12-15-2010 09:13 AM - edited 02-21-2020 05:01 PM
Hi everyone,
It’s the first time that I will configure a site-to-site VPN and I have some issues. On one side I have a Cisco 1841 from an ISP that is connected to a firewall. After the firewall I need to configure a Cisco 871 to “share” one VLAN with the other side using an IPsec VPN. Is it possible to implement this solution? Do I need NAT on the 1841? Until now I have only seen solutions using the router that makes the connection to the ISP.
Lan-871-firewall-1841----cloud----1841-lan
Can you please give me some help? I will start this implementation next week; until then I am studying how to do it.
Thanks,
Tiago
12-18-2010 10:29 AM
I assume you control the 871, which connects to the firewall and then to the 1841. Here I also assume that this is the 1841 that is managed by the ISP and which you don’t control. The other end of the tunnel, where the other 1841 is, I assume you have total control of. So based on these assumptions, this is how I’d configure the L2L:
-1841 (that you manage) WAN IP: 90.90.90.5
-1841 (that you manage) LAN network: 10.10.10.0/24
-871 WAN IP: 50.50.50.9
-871 LAN network: 10.20.20.0/24
871
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key L2L_password address 90.90.90.5 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 90.90.90.5
 set transform-set myset
 match address 120
interface FastEthernet4
 ip address 50.50.50.9 255.255.255.248
 crypto map mymap
access-list 120 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
1841
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key L2L_password address 50.50.50.9 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 50.50.50.9
 set transform-set myset
 match address 130
interface FastEthernet0/0
 ip address 90.90.90.5 255.255.255.248
 ip nat outside
 crypto map mymap
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
On your 871, I don't know how its outside interface is configured. Perhaps it has a private IP which is then translated to a public one at the ISP-managed 1841. If this is the case, then at the 1841 that you manage, you should put that public IP address that is translated to the private outside IP of the 871. I also left out some statements on the 871 because it is not doing the NAT. But if you have problems with the tunnel, then put those lines in the 871 to negate the tunnel traffic. Let me know if anything
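A consistency check for the two ends of the L2L in the answer above, added here as an example and not code from the thread: it parses the crypto-map ACL and the NAT source list on each side and confirms that the crypto ACLs are mirror images of each other and that, on the end doing PAT, the deny for tunnel traffic comes before the permit any. The config strings are a trimmed copy of the lines above; parse, mirror and check_l2l are names chosen for this example.

```python
import re

# Constructed sample: the lines of the thread's two configs that select tunnel traffic and exempt it from PAT.
CFG_871 = """
crypto map mymap 10 ipsec-isakmp
 match address 120
access-list 120 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
CFG_1841 = """
crypto map mymap 10 ipsec-isakmp
 match address 130
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
"""

def parse(cfg):
    # Collect the crypto-map ACL number, the NAT source-list number and every numbered ACL entry.
    d = {"match": None, "nat": None, "acls": {}}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"match address (\d+)", line):
            d["match"] = m[1]
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            d["nat"] = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)", line):
            d["acls"].setdefault(m[1], []).append((m[2], *m[3].split()))
    return d

def mirror(e):
    # Swap source and destination of an entry stored as (action, src, src_wc, dst, dst_wc).
    return (e[0], e[3], e[4], e[1], e[2]) if len(e) == 5 else e

def check_l2l(cfg_a, cfg_b):
    # Return the problems found; an empty list means the two ends agree.
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        crypto = x["acls"].get(x["match"], [])
        if [mirror(e) for e in crypto] != y["acls"].get(y["match"], []):
            problems.append(f"{name}: crypto ACL is not the mirror image of the other end's")
        if x["nat"]:  # only the end that does PAT needs the exemption
            nat = x["acls"].get(x["nat"], [])
            # Entries after 'permit ip any any' are never reached, so only look before it.
            cut = next((i for i, e in enumerate(nat) if e[1:] == ("any", "any")), len(nat))
            exempt = {e[1:] for e in nat[:cut] if e[0] == "deny"}
            if any(e[1:] not in exempt for e in crypto):
                problems.append(f"{name}: NAT ACL does not deny tunnel traffic before 'permit ip any any'")
    return problems
```

The check does not look at the ISAKMP policy or transform set; note that 3DES, MD5 and DH group 2 as used in these snippets are treated as legacy algorithms on current IOS releases.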
12-15-2010 10:24 AM
Do you control/manage both 1841s at each end? If so, then you can create the tunnel there. But based on the topology of the network you are providing, it looks like the 1841 where the firewall is might be an ISP-managed perimeter router. In this case that 1841 will just be acting as pass-through and doing other routing stuff, and the firewall will be the one where you will want to configure the IPsec. But if you don't control the firewall either, then we can build the tunnel on the 871. Who is doing your NATing?
12-15-2010 01:33 PM
Hello ciscobigcat,
I only control one 1841; the other one is managed by the ISP, and the firewall is a simple one that only has some ACLs, nothing more. The NATing is done by the ISP's 1841.
So basically I only need on both Cisco routers something like:
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNKEY address xxx.xxx.xxx.xxx
access-list 101 permit ip ........
crypto ipsec transform-set .....
crypto map MAPNAME 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set (set name)
 match address ...
crypto map MAPNAME
If this is correct, then it is just a normal VPN tunnel without NAT, and I can "ignore" the firewall and the 1841 because they will not interfere?
Thanks for your help
12-20-2010 02:29 AM
Hello again,
Thanks for your answer, you are the Cisco man :). You are right about everything you wrote.
I'm still waiting for the delivery of the Cisco 877; maybe today I will receive it. But now I know how to do the VPN.
Thanks one more time.
Have a nice Christmas,
Tiago