12-05-2012 03:33 AM - edited 03-07-2019 10:24 AM
Hi Folks,
I am new to Cisco, so please be patient.
I have configured a site-to-site VPN tunnel using my Cisco ISR 891 router. The tunnel connects my network 10.88.10.0 to the remote network 10.210.65.0. When I ping the remote network my VPN tunnel comes up and all is well.
I have recently connected a second network to my 10.88.... network. The new local network is 192.168.0.0. I have now managed to get the two local networks pinging each other. I can also carry out RDP sessions between systems on both networks. Hence I am happy that both networks are communicating.
I used the FastEthernet port 8 on my ISR 891 to physically connect to the new 192.168 network and then entered the appropriate static routes on the existing 192.168 router (Netgear router). Hence certain traffic arriving at the Netgear will now be forwarded to port FE8 on the Cisco ISR 891. See the FE8 port config at the bottom of this post. I have used tracert to ensure that the traffic does arrive at port FE8 (192.168.0.235).
I cannot seem to ping any device on the remote 10.210.65.0 network from the 192.168 network. However, as stated above, I can successfully ping the same remote device from the local 10.88 network. I must be missing something that allows the 192.168 traffic to use the existing VPN tunnel. I have added the following command to the IPsec rules for the VPN tunnel using the Cisco Configuration Professional tool.
Permit 192.168.0.0/0.0.0.255 10.210.0.0/0.0.255.255 ip
However, I still can't ping the remote systems from the 192.168 network. Any help would be greatly appreciated.
Many thanks in advance for your kind assistance.
Carl
**Port FE8 Configuration**
```
interface FastEthernet8
 ip address 192.168.0.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1460
 duplex auto
```
12-05-2012 03:52 AM
Hi,
Have you configured the mirrored ACL on the other VPN endpoint?
Can you post your ZBF config: zone-pairs, policy-maps and class-maps?
Regards.
Alain
Don't forget to rate helpful posts.
12-05-2012 05:03 AM
Hi Alain
I have no access to the other end of the VPN tunnel as this is controlled by the National Health Service. However, we have been using the VPN tunnel successfully for over a year from the 10.88 network.
Perhaps I need to clarify in my own head what the source IP is for traffic arriving from the 192.168 network. It originates from a server, 192.168.0.170. It gets routed to the FE8 port of the Cisco, which is configured as 192.168.0.235. I then do a NAT inside, which I presume converts the IP address to a 10.88 address?? (Bit shaky on this bit.) It is then NATed again by the outside/Internet port, Gigabit port 0, before going out on to the web. Is this correct?
However, if using a VPN tunnel, is any NAT required?? As this will be a direct connection between two sites/routers and hence will not appear on the web??
Apologies for the silly questions and thank you for your kind assistance.
Carl
Please see the config for ZBF and ACLs below, as requested.
```
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 110
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 114
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 113
class-map type inspect smtp match-any ccp-app-smtp
 match data-length gt 5000000
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
 match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
 match access-group 115
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
 match access-group 116
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-12
 match access-group 117
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
 match access-group 118
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any IDS7
 match protocol http
 match protocol tcp
 match protocol icmp
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match access-group name NWIH
 match class-map IDS7
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method post
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class type inspect sdm-cls-VPNOutsideToInside-6
  pass
 class type inspect sdm-cls-VPNOutsideToInside-7
  pass
 class type inspect sdm-cls-VPNOutsideToInside-8
  pass
 class type inspect sdm-cls-VPNOutsideToInside-9
  pass
 class type inspect sdm-cls-VPNOutsideToInside-10
  pass
 class type inspect sdm-cls-VPNOutsideToInside-11
  pass
 class type inspect sdm-cls-VPNOutsideToInside-12
  pass
 class type inspect sdm-cls-VPNOutsideToInside-13
  pass
 class class-default
  drop
policy-map type inspect smtp ccp-action-smtp
 class type inspect smtp ccp-app-smtp
  reset
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
  reset
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-cls-ccp-inspect-1
  inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  drop log
 class type inspect ccp-protocol-im
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-app-nonascii
  log
  reset
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XA1APhRF97QSJJ28d3UXc2UbinTapLZjR5oi7igxbCULuDc3fq9BTbLyME4Jmqn address 194.168.231.2
crypto isakmp key ScannerMRI321 address 194.138.39.1
crypto isakmp key MRIScanner2010 address 81.133.132.134
!
!
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set Siemens esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to194.168.231.2
 set peer 194.168.231.2
 set security-association lifetime seconds 1800
 set transform-set ESP-AES128-SHA
 set pfs group5
 match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Dr Taylor
 set peer 81.133.132.134
 set transform-set ESP-3DES-SHA7
 set pfs group2
 match address 102
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel to194.138.39.1
 set peer 194.138.39.1
 set transform-set Siemens
 match address 105
```
12-10-2012 07:31 AM
Hi Folks,
I have removed my full config file as I was concerned about security. Also, it was a lot to take in. I have pasted below the relevant sections of the config file. I believe that this is where my problem lies. How can I work out which route map is being used by which VPN tunnel? To be honest, I am slightly confused about the conflicting nature of some of the commands in the ACLs. They seem to be denying and permitting the same traffic within the same ACL.
Any help would be really appreciated. It seems like I have missed something simple but I just can't find the problem. Even with my VPN tunnel up, traffic from 192.168 just won't go out the tunnel but traffic from 10.88 goes out perfectly. What am I missing??? AAAggghh!!!
```
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0 overload
access-list 101 remark CCP_ACL Category=2
access-list 101 remark NWIH Connection to NIPACS
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 101 deny icmp any any echo-reply
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 88.151.1.16 0.0.0.7 81.137.191.48 0.0.0.7
access-list 101 permit ip 10.88.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 remark CCP_ACL Category=16
access-list 150 remark NWIH Connection to NIPACS
access-list 150 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny icmp any any echo-reply
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
access-list 150 permit icmp any any echo-reply
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 150
!
route-map SDM_RMAP_3 permit 1
 match ip address 150
```
Message was edited by: CARL ALLEN
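Added example, not part of Carl's post, Alain's reply or any Cisco tooling: a small first-match evaluator for IOS numbered access lists, fed the NAT route-map ACLs 101 and 150 quoted in the post above. It addresses the two questions the thread raises, whether NAT applies to traffic that should go down the tunnel, and why the same ACL appears to both deny and permit the same prefixes. In an ACL referenced by `ip nat inside source route-map`, entries are checked top to bottom and the first match wins; `permit` means "translate this flow" and `deny` means "leave it untranslated", so the early deny lines are the NAT exemption for VPN-bound traffic and the later permit lines only catch what the denies let through. The ACL text is copied from the post; the sample flows, the remote host 10.210.65.10 and the internet address 198.51.100.7 are constructed for the example. The crypto ACL 106 that the crypto map entry for peer 194.168.231.2 uses as its traffic selector is not in the posted excerpt, so the same check cannot be run against the tunnel selector here.

```python
"""Added example, not Carl's config or Cisco code: a first-match evaluator for IOS
numbered access lists, fed the NAT route-map ACLs 101 and 150 quoted in the thread.
Assumed (standard IOS) semantics: entries are tested top to bottom and the first
match wins; in an ACL used by 'ip nat inside source route-map', permit means
"translate" and deny means "leave untranslated"; no match hits the implicit deny."""
import ipaddress

# ACL text copied from the post; one remark line kept to show the parser skips it.
ACL_TEXT = """
access-list 101 remark NWIH Connection to NIPACS
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 101 deny icmp any any echo-reply
access-list 101 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 101 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 deny ip 88.151.1.16 0.0.0.7 81.137.191.48 0.0.0.7
access-list 101 permit ip 10.88.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny icmp any any echo-reply
access-list 150 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 150 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
access-list 150 permit icmp any any echo-reply
"""

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return {acl_number: [entry, ...]} in configured order, remarks dropped."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)       # rest may hold an ICMP type such as echo-reply
        acls.setdefault(t[1], []).append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                                          "qual": rest[0] if rest else None, "text": line.strip()})
    return acls

def _addr_match(addr, spec):
    base, wildcard = spec
    care = ~_ip(wildcard) & 0xFFFFFFFF      # a 1 bit in the wildcard means "don't care"
    return (_ip(addr) & care) == (_ip(base) & care)

def evaluate(entries, proto, src, dst, qual=None):
    """First-match lookup: (action, matching line), or ('deny', None) for the implicit deny."""
    for e in entries:
        if (e["proto"] in ("ip", proto) and e["qual"] in (None, qual)
                and _addr_match(src, e["src"]) and _addr_match(dst, e["dst"])):
            return e["action"], e["text"]
    return "deny", None

def nat_decision(entries, proto, src, dst, qual=None):
    """What the NAT route-map does with the flow: 'translated' (permit) or 'exempt' (deny)."""
    action, line = evaluate(entries, proto, src, dst, qual)
    return ("translated" if action == "permit" else "exempt"), line

def _covers(outer, inner):
    """True if every address matched by spec 'inner' is also matched by spec 'outer'."""
    ob, ow = _ip(outer[0]), _ip(outer[1])
    ib, iw = _ip(inner[0]), _ip(inner[1])
    care = ~ow & 0xFFFFFFFF
    return (iw & care) == 0 and (ib & care) == (ob & care)

def shadowed_entries(entries):
    """(unreachable line, earlier line that fully covers it): such entries can never match."""
    out = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier["proto"] in ("ip", later["proto"]) and earlier["qual"] in (None, later["qual"])
                    and _covers(earlier["src"], later["src"]) and _covers(earlier["dst"], later["dst"])):
                out.append((later["text"], earlier["text"]))
                break
    return out

if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    flows = [("ip", "192.168.0.170", "10.210.65.10"),    # new LAN server -> remote host (constructed)
             ("ip", "192.168.0.170", "198.51.100.7"),    # new LAN server -> internet address (constructed)
             ("icmp", "192.168.0.170", "198.51.100.7", "echo-reply")]  # reply to a ping that reached the server
    for number, entries in acls.items():
        for flow in flows:
            print(number, flow, "->", nat_decision(entries, *flow))
        for later, earlier in shadowed_entries(entries):
            print(number, "never reached:", later, "| covered by:", earlier)
```

Run as-is, it reports that both ACLs exempt 192.168.0.0/24 to 10.210.0.0/16 from translation on their very first deny line, that 192.168.0.0/24 to anything else is translated by the trailing `permit ... any`, and that the last three permit entries of ACL 150 (including its own `permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255`) can never be reached because an earlier line already covers them. The deny/permit pairs are therefore not in conflict: ordering decides, and a shadowed permit is harmless but misleading to read.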
01-06-2013 09:49 AM
Can anyone help me with this issue? I am sure it has to do with NAT. The traffic that I want to go down the VPN should be excluded from NAT, but I am not sure if I have done this correctly.
Any help would be greatly appreciated.
Thanks
Carl