974 Views, 0 Helpful, 4 Replies

IPsec VPN site to site

Tiago Reis (Level 1)

Hi everyone,

It's the first time that I will configure a site-to-site VPN and I have some issues. On one side I have a Cisco 1841 from an ISP that is connected to a firewall. After the firewall I need to configure a Cisco 871 to "share" one VLAN with the other side using an IPsec VPN. Is it possible to implement this solution? Do I need NAT on the 1841? Until now I have only seen solutions using the router that makes the connection to the ISP.

Lan-871-firewall-1841----cloud----1841-lan

Can you please give me some help? I will start this implementation next week; until then I am studying how to do it.

Thanks,

Tiago

Accepted Solution

I assume you control the 871, which connects to the firewall and then to the 1841. Here I also assume that this is the 1841 that is managed by the ISP and which you don't control. The other end of the tunnel, where the other 1841 is, I assume you have total control of. So based on these assumptions, this is how I'd configure the L2L:

- 1841 (that you manage) WAN IP: 90.90.90.5
- 1841 (that you manage) LAN network: 10.10.10.0/24
- 871 WAN IP: 50.50.50.9
- 871 LAN network: 10.20.20.0/24

871
!
! Phase 1 (ISAKMP) policy: 3DES, pre-shared key, DH group 2 (hash not set, so it defaults to SHA-1)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key bound to the peer's WAN address; no-xauth so this L2L peer is never asked for XAUTH
crypto isakmp key L2L_password address 90.90.90.5 no-xauth
! Phase 2 (IPsec) proposal
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! Crypto map: peer, proposal and the ACL that defines the interesting traffic
crypto map mymap 10 ipsec-isakmp
 set peer 90.90.90.5
 set transform-set myset
 match address 120
! The map is applied on the outside (WAN) interface
interface FastEthernet4
 ip address 50.50.50.9 255.255.255.248
 crypto map mymap
! Interesting traffic: local LAN to remote LAN (mirror image of ACL 130 on the 1841)
access-list 120 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

1841
!
! Same Phase 1 / Phase 2 parameters as the 871, pointing at the 871's WAN address
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key L2L_password address 50.50.50.9 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 50.50.50.9
 set transform-set myset
 match address 130
! Outside interface: both the crypto map and "ip nat outside" live here
! (the LAN interface, not shown here, carries "ip nat inside")
interface FastEthernet0/0
 ip address 90.90.90.5 255.255.255.248
 ip nat outside
 crypto map mymap
! PAT for Internet-bound traffic; ACL 101 denies LAN-to-LAN traffic first so it reaches the
! crypto map untranslated, otherwise it would never match the interesting-traffic ACL
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
! Interesting traffic (mirror image of ACL 120 on the 871)
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

On your 871, I don't know how its outside interface is configured. Perhaps it has a private IP which is then translated to a public one at the ISP-managed 1841. If this is the case, then at the 1841 that you manage you should put the public IP address that is translated to your private outside IP on the 871. I also left out some statements on the 871 because it is not doing the NAT. But if you have problems with the tunnel, then put those lines in the 871 to negate the tunnel traffic. Let me know if anything


4 Replies

ciscobigcat (Level 1)

Do you control/manage both 1841s at each end? If so, then you can create the tunnel there. But based on the topology of the network you are providing, it looks like the 1841 where the firewall is might be an ISP-managed perimeter router. In this case that 1841 will just be acting as pass-through and doing other routing stuff, and the firewall will be the one where you will want to configure the IPsec. But if you don't control the firewall either, then we can build the tunnel on the 871. Who is doing your NATing?

Hello ciscobigcat,

I only control one 1841; the other one is managed by the ISP, and the firewall is a simple one that only has some ACLs, nothing more. The NATing is done by the ISP's 1841.

So basically I only need on both Cisco routers something like:

crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNKEY address xxx.xxx.xxx.xxx
access-list 101 permit ip ........
crypto ipsec transform-set .....
crypto map MAPNAME 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set (set name)
 match address ...
crypto map MAPNAME

If this is correct, then it is just a normal VPN tunnel without NAT, and I can "ignore" the firewall and the 1841 because they will not interfere?

Thanks for your help

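The accepted answer and the minimal-config sketch in the question's follow-up both depend on the same three things being consistent across the two routers: each side's "set peer" and ISAKMP key address must be the other side's WAN address, the two crypto ACLs must be exact mirror images, and on the router that also does NAT the LAN-to-LAN traffic must be denied in the NAT ACL before the "permit ip any any", otherwise it is translated and never matches the interesting-traffic ACL. The checker below is an added example, not code from the thread or from Cisco: it renders the posted config shape from a small template (addresses and ACL numbers from the accepted answer, "hash md5" from the sketch) and then lints a pair of configs for those mistakes. It also flags 3DES, MD5 and DH group 2, which were common when this thread was written but should not be used for a new tunnel; the STRONG variant (AES-256, SHA-256, DH group 14) assumes an IOS image that supports those transforms, which the oldest releases for an 871 or 1841 do not.

```python
# Added example (not from the thread): cross-check both ends of an IOS crypto-map L2L.
import re
from ipaddress import IPv4Network

WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # algorithms to flag
WEAK_DH = {"1", "2", "5"}                                              # DH groups to flag

def site(wan, iface, peer, acl, local, remote, nat_acl=None, nat_exempt=True,
         encr="3des", hash_="md5", group="2", transform="esp-3des esp-md5-hmac"):
    """Render one end of the crypto-map config from the thread (defaults = as posted)."""
    lines = ["crypto isakmp policy 1", f" encr {encr}", f" hash {hash_}",
             " authentication pre-share", f" group {group}",
             f"crypto isakmp key L2L_password address {peer} no-xauth",
             f"crypto ipsec transform-set myset {transform}",
             "crypto map mymap 10 ipsec-isakmp", f" set peer {peer}",
             " set transform-set myset", f" match address {acl}",
             f"interface {iface}", f" ip address {wan} 255.255.255.248", " crypto map mymap"]
    if nat_acl:  # this end also does PAT; tunnel traffic must hit a deny before the permit
        lines += [" ip nat outside", f"ip nat inside source list {nat_acl} interface {iface} overload"]
        if nat_exempt:
            lines.append(f"access-list {nat_acl} deny ip {local} {remote}")
        lines.append(f"access-list {nat_acl} permit ip any any")
    lines.append(f"access-list {acl} permit ip {local} {remote}")
    return "\n".join(lines) + "\n"

# Constructed inputs: the addresses and ACL numbers used in the accepted answer.
LAN_871, LAN_1841 = "10.20.20.0 0.0.0.255", "10.10.10.0 0.0.0.255"
END_871 = ("50.50.50.9", "FastEthernet4", "90.90.90.5", "120", LAN_871, LAN_1841)
END_1841 = ("90.90.90.5", "FastEthernet0/0", "50.50.50.9", "130", LAN_1841, LAN_871)
STRONG = dict(encr="aes 256", hash_="sha256", group="14", transform="esp-aes 256 esp-sha256-hmac")
POSTED_871, POSTED_1841 = site(*END_871), site(*END_1841, nat_acl="101")
HARDENED_871, HARDENED_1841 = site(*END_871, **STRONG), site(*END_1841, nat_acl="101", **STRONG)
NO_EXEMPT_1841 = site(*END_1841, nat_acl="101", nat_exempt=False)  # the classic NAT mistake

def _net(tok):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return IPv4Network(f"{tok[1]}/32"), tok[2:]
    mask = "32" if tok[1] == "0.0.0.0" else tok[1]  # ipaddress reads a wildcard as a host mask
    return IPv4Network(f"{tok[0]}/{mask}"), tok[2:]

def parse_acl(cfg, number):
    """Entries of extended ACL `number` as (action, src, dst), in configured order."""
    out = []
    for t in (line.split() for line in cfg.splitlines()):
        if len(t) >= 5 and t[:2] == ["access-list", number] and t[3] == "ip":
            src, rest = _net(t[4:])
            out.append((t[2], src, _net(rest)[0]))
    return out

def summarize(cfg):
    """Tunnel-relevant parameters of one router: peer, key address, WAN address, ACLs, weak algorithms."""
    find = lambda pat: re.search(pat, cfg, re.M).group(1)
    s = {"peer": find(r"^\s*set peer (\S+)"),
         "key_peer": find(r"^crypto isakmp key \S+ address (\S+)"),
         "crypto_acl": parse_acl(cfg, find(r"^\s*match address (\d+)")),
         "nat_acl": None, "wan": None, "weak": set()}
    nat = re.search(r"^ip nat inside source list (\d+)", cfg, re.M)
    if nat:
        s["nat_acl"] = parse_acl(cfg, nat.group(1))
    for block in re.split(r"^(?=interface )", cfg, flags=re.M)[1:]:
        if re.search(r"^\s*crypto map \S+\s*$", block, re.M):  # the interface carrying the map
            s["wan"] = re.search(r"^\s*ip address (\S+)", block, re.M).group(1)
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] in (["encr"], ["hash"]) and t[1] in WEAK:
            s["weak"].add(t[1])
        elif t[:1] == ["group"] and t[1] in WEAK_DH:
            s["weak"].add("dh-group-" + t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["weak"].update(w for w in t[4:] if w in WEAK)
    return s

def _nat_exempt(nat_acl, src, dst):
    """True if the first NAT ACL entry covering src->dst is a deny (or nothing matches)."""
    for act, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return act == "deny"
    return True  # implicit deny at the end of the ACL: nothing is translated

def lint_pair(name_a, cfg_a, name_b, cfg_b):
    """Cross-check both ends of the tunnel; return a list of findings (empty means clean)."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    findings = []
    for side, me, other in ((name_a, a, b), (name_b, b, a)):
        if me["peer"] != other["wan"]:
            findings.append(f"{side}: set peer {me['peer']} is not the far end's WAN address {other['wan']}")
        if me["key_peer"] != me["peer"]:
            findings.append(f"{side}: isakmp key bound to {me['key_peer']} but crypto map peers with {me['peer']}")
        permits = {(s, d) for act, s, d in me["crypto_acl"] if act == "permit"}
        if permits != {(d, s) for act, s, d in other["crypto_acl"] if act == "permit"}:
            findings.append(f"{side}: crypto ACL is not the mirror image of the far end's")
        for s, d in sorted(permits, key=str):
            if me["nat_acl"] is not None and not _nat_exempt(me["nat_acl"], s, d):
                findings.append(f"{side}: NAT is applied to tunnel traffic {s} -> {d}")
        findings += [f"{side}: weak algorithm {w}" for w in sorted(me["weak"])]
    return findings
```

Run lint_pair("871", POSTED_871, "1841", POSTED_1841) and the only findings are the algorithm warnings; the HARDENED pair comes back clean; NO_EXEMPT_1841 reproduces the symptom the answer warns about (LAN-to-LAN traffic translated before it reaches the crypto map). The NAT check honours ACL order the way the router does: the first entry covering the pair decides, so a deny placed after the "permit ip any any" is correctly reported as not exempting anything.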

Hello again,

Thanks for your answer, you are the Cisco man :). You are right about everything you wrote.

I'm still waiting for the delivery of the Cisco 877; maybe I will receive it today. But now I know how to do the VPN.

Thanks one more time.

Have a nice Christmas,

Tiago