IPSec VPN: VLAN to host

leirbaek1
Level 1

Hi Cisco Gurus!

I am goofing around with Packet Tracer, and now I try to connect a VLAN to a remote host using an IPSec VPN connection. The problem is that I can ping all hosts on the remote network. Please take a look at my settings to help me get past this problem.

Screen shot of PT:

http://postimg.org/image/3w50ptw5z/

Basically what I want to do is permit traffic from VLAN 10 to the 10.0.0.20 server, and from VLAN 20 to the 10.0.0.21 server. At the moment I can ping both servers from both VLANs.

Crypto map from Router1

Router#sh crypto map
Crypto Map MYMAP 10 ipsec-isakmp
        Peer = 80.202.220.20
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.20
            access-list 101 deny ip 192.168.1.0 0.0.0.255 host 10.0.0.21
        Current peer: 80.202.220.20
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                MYSET,
        }
        Interfaces using crypto map MYMAP:
                Serial0/1/0

Crypto map from Router0

Router#sh crypto map
Crypto Map MYMAP 10 ipsec-isakmp
        Peer = 80.223.10.140
        Extended IP access list 101
            access-list 101 permit ip host 10.0.0.20 192.168.1.0 0.0.0.255
            access-list 101 deny ip host 10.0.0.21 192.168.1.0 0.0.0.255
        Current peer: 80.223.10.140
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                MYSET,
        }
        Interfaces using crypto map MYMAP:
                Serial0/1/0

There are no other ACLs on either router. This is actually for troubleshooting a larger setup, where one VLAN should be permitted to use an application server and the other VLAN should send backups to a backup server. So I narrowed it down to this setup, but still the same problem.

I can place an ACL on the router at the server park, but I want the IPSec ACLs to do this before the traffic reaches the WAN.

If you need more info, please ask!

Thanks in advance. I know this is a bit above my knowledge level, but I like to reach high.

Just a guess as you didn't post your config:

Also, without the IPSec you already have end-to-end connectivity where the VLANs on the right can reach the servers on the left? Then your crypto map only tells which traffic to protect (and you don't need the deny lines in your case). All traffic that doesn't have a permit in the crypto-ACL is processed "the normal way", which could be plain routing.

For a scenario that is more realistic, configure your routers in a way that each router can only reach the serial interface of the other router but not the networks behind the routers. That is also the situation on the internet: full connectivity between all router addresses, but it's not possible to reach the private addresses in the LANs from the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks, Karsten!

Yes, they can reach each other because I use static routes, which tutorials often use when demonstrating IPSec.

So this would not be an issue in a real-life environment, then? I thought that the VPN tunnel connected the two LANs, so that they were acting like one LAN (as long as the router knew where to find the 10.x.x.x LAN). I also thought that crypto-ACLs worked the same as normal ACLs, but that is not the case?

I also thought that crypto-ACLs worked the same as normal ACLs, but that is not the case?

No, they only control which traffic should be protected by IPsec. But they don't control which traffic can be routed through the router. For that, "normal" interface ACLs are still used.

For additional tests and learning you should add an ISP router between your Router0 and Router1 (not sure if Packet Tracer has this flexibility, I personally never used it). This ISP router should only know the WAN addresses of your Routers 0 and 1. Then it should work as you expect, in that only the traffic that is defined in the crypto map is possible between the two networks.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
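To make the difference Karsten describes concrete, here is an added example (not from the thread or from Cisco) that models first-match ACL evaluation with IOS wildcard masks and then applies the two different semantics: a crypto ACL only selects what gets encrypted, while an interface ACL decides what is forwarded at all. It uses the Router1 crypto ACL 101 from the post; the WAN interface ACL and the source host 192.168.1.10 are constructed assumptions.

```python
import ipaddress

# Crypto ACL 101 as shown for Router1 in the thread: (action, src, src_wildcard, dst, dst_wildcard).
CRYPTO_ACL_101 = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.20", "0.0.0.0"),
    ("deny",   "192.168.1.0", "0.0.0.255", "10.0.0.21", "0.0.0.0"),
]
# Same crypto ACL with the deny line removed: Karsten's point is that it changes nothing.
CRYPTO_ACL_NO_DENY = CRYPTO_ACL_101[:1]

# Constructed interface ACL (not from the thread) that would actually block the
# cleartext path: only the flow the crypto map protects may cross the WAN link.
WAN_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.20", "0.0.0.0"),
]

def _wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, s, sw, d, dw in acl:
        if _wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw):
            return action
    return "deny"

def crypto_map_decision(acl, src, dst):
    """Crypto ACL: permit selects traffic for IPsec; deny or no match means the
    packet is still forwarded, just unprotected (the behaviour the OP observed)."""
    return "ipsec" if acl_lookup(acl, src, dst) == "permit" else "cleartext"

def interface_acl_decision(acl, src, dst):
    """Interface ACL: permit forwards, deny (explicit or implicit) drops."""
    return "forward" if acl_lookup(acl, src, dst) == "permit" else "drop"

def reachable(src, dst, crypto_acl=CRYPTO_ACL_101, wan_acl=None):
    """Combined outcome for a LAN-to-server packet: 'ipsec', 'cleartext' or 'dropped'."""
    if wan_acl is not None and interface_acl_decision(wan_acl, src, dst) == "drop":
        return "dropped"
    return crypto_map_decision(crypto_acl, src, dst)

if __name__ == "__main__":
    for dst in ("10.0.0.20", "10.0.0.21"):
        print(dst, "crypto map only:", reachable("192.168.1.10", dst),
              "| with WAN ACL:", reachable("192.168.1.10", dst, wan_acl=WAN_ACL))
```

With the crypto map alone, pings to 10.0.0.21 come out as "cleartext" rather than blocked, which is exactly what the original poster saw in Packet Tracer.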

Thanks for the good answers, Karsten, this explains a lot, actually.