12-06-2012 07:07 PM - edited 03-04-2019 06:20 PM
Hi,
We have configured VPN on our Cisco 2911 router. I have 4 VLANs in my network. I successfully created the tunnels. From 1 VLAN I am able to access the resources through the VPN, but not from the other VLANs. Below is the configuration of my router. Can anyone suggest how to configure this?
crypto logging ezvpn
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXX no-xauth
crypto isakmp keepalive 3600 periodic
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set Default esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXXXXXXXX
set peer XXXXXXXXXXXX
set transform-set Default
match address 101
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
ip address 192.168.8.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip policy route-map Loadbalance
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address XXXXXXXXXX 255.255.255.252
ip mask-reply
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex full
speed 100
no mop enabled
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
description $FW_OUTSIDE$$ETH-WAN$
ip address XXXXXXXXXX 255.255.255.252
ip mask-reply
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no mop enabled
crypto ipsec df-bit clear
!
interface FastEthernet0/0/0
description TATA WAN IP
ip address XXXXXXXXXXX 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 300
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXX
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXX
ip route 192.168.2.0 255.255.255.0 192.168.8.200
ip route 192.168.3.0 255.255.255.0 192.168.8.200
ip route 192.168.4.0 255.255.255.0 192.168.8.200
ip route 192.168.5.0 255.255.255.0 192.168.8.200
ip route 192.168.6.0 255.255.255.0 192.168.8.200
ip route 192.168.7.0 255.255.255.0 192.168.8.200
ip route 192.168.8.0 255.255.255.0 192.168.8.200
ip route 192.168.9.0 255.255.255.0 192.168.8.200
!
ip access-list extended nat
remark CCP_ACL Category=18
remark IPSec Rule
deny tcp 192.168.0.0 0.0.255.255 XXXXXXXXXX 0.0.0.255 log
deny ip host 192.168.4.2 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
permit ip object-group WC&AIT any
permit ip host 192.168.6.24 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
deny ip any any
ip access-list extended nat1
remark CCP_ACL Category=18
remark IPSec Rule
deny tcp 192.168.0.0 0.0.255.255 XXXXXXXX 0.0.0.255 log
permit ip object-group AIT any
permit ip host 192.168.4.2 any
permit ip object-group ALC any
deny ip any any
!
ip sla 1
icmp-echo XXXXXXXXX source-interface GigabitEthernet0/1
frequency 5000
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo XXXXXXXXXX source-interface GigabitEthernet0/2
frequency 5000
ip sla schedule 2 life forever start-time now
logging 192.168.4.4
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit tcp 192.168.0.0 0.0.255.255 XXXXXXXXX 0.0.0.255 log
!
no cdp run
12-06-2012 09:08 PM
Your post says that you have 4 vlans and I see 4 interfaces and 4 subnets (but not defined as vlans).
Your crypto configuration uses an access list to identify traffic for VPN, and the access list selects packets with a source address of 192.168.n.n. There is only one interface that matches this.
HTH
Rick
Sent from Cisco Technical Support iPhone App
12-06-2012 09:18 PM
Yes. I have 4 different subnets. My network diagram is as below.
System - L3 switch - Firewall (configured in L2 bridge mode) - Router - Internet.
I configured 192.168.0.0/16 in the access list. That means any traffic from 192.168.0.1 to 192.168.255.255 should match the access list. My subnets are within 192.168.0.0/16. So, all the traffic from my subnets should be allowed to that VPN. But this is not happening.
12-07-2012 08:05 AM
Hi,
Your configuration references several route-maps which are not present - notably in the NAT statements. Is this deliberate? NAT will take place before encryption.
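The two points raised in the replies above (how the wildcard mask in the crypto ACL matches a source address, and the fact that inside NAT runs before the crypto map on the outbound interface) can be checked offline against the ACLs quoted in the post. This is an added example and not code from the thread; the remote subnet and the outside address are redacted in the post, so 10.99.0.0/24 and 203.0.113.1 are constructed stand-ins, and the object-group entries are left out because their contents are not shown.

```python
import ipaddress

# Constructed stand-ins: the remote subnet and the outside address are
# redacted ("XXXXXXXX") in the post, so these values are placeholders.
REMOTE_NET = "10.99.0.0"
OUTSIDE_IP = "203.0.113.1"

# Entries are (action, protocol, src, src-wildcard, dst, dst-wildcard).
# access-list 101 from the post: only TCP from 192.168.0.0/16 to the remote /24.
CRYPTO_ACL = [("permit", "tcp", "192.168.0.0", "0.0.255.255", REMOTE_NET, "0.0.0.255")]

# "ip access-list extended nat" from the post (object-group lines omitted):
# TCP to the remote side is exempted from NAT, the listed LAN subnets are translated.
ANY = ("0.0.0.0", "255.255.255.255")
NAT_ACL = [
    ("deny", "tcp", "192.168.0.0", "0.0.255.255", REMOTE_NET, "0.0.0.255"),
    ("deny", "ip", "192.168.4.2", "0.0.0.0", *ANY),
] + [("permit", "ip", f"192.168.{n}.0", "0.0.0.255", *ANY) for n in (4, 7, 2, 9, 5, 3)] + [
    ("permit", "ip", "192.168.6.24", "0.0.0.0", *ANY),
    ("deny", "ip", *ANY, *ANY),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0

def acl_action(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, sb, sw, db, dw in acl:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def vpn_path(proto, src, dst):
    """Outbound order on the WAN interface: inside NAT first, then the crypto map.
    Returns (natted, encrypted). Once translated, the packet's source is the
    outside address and it can no longer match the crypto ACL."""
    natted = acl_action(NAT_ACL, proto, src, dst) == "permit"
    src_on_wire = OUTSIDE_IP if natted else src
    encrypted = acl_action(CRYPTO_ACL, proto, src_on_wire, dst) == "permit"
    return natted, encrypted
```

Running vpn_path for a non-TCP packet (for example an ICMP ping used to test the tunnel) from any LAN subnet shows it being translated and never encrypted, because both the NAT exemption and the crypto ACL match TCP only. The model covers only the two ACLs shown; the route-maps SDM_RMAP_1, SDM_RMAP_2 and Loadbalance referenced in the config are not in the post, so any path they introduce is not represented.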