04-19-2013 11:28 AM - edited 03-04-2019 07:39 PM
Hi,
I have set up a VPN between two sites with two Cisco 861 routers.
That works.
Now one of the sites wants to use that 861 also to go to the internet.
I thought I would just configure
ip nat inside
ip nat outside
access list 1
and all should work...
But it doesn't.
What am I doing wrong?
The local network is 192.168.120.x/24.
The config:
#sh run
Building configuration...
Current configuration : 3917 bytes
!
! Last configuration change at 17:35:30 UTC Mon Jan 2 2006 by admin
! NVRAM config last updated at 12:28:22 UTC Mon Jan 2 2006 by admin
! NVRAM config last updated at 12:28:22 UTC Mon Jan 2 2006 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blabla
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1105714830
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1105714830
revocation-check none
rsakeypair TP-self-signed-1105714830
!
!
crypto pki certificate chain TP-self-signed-1105714830
certificate self-signed 01
quit
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name blabla.com
!
!
license udi pid CISCO861-K9 sn FGL165123TK
!
!
username admin
!
!
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxx address 212.201.x.x
!
!
crypto ipsec transform-set ID-SET esp-aes esp-sha-hmac
!
crypto map RTD01_ID01 10 ipsec-isakmp
set peer 212.201.x.x
set transform-set ID-SET
set pfs group2
match address 101
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 110.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map RTD01_ID01
!
interface Vlan1
description 120 network
ip address 192.168.120.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan100
ip address 192.168.121.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan121
no ip address
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 110.x.x.161
!
access-list 1 permit 192.168.120.0 0.0.0.255
access-list 23 permit 213.125.234.242
access-list 23 permit 83.81.105.169
access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport preferred ssh
transport input ssh
!
end
04-19-2013 12:23 PM
Hi,
access-list 100 deny ip 192.168.120.0 0.0.0.255 x.x.x.x x.x.x.x where x.x.x.x is the destination private subnet and subnet mask for the remote VPN
access-list 100 permit ip 192.168.120.0 0.0.0.255
ip nat inside source list 100 interface f4
do the same on the other router too and it will work.
Regards
Alain
Don't forget to rate helpful posts.
04-19-2013 12:32 PM
Thanks, I will try it on Monday.
I will let you know the result.
Martin
04-22-2013 12:37 AM
Hi, should the last line not be
ip nat inside source list 100 interface vlan1
and the line
access-list 100 permit ip 192.168.120.0 0.0.0.255
is missing info?
04-22-2013 02:52 AM
Hi,
you're correct, there is something missing in the ACL.
This line:
access-list 100 permit ip 192.168.120.0 0.0.0.255
should be:
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
Regards
Alain
Don't forget to rate helpful posts.
04-22-2013 03:44 AM
I did it already, but sorry, it still doesn't work.
So, to recap:
I still want to do site-to-site VPN, and I also want this 861 to be used as a NAT router for the internet so that the PCs behind it can browse the internet.
The config now:
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 110.x.x.163 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map RTD01_ID01
!
interface Vlan1
description 120 network
ip address 192.168.120.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan100
ip address 192.168.121.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan121
no ip address
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 110.x.x.161
!
access-list 23 permit 213.125.234.242
access-list 23 permit 83.81.105.169
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 100 deny ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
Any more pointers?
Martin
04-22-2013 05:37 AM
Hi,
no access-list 100
access-list 100 deny ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 100 permit ip 192.168.121.0 0.0.0.255 any
no ip nat inside source list 100 interface Vlan1 overload
ip nat inside source list 100 interface fa4
Regards
Alain
Don't forget to rate helpful posts.
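The point behind the ACL reordering in the solution above, as an added Python example that is not from the thread: a first-match evaluator for the posted access lists, run over constructed packets, with 203.0.113.163 standing in for the router's 110.x.x.163 WAN address and IOS's inside-to-outside order of operations (NAT before the crypto-map check) assumed.

```python
import ipaddress
# Constructed sample input: NAT ACL 100 as first posted (permit before deny), the
# accepted solution's order (deny before permit), and crypto ACL 101 from the config.
NAT_ACL_PERMIT_FIRST = """
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 100 deny ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
NAT_ACL_DENY_FIRST = """
access-list 100 deny ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 100 permit ip 192.168.121.0 0.0.0.255 any
"""
CRYPTO_ACL_101 = """
access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
WAN_IP = "203.0.113.163"  # placeholder standing in for the router's 110.x.x.163

def _match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _operand(tokens, i):
    """Read 'any' or 'ADDR WILDCARD' starting at tokens[i]; return base, wildcard, next index."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src_base, src_wild, i = _operand(t, 4)
        dst_base, dst_wild, _ = _operand(t, i)
        entries.append((t[2], (src_base, src_wild), (dst_base, dst_wild)))
    return entries

def acl_permits(entries, src, dst):
    """Top-down, first match wins, implicit deny at the end (IOS semantics)."""
    for action, (sb, sw), (db, dw) in entries:
        if _match(src, sb, sw) and _match(dst, db, dw):
            return action == "permit"
    return False

def egress(nat_acl_text, src, dst):
    """Inside-to-outside: NAT runs first, so a source translated to WAN_IP no longer matches ACL 101."""
    if acl_permits(parse_acl(nat_acl_text), src, dst):
        src = WAN_IP
    return src, acl_permits(parse_acl(CRYPTO_ACL_101), src, dst)
```

The solution's final NAT statement omits the `overload` keyword that the earlier statement carried; `overload` is what turns the single interface address into PAT for many inside hosts, so check `show ip nat translations` if only one host can browse.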
04-22-2013 09:58 AM
Thanks, it works.
Martin