09-26-2013 08:16 AM - edited 03-07-2019 03:41 PM
Hi,
I have created an IPSec VPN between a Cisco router and a Checkpoint FW. Currently traffic is only going from Site A, Server A to the Site B LAN segment via the IPSec VPN. But traffic is not going back via the IPSec VPN from the Site B LAN segment to Site A, Server A. Instead it goes directly to the Internet when I do a traceroute.
( Site A ) ( Site B )
Server A ------- Cisco Swi ----- Checkpoint FW ------ Cisco Router ----- Cloud ----- Cisco Router ------ LAN Seg (192.1.1.X)
-------------------------------------------------
IPSec VPN
-------------------------------------------------
- Server A (66.66.66.66, public Add) --> Nat'd to (66.66.66.99, public Add)
- Site B LAN Seg is not Nat'd
Will there be any problem if the Server A IP address is NAT'd from a public address to another public address, which will cause traffic from Site B to go to the Internet instead of the IPSec VPN?
09-26-2013 08:55 AM
You can NAT your VPN traffic any way you want. Just make sure that the crypto ACL specifies exactly the traffic that you need in the tunnel, which is the addresses after NAT.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-26-2013 09:12 AM
Hi Karsten,
Below is the config for Site B Cisco Router, is this the correct way?
Site B Cisco Router
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 7800
!
crypto isakmp key 6 password address 66.66.66.122 (Site A Checkpoint FW WAN Int)
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 66.66.66.122 (Site A Checkpoint FW WAN Int)
set transform-set rtpset
match address 120
!
interface GigabitEthernet0/0
description WAN Facing Int
ip address 99.99.99.94 255.255.255.252
ip nat outside
crypto map rtp
!
interface GigabitEthernet0/1
description LAN Facing Int
ip address 99.99.99.161 255.255.255.240
ip nat inside
!
ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 99.99.99.93
ip route 192.1.1.0 255.255.255.0 99.99.99.162
!
access-list 110 deny ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
access-list 110 permit ip 192.1.1.0 0.0.0.255 any log
access-list 120 permit ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
I followed the example from this link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Is there any way to check if the crypto is up and traffic is going from Site B to Site A?
09-26-2013 09:35 AM
The config looks fine assuming the traffic from Server A uses the IP 66.66.66.99.
You can look at the counters with "sh crypto ipsec sa"; there are also some other statistics that can give you a hint. If that command doesn't show any SAs, post the output of "show crypto isakmp sa".
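The point of the two replies above is that the NAT ACL (110) must exempt exactly what the crypto ACL (120) selects, and must do so before any permit that would otherwise translate it. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the Site B config quoted above, plus a deliberately broken copy constructed here with the deny line removed, and reports any crypto-ACL permit that the NAT ACL would translate before the traffic reaches the crypto map. It only understands the `ip SRC WILD DST` ACL forms used in this thread (any / host / network+wildcard); extended ports and protocols are out of scope.

```python
"""Check that an IOS NAT ACL exempts the traffic the crypto ACL puts in the tunnel.

Added example, not from the thread. Parses 'access-list N ... ip ...' entries,
finds which ACL the NAT rule and the crypto map use, and flags crypto-ACL
permits that the NAT ACL would match with a permit (i.e. translate) first.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = tokens.pop(0)
    if wild == "0.0.0.0":          # '0.0.0.0' would otherwise parse as a /0 netmask
        return ipaddress.ip_network(tok + "/32")
    # ipaddress accepts an IOS wildcard (hostmask) in place of a netmask
    return ipaddress.ip_network(tok + "/" + wild, strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        tokens = m.group(3).split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)           # trailing keywords such as 'log' are ignored
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def nat_leaks(config):
    """List crypto-ACL permits that the NAT ACL would translate; empty list means OK."""
    acls = parse_acls(config)
    nat_acl = re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1)
    crypto_acl = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    leaks = []
    for action, csrc, cdst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for naction, nsrc, ndst in acls.get(nat_acl, []):
            if not (csrc.overlaps(nsrc) and cdst.overlaps(ndst)):
                continue
            # The first NAT entry that can match tunnel traffic decides its fate.
            if naction == "deny" and csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):
                break                       # fully exempted from NAT: good
            leaks.append(f"{csrc} -> {cdst} hits NAT entry '{naction} {nsrc} {ndst}'")
            break
        # No overlapping NAT entry at all means the implicit deny: not translated.
    return leaks


# Relevant lines of the Site B config from the thread (constructed excerpt).
GOOD_CONFIG = """\
crypto map rtp 1 ipsec-isakmp
 set peer 66.66.66.122
 set transform-set rtpset
 match address 120
ip nat inside source list 110 interface GigabitEthernet0/0 overload
access-list 110 deny ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
access-list 110 permit ip 192.1.1.0 0.0.0.255 any log
access-list 120 permit ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
"""

# Constructed broken copy: the NAT exemption is missing, so the LAN would be
# PAT'd to 99.99.99.94 and never match the crypto ACL on the way out.
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list 110 deny ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log\n", "")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, nat_leaks(cfg) or "OK")
```

Run it against a saved `show running-config`; an empty list means every crypto-ACL permit is shielded by a matching deny in the NAT ACL. Ordering matters on IOS, so a deny placed after the `permit ... any` is reported as a leak too.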
09-30-2013 06:43 PM
Sorry for the late reply, I was on leave the past few days.
I had a look at "show crypto ipsec sa" and "show crypto isakmp sa"; below are the statistics:
show crypto ipsec sa
#pkts encaps: 90509, #pkts encrypt: 90509, #pkts digest: 90509
#pkts decaps: 90485, #pkts decrypt: 90485, #pkts verify: 90485
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
Site A Chkpt FW Ext IP Site B Cisco Rtr Ext IP QM_IDLE 1167 ACTIVE
1) Does this mean that the IPSec VPN is up and running?
2) If the IPSec VPN is up, how come when I do a traceroute it still goes via the Internet instead of the IPSec VPN?
3) Is there any way to determine if the above-mentioned statistics of encrypted packets are from Site A to Site B or from Site B to Site A?
09-30-2013 11:41 PM
1) Does this mean that the IPSec VPN is up and running?
At least the part you posted looks fine.
3) Is there any way to determine if the above-mentioned statistics of encrypted packets are from Site A to Site B or from Site B to Site A?
It's for both directions. "pkts encaps/encrypt/digest" is what you send to the other side, "pkts decaps/decrypt/verify" is what you received from the other side.
2) If the IPSec VPN is up, how come when I do a traceroute it still goes via the Internet instead of the IPSec VPN?
There are many possibilities. First, the config could still be wrong, but that cannot be told as you removed/changed too much in your output. And the Checkpoint on the other side could filter the traceroute. You should inspect the logs on the other side to investigate that.
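The answer above gives the rule for reading the counters: on the router you are looking at, "encaps" is what it encrypted and sent toward the peer, "decaps" is what it received from the peer. The practical way to answer question 3 is to snapshot `show crypto ipsec sa` before and after a test from Site B and see which counters moved. The following is an added example, not from the thread or from Cisco: a Python parser for the per-SA section of `show crypto ipsec sa` (the "local ident / remote ident" block, in IOS's layout) and for the ISAKMP state line, plus a before/after comparison. The first snapshot is constructed from the counters quoted above; the second snapshot's numbers are invented to illustrate a "sent but nothing came back" case.

```python
"""Attribute IOS 'show crypto ipsec sa' counters to a direction.

Added example, not from the thread. Sample outputs are constructed: the first
snapshot uses the counters posted above, the second is invented (+30 encaps,
no decaps growth) to show how a one-sided test looks.
"""
import re

# One SA block: the two ident lines, then everything up to the next 'local ident'.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)"
    r"(?P<body>.*?)(?=\n\s*local\s+ident|\Z)",
    re.S,
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(output):
    """Return {(local_ident, remote_ident): {'encaps', 'decaps', 'send_err', 'recv_err'}}."""
    sas = {}
    for m in SA_RE.finditer(output):
        body = m.group("body")
        stats = {k: int(v) for k, v in COUNTER_RE.findall(body)}
        stats.update({f"{k}_err": int(v) for k, v in ERROR_RE.findall(body)})
        sas[(m.group("local"), m.group("remote"))] = stats
    return sas


def isakmp_active(output):
    """True if any ISAKMP SA has completed Phase 1 (state QM_IDLE, status ACTIVE)."""
    return any("QM_IDLE" in ln and "ACTIVE" in ln for ln in output.splitlines())


def direction_deltas(before, after):
    """Per-flow counter growth between two snapshots.

    encaps = packets this router encrypted and sent to the peer (outbound),
    decaps = packets received from the peer and decrypted (inbound).
    """
    old_all = parse_ipsec_sa(before)
    deltas = {}
    for flow, new in parse_ipsec_sa(after).items():
        old = old_all.get(flow, {})
        deltas[flow] = {k: new[k] - old.get(k, 0) for k in new}
    return deltas


def diagnose(deltas):
    """Plain-language verdict per flow (heuristics written for this example)."""
    verdicts = {}
    for flow, d in deltas.items():
        if d.get("encaps", 0) == 0:
            verdicts[flow] = "nothing entered the tunnel from this side: check routing and NAT order"
        elif d.get("decaps", 0) == 0:
            verdicts[flow] = "sent into the tunnel, nothing came back: check the peer's policy and logs"
        else:
            verdicts[flow] = "traffic flows in both directions"
    return verdicts


# Constructed 'show crypto ipsec sa' excerpt using the counters from the thread.
BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: rtp, local addr 99.99.99.94

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (66.66.66.99/255.255.255.255/0/0)
   current_peer 66.66.66.122 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 90509, #pkts encrypt: 90509, #pkts digest: 90509
    #pkts decaps: 90485, #pkts decrypt: 90485, #pkts verify: 90485
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""
# Invented second snapshot: 30 more packets encrypted, none decrypted.
AFTER = BEFORE.replace("encaps: 90509", "encaps: 90539")

# Constructed 'show crypto isakmp sa' line (peer addresses anonymised as in the thread).
ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
66.66.66.122    99.99.99.94     QM_IDLE           1167 ACTIVE
"""

if __name__ == "__main__":
    print("phase 1 up:", isakmp_active(ISAKMP))
    for flow, verdict in diagnose(direction_deltas(BEFORE, AFTER)).items():
        print(flow, "->", verdict)
```

Take the first snapshot, run the traceroute (or a ping to 66.66.66.99) from the Site B LAN, take the second, and compare: if "encaps" for the 192.1.1.0/24 -> 66.66.66.99/32 flow does not grow, the packets never reached the crypto map on this router and the problem is local (routing, NAT order, crypto ACL); if it grows but "decaps" stays flat, this side is sending into the tunnel and the peer's side needs investigating.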
10-01-2013 06:41 PM
Hi Karsten,
The problem has been solved. Thanks for your help these days.
The configuration on the router side was working fine all the while; the problem lay in the Checkpoint FW IPSec VPN. Really appreciate your help!!!