site to site vpn with NAT

junshah22
Level 1

I am configuring a site-to-site VPN with Cisco routers; both ends have live IPs.

I am following the document below to create the VPN. In this case the VPN tunnel works fine, but the Internet service stops on both ends.

I have a private network inside the router and VLANs are configured; the VLANs must be NATed to get access to the Internet service.

When I remove the statements ip nat inside and ip nat outside from the inside and outside interfaces, my tunnel goes UP and works fine, but as soon as I add the NAT commands to the respective interfaces, the tunnel goes down but the Internet service starts.

The author hasn't mentioned any NAT statement.

1. Create an Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.

Router(config)#crypto isakmp policy 9

Router(config-isakmp)#hash md5

Router(config-isakmp)#authentication pre-share

2. Set up the shared key that will be used in the VPN.

Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX

where,

VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

3. Now we set the lifetime for the IPsec security associations.

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

where YYYYY is the association lifetime in seconds. The usual value is 86400, which is one day.

4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link.

Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

where,

AAA is the access-list number.

SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.

DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that needs to pass through the VPN link.

5. Define the transform set that will be used for this VPN connection.

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

SETNAME is the name of the transform set. You can choose any name you like.

BBBB and CCCCC are the transforms. I recommend the use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of these two will do the job.

6. After defining all the previous things, we need to create a crypto-map that associates the access-list with the other site and the transform set.

Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp

Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX

Router(config-crypto-map)#set transform-set SETNAME

Router(config-crypto-map)#match address AAA

where,

MAPNAME is a name of your choice for the crypto-map.

PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map give it any number, for example 10.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

SETNAME is the name of the transform set that we configured in step 5.

AAA is the number of the access-list that we created to define the traffic in step 4.

7. The last step is to bind the crypto-map to the interface that connects the router to the other end.

Router(config-if)#crypto map MAPNAME

where MAPNAME is the name of the crypto-map that we defined in step 6.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.

Please advise.

Regards,

Junaid

16 Replies

Toshi,

It's me (Junaid) again; I hope you are well.

I configured my site B router for site-to-site VPN and added the commands you advised.

The VPN started working fine, and the Internet service was working too, but

these services were available to only one user, while the other users on the same network subnet were unable to get access to the servers as well as the Internet.

That means:

Server access + Internet was working only on one PC.

Is there any TCP connection problem?

Regards,

Junaid

Hi Toshi,

I configured the regional office router for site-to-site VPN but am having a problem.

VPN users are unable to connect to this router. I can access my servers at the other end from my PC, but I am unable to ping from the router. AMAZING!!!

Please see my config below for the regional office.

sh run
Building configuration...

Current configuration : 3036 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MTL-1811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxe/
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
ip cef
!
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
!
multilink bundle-name authenticated
!
username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxxx0
username Farogh privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxxxx1
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 58.27.232.18 no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap client authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer 58.27.232.18
 set transform-set myset
 match address lanb_to_lana
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 58.27.233.210 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool ippool 192.168.56.100 192.168.56.200
ip route 0.0.0.0 0.0.0.0 58.27.233.209
!
no ip http server
no ip http secure-server
ip nat inside source list deny_vpn_go_nat interface FastEthernet1 overload
!
ip access-list extended deny_vpn_go_nat
 deny   ip 192.168.21.0 0.0.0.255 192.168.56.0 0.0.0.255
 deny   ip 192.168.21.0 0.0.0.255 192.168.74.0 0.0.0.255
 deny   ip 192.168.56.0 0.0.0.255 192.168.74.0 0.0.0.255
 deny   ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.56.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended lanb_to_lana
 permit ip 192.168.20.0 0.0.3.255 192.168.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.3.255 192.168.1.0 0.0.0.255
!
snmp-server community public RO
snmp-server community foobar RO
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
control-plane
line con 0
 password 7 0xxxxxxxxxxxxx3
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
