L2L VPN with Static NAT to Hide Internal IPs on Cisco 1841 ISR

bcgeringer
Level 1

I have configured a L2L VPN on a Cisco 1841 ISR.  I am statically NATing some of my internal hosts to IP addresses that are included in the encrypted traffic.  Please note that not all of the internal hosts are being NATed.  I am doing this to hide some of the real IP addresses on the inside network.  I have confirmed that the VPN works, as well as the NATing of the VPN traffic.  I have traditionally configured L2L VPNs on Cisco ASA 5500 series appliances, and this is my first attempt with the 1841 ISR.  I just want others to take a look and see if I missed anything, or whether I could have done some of the configuration more efficiently.  All comments are welcome.

VPN-RTR-01#show run
Building configuration...

Current configuration : 9316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-2010810276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2010810276
revocation-check none
rsakeypair TP-self-signed-2010810276
!
!
crypto pki certificate chain TP-self-signed-2010810276
certificate self-signed 01
  quit
username asmith privilege 15 password 7 xxxxxxxxxxxxxxx
username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
!
!
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-REMOTE-SITE 1 ipsec-isakmp
set peer 172.21.0.1
set transform-set ESP-AES256-SHA
match address VPN-REMOTE-SITE
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
description $FW_INSIDE$
encapsulation dot1Q 61
ip address 10.1.0.34 255.255.255.224
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.3
description $FW_OUTSIDE$
encapsulation dot1Q 111
ip address 172.20.32.17 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
crypto map VPN-REMOTE-SITE
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.20.32.1
ip route 10.16.0.0 255.255.0.0 10.1.0.33
ip route 10.19.0.0 255.255.0.0 10.1.0.33
ip route 10.191.0.0 255.255.0.0 10.1.0.33
ip route 10.192.0.0 255.255.0.0 10.1.0.33
ip route 192.168.20.48 255.255.255.240 10.1.0.33
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
!
ip access-list extended VPN-REMOTE-SITE
permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
ip access-list extended inside_nat_static_1
permit ip host 10.192.1.1 host 10.174.52.39
permit ip host 10.192.1.1 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_2
permit ip host 10.192.1.2 host 10.174.52.39
permit ip host 10.192.1.2 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_3
permit ip host 10.192.1.3 host 10.174.52.39
permit ip host 10.192.1.3 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_4
permit ip host 10.192.1.4 host 10.174.52.39
permit ip host 10.192.1.4 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_5
permit ip host 10.192.1.5 host 10.174.52.39
permit ip host 10.192.1.5 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_6
permit ip host 10.16.1.6 host 10.174.52.39
permit ip host 10.16.1.6 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_7
permit ip host 10.191.0.11 host 10.174.52.39
permit ip host 10.191.0.11 host 10.174.52.40
deny   ip any any
ip access-list extended inside_nat_static_8
permit ip host 10.191.0.12 host 10.174.52.39
permit ip host 10.191.0.12 host 10.174.52.40
deny   ip any any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 172.20.32.0 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit udp any host 192.168.20.62
access-list 101 permit tcp any host 192.168.20.62
access-list 101 permit udp any host 192.168.20.61
access-list 101 permit tcp any host 192.168.20.61
access-list 101 permit udp any host 192.168.20.59
access-list 101 permit tcp any host 192.168.20.59
access-list 101 permit udp any host 192.168.20.58
access-list 101 permit tcp any host 192.168.20.58
access-list 101 permit udp any host 192.168.20.57
access-list 101 permit tcp any host 192.168.20.57
access-list 101 permit udp any host 192.168.20.56
access-list 101 permit tcp any host 192.168.20.56
access-list 101 permit udp any host 192.168.20.55
access-list 101 permit tcp any host 192.168.20.55
access-list 101 permit udp any host 192.168.20.54
access-list 101 permit tcp any host 192.168.20.54
access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
access-list 101 permit icmp any host 172.20.32.17 echo-reply
access-list 101 permit icmp any host 172.20.32.17 time-exceeded
access-list 101 permit icmp any host 172.20.32.17 unreachable
access-list 101 permit udp any host 172.20.32.17 eq isakmp log
access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
access-list 101 permit tcp any host 172.20.32.17 eq 443
access-list 101 permit tcp any host 172.20.32.17 eq 22
access-list 101 permit tcp any host 172.20.32.17 eq cmd
access-list 101 deny   ip 10.1.0.32 0.0.0.31 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 deny   ip 192.168.20.48 0.0.0.15 host 10.174.52.40
access-list 102 deny   ip 192.168.20.48 0.0.0.15 host 10.174.52.39
access-list 102 permit ip 10.1.0.32 0.0.0.31 any
!
route-map NO_NAT permit 1
match ip address 102
!
route-map STATIC_NAT_8 permit 10
match ip address inside_nat_static_8
!
route-map STATIC_NAT_5 permit 10
match ip address inside_nat_static_5
!
route-map STATIC_NAT_4 permit 10
match ip address inside_nat_static_4
!
route-map STATIC_NAT_7 permit 10
match ip address inside_nat_static_7
!
route-map STATIC_NAT_6 permit 10
match ip address inside_nat_static_6
!
route-map STATIC_NAT_1 permit 10
match ip address inside_nat_static_1
!
route-map STATIC_NAT_3 permit 10
match ip address inside_nat_static_3
!
route-map STATIC_NAT_2 permit 10
match ip address inside_nat_static_2
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 30 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

VPN-RTR-01#
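The poster asks whether anything was missed in the NAT and crypto sections. The script below is an added example, not part of the original thread, that parses an excerpt of the running-config above and reports three things a reviewer would check for each `ip nat inside source static` entry: a global address that falls outside the VPN-REMOTE-SITE crypto ACL, a STATIC_NAT route-map ACL whose permit entries are not limited to that single inside host, and an access-list 101 entry that permits `any` source to the NAT global address (as the `permit udp/tcp any host 192.168.20.x` lines do), which admits sources other than the two remote hosts the VPN is built for. The `parse` and `audit` functions are assumptions of this example, not IOS commands.

```python
# Added example (not from the thread): audit the static NAT / crypto ACL pairing of the config above.
import ipaddress

CONFIG = """\
ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
ip access-list extended VPN-REMOTE-SITE
 permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
ip access-list extended inside_nat_static_1
 permit ip host 10.192.1.1 host 10.174.52.39
ip access-list extended inside_nat_static_6
 permit ip host 10.16.1.6 host 10.174.52.39
access-list 101 permit udp any host 192.168.20.62
route-map STATIC_NAT_1 permit 10
 match ip address inside_nat_static_1
route-map STATIC_NAT_6 permit 10
 match ip address inside_nat_static_6
"""  # excerpt of the posted running-config (two of the eight static NATs)

def parse(text):
    statics, acls, rmaps, any_src, cur_acl, cur_rm = [], {}, {}, [], None, None
    for line in text.splitlines():
        w = line.split()
        if w[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics.append((w[5], w[6], w[8]))     # inside-local, inside-global, route-map
        elif w[:1] == ["access-list"] and w[2:3] == ["permit"] and w[4:6] == ["any", "host"]:
            any_src.append((w[1], w[6]))           # numbered ACL, destination host
        elif w[:3] == ["ip", "access-list", "extended"]:
            cur_acl, acls[w[3]] = w[3], []
        elif w[:1] == ["route-map"]:
            cur_rm = w[1]
        elif w[:3] == ["match", "ip", "address"]:
            rmaps[cur_rm] = w[3]                   # route-map -> named ACL it matches
        elif w and w[0] in ("permit", "deny"):
            acls[cur_acl].append(w)                # entry of the current named ACL
    return statics, acls, rmaps, any_src

def audit(text):
    """Return one finding per inconsistency; an empty list means the pairing is clean."""
    statics, acls, rmaps, any_src = parse(text)
    # crypto-ACL source networks, built from address + wildcard mask
    vpn = [ipaddress.ip_network(f"{e[2]}/{e[3]}") for e in acls.get("VPN-REMOTE-SITE", []) if e[0] == "permit"]
    findings = []
    for local, glob, rm in statics:
        if not any(ipaddress.ip_address(glob) in n for n in vpn):
            findings.append(f"{glob}: not covered by crypto ACL VPN-REMOTE-SITE")
        for e in acls.get(rmaps.get(rm), []):
            if e[0] == "permit" and e[2:4] != ["host", local]:
                findings.append(f"{rm}: permit entry not scoped to host {local}")
        findings += [f"acl {n}: any source permitted to NAT global {glob}" for n, dst in any_src if dst == glob]
    return findings
```

Run `audit(CONFIG)` against the full `show run` text to cover all eight static entries; the excerpt produces a single finding, for the `any`-source permit to 192.168.20.62.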

Accepted Solution

andamani
Cisco Employee

Hi,

Configuration looks ok to me.

Yet you can cross-check with the following link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080223a59.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
