Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3300
Views
0
Helpful
1
Replies

How to IPsec site to site vpn port forwarding to remote site?

thnguyen2011
Level 1
Level 1

‎06-14-2012 07:55 PM - edited ‎02-21-2020 06:08 PM

Hi All,

The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.

Drawing1.jpg

Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?

Building configuration...

Current configuration : 5425 bytes

!

! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Laverton

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

clock timezone PCTime 10

!

crypto pki trustpoint TP-self-signed-1119949081

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1119949081

revocation-check none

rsakeypair TP-self-signed-1119949081

!

!

crypto pki certificate chain TP-self-signed-1119949081

certificate self-signed 01

  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX

  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX

  69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032

  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939

            quit

dot11 syslog

ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.50

!

ip dhcp pool DHCP_LAN

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 61.9.134.49

   lease infinite

!

!

ip cef

!

no ipv6 cef

multilink bundle-name authenticated

!

!

!

object-group network VPN

description ---Port Forward to vpn Turnnel---

host 192.168.2.99

!

username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

match address 100

!

!

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

archive

log config

  hidekeys

!

!

no ip ftp passive

!

!

!

interface ATM0

description ---Telstra ADSL---

no ip address

no atm ilmi-keepalive

pvc 8/35

  tx-ring-limit 3

  encapsulation aal5snap

  protocol ppp dialer

  dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 10

shutdown

!

interface FastEthernet3

!

interface Vlan1

description ---Ethernet LAN---

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1420

!

interface Vlan10

ip dhcp relay information trusted

ip dhcp relay information check-reply none

no ip dhcp client request tftp-server-address

no ip dhcp client request netbios-nameserver

no ip dhcp client request vendor-specific

no ip dhcp client request static-route

ip address dhcp

ip nat outside

ip virtual-reassembly

!

interface Dialer0

description ---ADSL Detail---

ip address negotiated

ip mtu 1460

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1420

dialer pool 1

dialer-group 1

ppp chap hostname myusername@isp.com

ppp chap password 0 mypassword

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000

ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload

!

ip access-list extended NAT

remark CCP_ACL Category=16

remark IPSec Rule

deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address NAT

!

route-map SDM_RMAP_2 permit 1

match ip address 101

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

end

Your help would be very appreciated!

PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.

Thanks,

Thai

Labels:
0 Helpful
1 Reply 1

thnguyen2011
Level 1
Level 1

‎06-18-2012 05:00 PM

Is there anyone can help please?

0 Helpful
Customers Also Viewed These Support Documents