Multiple L2L VPN on IOS Router-Help Needed

toddmanger
Level 1

I have multiple clients that require L2L VPN connections.  I currently use a Cisco 2821 ISR router for these VPN tunnels.  One of the tunnels requires NAT as they overlap our internal netspace.  Another client doesn't overlap and thus doesn't require NAT.

I have a need to add another client L2L to this router, and they also overlap.  I am posting my configs below, please review and advise if the setup looks correct.  The newly added client is in red.

TIA

Todd

--------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ############# address 216.195.69.102
crypto isakmp key ############# address 199.204.157.1
crypto isakmp key ############# address 99.188.156.230
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
crypto ipsec transform-set CBTS esp-3des esp-md5-hmac
crypto ipsec transform-set CIMC esp-aes esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 199.204.157.1
 set transform-set MEDSOLUTIONS
 match address MEDSOL-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
 set peer 216.195.69.102
 set transform-set CBTS
 match address CBTS-CRYPTO-ACL
crypto map VPN 3 ipsec-isakmp
 set peer 99.188.156.230
 set security-association lifetime seconds 28800
 set transform-set CIMC
 match address CIMC-CRYPTO-ACL
!
interface FastEthernet0/1
 ip address 173.210.58.198 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map VPN
!
ip route 10.10.131.63 255.255.255.255 173.210.58.193
ip route 10.208.0.0 255.255.248.0 173.210.58.193
ip route 99.188.156.230 255.255.255.255 173.210.58.193
ip route 172.23.1.0 255.255.255.0 173.210.58.193
ip route 199.204.157.1 255.255.255.255 173.210.58.193
ip route 216.195.69.102 255.255.255.255 173.210.58.193
!
ip nat pool MEDSOL 10.129.40.1 10.129.40.254 netmask 255.255.255.0
ip nat pool PUBLIC 173.210.58.198 173.210.58.198 netmask 255.255.255.252
ip nat inside source route-map MEDSOLUTIONS pool MEDSOL
ip nat inside source route-map nonat pool PUBLIC overload
ip nat inside source route-map nonat2 pool PUBLIC overload
!
ip access-list extended CBTS-CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
ip access-list extended CBTS-NAT-ACL
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.129.40.0 0.0.0.255 172.23.1.0 0.0.0.63
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended CIMC-CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
ip access-list extended CIMC-NAT-ACL
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended MEDSOL-CRYPTO-ACL
 permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended MEDSOL-NAT-ACL
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
route-map MEDSOLUTIONS permit 10
 match ip address MEDSOL-NAT-ACL
!
route-map nonat2 permit 10
 match ip address CIMC-NAT-ACL
!
route-map nonat permit 10
 match ip address CBTS-NAT-ACL
!

4 Replies

toddmanger
Level 1

It will be necessary with this new client to setup access to multiple different subnets and hosts from this tunnel and the config above will need to incorporate these.

10.208.1.100
10.208.1.95
10.208.4.160
10.208.2.0/24
10.208.5.0/24
10.209.1.3

Thank you for the help.

Jennifer Halim
Cisco Employee

Doesn't look quite correct.

Route-map "nonat" is literally the same as "nonat2", denying / NAT-exempting the subnets specified in the ACL, and the crypto ACL is also incorrect (source is 10.10.10.0/24; not sure where you define this subnet).

A few things to consider:

1) What is the remote LAN subnet?

2) What are the local LAN subnets? Which overlaps and which don't?

3) The crypto ACL needs to define the NATed subnet, and if you have multiple subnets that you would like to encrypt, then you need to define the same in the crypto ACL, and it needs to be a mirror image on the other end too.

4) For overlapping subnets, both ends need to be NATed to a different subnet.

Here is a sample configuration for overlapping networks:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

Hope that helps.
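Points 3 and 4 above come down to two things that can be checked mechanically: every flow a crypto ACL permits must be denied (NAT-exempted) by the ACL behind the overload route-map, because NAT runs before the crypto map on the way out and a translated packet no longer matches the crypto ACL; and for a tunnel whose local side is policy-NATed, the crypto ACL must name the translated pool addresses as source, not the real LAN. The following Python script is an added example, not code from the thread or from Cisco; it parses the subset of IOS `ip access-list extended` syntax the posted configs use (`permit|deny ip` with `any`, `host` and contiguous wildcard masks) and runs both checks. The ACL names are the ones from the original post; `BROKEN-NAT-ACL` is a constructed ACL with the exemptions left out, to show the failing case.

```python
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample modelled on the ACLs posted in the thread: the CBTS
# (no-NAT) and MEDSOL (policy-NAT) crypto ACLs, the CBTS NAT-exempt ACL,
# and BROKEN-NAT-ACL, a deliberately wrong NAT ACL with no exemptions.
SAMPLE_ACLS = """
ip access-list extended CBTS-CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
ip access-list extended CBTS-NAT-ACL
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended MEDSOL-CRYPTO-ACL
 permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended BROKEN-NAT-ACL
 permit ip 10.10.10.0 0.0.0.255 any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network. Only contiguous
    wildcards are accepted, which is all a crypto or NAT ACL should use."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip access-list extended' blocks into ordered (action, src, dst)
    entries. Only 'permit|deny ip' lines are kept, which is all these ACLs use."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif current and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, i = parse_endpoint(tokens, 2)
            dst, _ = parse_endpoint(tokens, i)
            acls[current].append((tokens[0], src, dst))
    return acls


def first_match(entries: List[Entry], src, dst) -> str:
    """Action of the first entry that covers the whole src->dst flow.
    IOS ends every ACL with an implicit deny."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"


def check_nat_exemption(acls, crypto_acl: str, nat_acl: str) -> List[str]:
    """Every flow the crypto ACL permits must hit a deny in the overload
    route-map's ACL, or it is PATed to the public address before the crypto
    map sees it and the tunnel never carries it."""
    problems = []
    for action, src, dst in acls[crypto_acl]:
        if action == "permit" and first_match(acls[nat_acl], src, dst) != "deny":
            problems.append(f"{src} -> {dst}: permitted by {crypto_acl} "
                            f"but not exempted in {nat_acl}")
    return problems


def check_translated_source(acls, crypto_acl: str, pool: str) -> List[str]:
    """For a policy-NATed tunnel the crypto ACL source must be the pool
    (translated) addresses, not the real LAN subnet."""
    pool_net = ipaddress.IPv4Network(pool)
    return [f"{src} -> {dst}: source is not inside NAT pool {pool}"
            for action, src, dst in acls[crypto_acl]
            if action == "permit" and not src.subnet_of(pool_net)]


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for result in (check_nat_exemption(acls, "CBTS-CRYPTO-ACL", "CBTS-NAT-ACL"),
                   check_nat_exemption(acls, "CBTS-CRYPTO-ACL", "BROKEN-NAT-ACL"),
                   check_translated_source(acls, "MEDSOL-CRYPTO-ACL", "10.129.40.0/24"),
                   check_translated_source(acls, "CBTS-CRYPTO-ACL", "10.129.40.0/24")):
        print(result or "ok")
```

Paste the ACL section of a running config into `SAMPLE_ACLS` (or read it from a file) and run one `check_nat_exemption` per no-NAT tunnel and one `check_translated_source` per policy-NATed tunnel. The checker only reasons about the local router; the mirror-image requirement on the far end still has to be verified against the peer's configuration.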

The problem I seem to be having is with NAT.  The latest VPN tunnel shouldn't be NATing as both networks are 10.x.x.x.  I cannot figure out how to make this client (Client 3) work while maintaining the first two tunnels.

Any help is greatly appreciated!

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
! Client1
crypto isakmp key XXXXXXXXXXXXX address 216.1.1.1
! Client2
crypto isakmp key XXXXXXXXXXXXX address 199.1.1.1
! Client3
crypto isakmp key XXXXXXXXXXXXX address 99.1.1.1
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Client1 esp-3des esp-sha-hmac
crypto ipsec transform-set Client2 esp-3des esp-md5-hmac
crypto ipsec transform-set Client3 esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 199.1.1.1
 set transform-set Client1
 match address Client1-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
 set peer 216.1.1.1
 set transform-set Client2
 match address Client2-CRYPTO-ACL
crypto map VPN 3 ipsec-isakmp
 set peer 99.1.1.1
 set security-association lifetime seconds 28800
 set transform-set Client3
 match address Client3-CRYPTO-ACL
!
interface FastEthernet0/0
 description INSIDE LAN INTERFACE
 ip address 10.10.x.111 xxx.xxx.xxx.
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address 173.x.x.58.198 255.x.x.x
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map VPN
!
ip route 10.10.131.63 255.255.255.255 173.210.58.193
ip route 10.10.131.63 255.255.255.255 12.195.64.10
ip route 10.208.0.0 255.255.248.0 173.210.58.193
ip route 10.209.0.0 255.255.248.0 173.210.58.193
ip route 99.188.156.230 255.255.255.255 173.210.58.193
ip route 172.23.1.0 255.255.255.0 173.210.58.193
ip route 199.204.157.1 255.255.255.255 173.210.58.193
ip route 216.195.69.102 255.255.255.255 173.210.58.193
!
ip http server
ip http authentication local
no ip http secure-server
ip nat pool Client1 10.129.40.1 10.129.40.254 netmask 255.255.255.0
ip nat pool Client2 173.210.58.198 173.210.58.198 netmask 255.255.255.252
ip nat inside source route-map Client1 pool Client1
ip nat inside source route-map nonat pool Client2 overload
!
ip access-list extended Client2-CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
ip access-list extended Client2-NAT-ACL
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 deny   ip 10.10.10.0 0.0.0.255 10.209.0.0 0.0.7.255
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.129.40.0 0.0.0.255 172.23.1.0 0.0.0.63
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended Client3-CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 permit ip 10.10.10.0 0.0.0.255 10.209.0.0 0.0.7.255
ip access-list extended Client3-NAT-ACL
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 deny   ip 10.10.10.0 0.0.0.255 10.209.0.0 0.0.7.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended Client1-CRYPTO-ACL
 permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended Client1-NAT-ACL
 deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
 deny   ip 10.10.10.0 0.0.0.255 10.209.0.0 0.0.7.255
 deny   ip 10.10.10.0 0.0.0.255 10.208.0.0 0.0.7.255
 deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63
 permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
route-map Client1 permit 10
 match ip address Client1-NAT-ACL
!
route-map nonat permit 10
 match ip address Client2-NAT-ACL
!

toddmanger
Level 1

Bump