lan-to-lan ipsec vpn

brendorfer (Level 1)

Hello all,

I need to change my current VPN configuration from lan-to-lan to host-to-lan and I have a few questions. Maybe someone here can help me.

Current configuration:

SITE A:

- cisco 892

- subnet: 192.168.1.0/24

SITE B:

- cisco concentrator 3000

- subnet 192.168.2.0/24

I have access only on SITE A router.

At the moment all clients from site A can reach site B and vice versa.

Here is my acl from SITE A router:

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Now I need to change the VPN config to:

- IPsec VPN should be configured between 192.168.2.0/24 (SITE B) and 10.1.1.1/32 (the IP used to NAT all clients from SITE A towards SITE B)

The ACL on the SITE A router should become:

permit ip host 10.1.1.1 192.168.2.0 0.0.0.255

All clients from SITE A who want to reach SITE B are NAT-ed through 10.1.1.1. SITE B cannot reach the SITE A subnet, only 10.1.1.1.

Now the questions :

Should the IP address 10.1.1.1 be configured on a loopback interface?

How do I do the NAT configuration?

Thanks a lot.


blau grana (Level 7)

Hello Richard,

10.1.1.1 will be configured on a loopback interface. Below is a basic config:

! NAT pool address: every site A host appears to site B as 10.1.1.1
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
 ip nat outside
!
! LAN side
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN side, where the IPsec crypto map is applied
interface FastEthernet0/1
 ip address 23.0.0.2 255.255.255.0
 ip nat outside
 crypto map CMAP
!
! translate site A hosts to Loopback0's address (PAT) before encryption
ip nat inside source list VPN_NAT_ACL interface Loopback0 overload
!
ip access-list extended VPN_NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! crypto ACL matches the post-NAT source, not 192.168.1.0/24
ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip host 10.1.1.1 192.168.2.0 0.0.0.255

Best Regards
Please rate all helpful posts and close solved questions


Thank you a lot.

I had made almost the same configuration before posting; I did not set nat outside on the WAN interface.

Setting nat outside on the WAN interface seems to do the job.

I have one little problem now: I cannot reach 10.1.1.1 from SITE B.

Well, you should be able to reach it. Is routing on site B OK? Please check the ACL that identifies interesting traffic for IPsec; it should look like this:

ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip 192.168.2.0 0.0.0.255 host 10.1.1.1

NOT like this:

ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Best Regards
Please rate all helpful posts and close solved questions
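Why the accepted config works, and why site B's ACL has to be the one recommended just above, comes down to the order in which IOS applies NAT and the crypto map. The model below is an added example written for this page, not code from the thread or from Cisco: it uses the thread's addresses and ACL lines, but the SiteA class, its translation table (keyed by remote host, with no PAT port tracking) and the site_b_crypto_ok helper are this example's own simplifications. It shows that an inside-to-outside packet is translated to 10.1.1.1 before the crypto ACL is evaluated, that a decrypted packet from site B only reaches a 192.168.1.0/24 host when a translation entry already exists (otherwise it terminates on Loopback0, which is the "SITE B cannot reach the SITE A subnet" property the poster wanted), and that site B's crypto ACL must be the exact mirror of site A's post-NAT ACL.

```python
# Added example (not from the thread): a small model of IOS's NAT/IPsec order of
# operations using the thread's addresses. Simplifications (this example's own):
# no PAT port tracking (a translation is keyed by the remote host), and only
# contiguous wildcard masks are parsed. All sample packets are constructed.
import ipaddress


def parse_ace(line):
    """Parse 'permit ip <src> <dst>', each side being 'host A', 'any' or
    'A WILDCARD' (contiguous wildcard only). Returns (src_net, dst_net)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled: " + line)
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif len(rest) > 1 and rest[1] == "0.0.0.0":  # IOS 'A 0.0.0.0' = one host
            nets.append(ipaddress.ip_network(rest[0] + "/32"))
            rest = rest[2:]
        else:  # ipaddress accepts an IOS wildcard (host mask) after the '/'
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return nets[0], nets[1]


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def acl_matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)


def mirror(acl):
    """The crypto ACL the peer must configure: every entry with src/dst swapped."""
    return {(d, s) for s, d in acl}


class SiteA:
    """Site A router: inside 192.168.1.0/24, NAT pool address = Loopback0 (10.1.1.1)."""

    def __init__(self, nat_acl, crypto_acl, pool_ip="10.1.1.1"):
        self.nat_acl = parse_acl(nat_acl)
        self.crypto_acl = parse_acl(crypto_acl)
        self.pool_ip = ipaddress.ip_address(pool_ip)
        self.xlate = {}  # remote host -> inside host, created by outbound traffic

    def egress(self, src, dst):
        """Inside -> outside: 'ip nat inside source' runs before the crypto map,
        so the crypto ACL sees the translated source.
        Returns (source address on the wire, encrypted?)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if acl_matches(self.nat_acl, src, dst):
            self.xlate[dst] = src
            src = self.pool_ip
        return str(src), acl_matches(self.crypto_acl, src, dst)

    def ingress(self, src, dst):
        """Outside -> inside through the tunnel: decryption and the crypto policy
        check happen first, NAT outside->inside afterwards. With no translation
        entry the packet stays on the router (Loopback0 answers), so
        192.168.1.0/24 is never reachable from site B's initiative."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not acl_matches(self.crypto_acl, dst, src):  # inbound = mirrored policy
            return "dropped: fails IPsec policy check"
        if dst == self.pool_ip and src in self.xlate:
            return f"delivered to {self.xlate[src]}"
        return "terminates on Loopback0"


def site_b_crypto_ok(site_a_crypto_acl, site_b_crypto_acl):
    """True when site B's crypto ACL is the exact mirror of site A's post-NAT ACL."""
    return mirror(parse_acl(site_a_crypto_acl)) == set(parse_acl(site_b_crypto_acl))


# The thread's site A configuration
NAT_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
CRYPTO_ACL_A = ["permit ip host 10.1.1.1 192.168.2.0 0.0.0.255"]

if __name__ == "__main__":
    a = SiteA(NAT_ACL, CRYPTO_ACL_A)
    print(a.egress("192.168.1.50", "192.168.2.10"))   # ('10.1.1.1', True)
    print(a.ingress("192.168.2.10", "10.1.1.1"))       # return traffic reaches 192.168.1.50
    print(a.ingress("192.168.2.99", "10.1.1.1"))       # unsolicited: stops at Loopback0
    print(a.ingress("192.168.2.10", "192.168.1.50"))   # not in crypto policy: dropped
    # Site B: the ACL the reply recommends versus the one it warns against
    print(site_b_crypto_ok(CRYPTO_ACL_A, ["permit ip 192.168.2.0 0.0.0.255 host 10.1.1.1"]))
    print(site_b_crypto_ok(CRYPTO_ACL_A, ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"]))
```

Running it with an empty NAT ACL shows the other failure mode: the packet leaves with source 192.168.1.50, does not match the crypto ACL, and is sent in the clear rather than through the tunnel, which is why the NAT ACL and the crypto ACL have to describe the same traffic.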

The tunnel was up before the NAT, and I was also able to ping 10.1.1.1 from SITE B.

After the NAT, the tunnel is still up; I can ping SITE B from SITE A, but SITE B cannot ping 10.1.1.1.

If I disable the NAT on SITE A router, then ping to 10.1.1.1 from SITE B is working.

Can you provide the configuration of site A, and possibly site B if you have access?

Best Regards
Please rate all helpful posts and close solved questions

Sorry, my mistake. I had a wrong ACL set.

Ping is working from SITE B to SITE A as well.

Thank you.