, it will be from 120.10.10.1 to 10.20.100.0/24.

Also, to configure hairpinning on the ASA, you will need the following commands:

same-security-traffic permit intra-interface

nat (outside) 1 10.20.100.0 255.255.255.0

global (outside) 1 interface

Let me know if this helps!!

Regards,

Prapanch

praprama
Cisco Employee
Cisco Employee

Hi Laurent,

Were you able to test the above? Is it working? If so, please do mark this thread as answered

Thanks and Regards,

Prapanch

Hi Prapanch,

Yes I have tried and it did work with site to site. But I soon realized that when I stream to the media server in France It is not working perfectly as the media server content is using different IP. So I have just configured a EasyVPN server on the ASA.

Here is the IPsec site to site config I used on the ASA:

access-list CryptoAcl_ToMarselis extended permit ip 120.10.10.0 255.255.255.0 10.1.100.0 255.255.255.0

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map CryptoMap_OUT 10 match address CryptoAcl_ToMarselis
crypto map CryptoMap_OUT 10 set peer X
crypto map CryptoMap_OUT 10 set transform-set 3DES-MD5


crypto map CryptoMap_OUT interface outside

crypto isakmp enable outside


crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400


tunnel-group X type ipsec-l2l
tunnel-group X ipsec-attributes
pre-shared-key xaxcess


same-security-traffic permit intra-interface

nat (outside) 1 10.1.100.0 255.255.255.0
global (outside) 1 interface

Thanks for your help guys!

Best  Regards,

Laurent

praprama
Cisco Employee
Cisco Employee

Hey Laurent,

Glad to know we could be of help!!

Regards,

Prapanch

Review Cisco Networking for a $25 gift card