HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

thedrashy
Level 1

We are connecting a Cisco 887VA router with various other non-Cisco routers.

VPN tunnels are up and we can ping devices on the remote network through the VPN.

However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc.) and these are not accessible over the VPN; the connection seems to just hang like it's waiting for a response, but it never gets one and eventually the browser times out.

Strangely, if I request a page that does not exist from the NAS (e.g. http://192.168.3.x/test) I will receive a 404 error, so it is kind of working.

Similar problems with SMB: if I access \\192.168.3.x I can list the content (4 items), but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.

I have tried adjusting MTU and MSS with no change.

Any ideas, 'cause I'm running out of hair.

My config is attached; it is most likely a mess as this is my first Cisco device, so please go easy.

3 Replies

czaja0000
Level 1

Hi,

If I understand correctly, the problem is related to services that are also available on the public network via static translation?

1. I checked your configuration and it isn't clear to me.

For example:

ip nat pool windisplay0 192.168.3.55 192.168.3.55 netmask 255.255.255.0 type rotary
...
ip nat inside destination list windisplay0 pool windisplay0

The syntax is:

ip nat inside destination { list  pool  | static   }

Where is the ACL "windisplay0" ?

2. I suggest reading this document: Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static

________________

Best regards,
MB

Sorry about the confusion factor, it seems I inadvertently snipped some of the config.

I have attached new config.

Thank you!

Markus Thun
Level 1

Hi,

I can get you an example VPN config (Cisco 1841) that works:

! 192.168.49.0/24 = inside LAN; 192.168.0.0/16 and 172.20.0.0/24 = remote-site networks
!
! Crypto ACL: the traffic that is sent through the tunnel
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
! NAT ACL: deny the same tunnel traffic so it is NOT translated, NAT everything else
access-list 150 deny   ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny   ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
!
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
!
crypto map B2B 10 ipsec-isakmp
 description b2b-fw
 set peer PEERWANIP
 set security-association lifetime seconds 86400
 set transform-set SETNAME
 match address 102
!
interface FastEthernet0/0
 description wan_primary
 crypto map B2B
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
route-map nonat permit 10
 match ip address 150
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload

Regards

Markus
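Added example (not from this thread, not Cisco code): a small Python checker for the NAT-versus-VPN interplay raised in both replies above. It parses numbered extended ACLs in the style of Markus's config and reports every crypto-ACL subnet pair that the nonat ACL would still hand to NAT (which is exactly the traffic that then never matches the crypto map). The sample config is constructed: it reuses the two ACLs above and adds a hypothetical third VPN pair, 10.10.0.0/16, that ACL 150 forgets to exempt.

```python
import ipaddress
# Constructed sample: the two ACLs from the reply above, plus a hypothetical
# third VPN subnet pair in crypto ACL 102 that the nonat ACL 150 never denies.
SAMPLE_CONFIG = """
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 deny   ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny   ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
"""

def _net(toks, i):
    """Parse one IOS address spec at toks[i]; return (IPv4Network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(toks[i + 1]))         # IOS inverse mask
    mask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # to a subnet mask
    return ipaddress.ip_network((toks[i], mask), strict=False), i + 2

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[3] != "ip":
            continue  # only numbered extended 'ip' ACEs are modelled here
        src, i = _net(toks, 4)
        dst, _ = _net(toks, i)
        acls.setdefault(toks[1], []).append((toks[2], src, dst))
    return acls

def nat_leaks(acls, crypto_acl="102", nonat_acl="150"):
    """Return crypto-ACL (src, dst) pairs that the nonat ACL still hands to NAT."""
    # 'match ip address 150' NATs a packet only when ACL 150 permits it, so every
    # VPN pair needs a deny that matches before any permit (no match = exempt).
    leaks = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in acls.get(nonat_acl, []):
            covered = src.subnet_of(nsrc) and dst.subnet_of(ndst)
            touched = src.overlaps(nsrc) and dst.overlaps(ndst)
            if nat_action == "permit" and touched:
                leaks.append((str(src), str(dst)))  # (part of) the pair is NATted
                break
            if covered:
                break  # a deny matched first: this pair is exempt from NAT
    return leaks
```

Run it against the full running-config text; anything it lists will be translated by the overload NAT instead of being encrypted.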
