09-27-2012 10:33 PM
Hello,
I configured a site-to-site VPN between a Cisco 891 and a Linksys RV042, following these steps:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml
The VPN works only for computers without NAT.
I already asked a big company (Cisco Professionals) from my town for help and they didn't solve my problem.
How can I solve that?
Network 1 - Cisco Router
Local : 192.168.1.0
WAN: 188.xx.xxx.157
NAT: 86.xx.xx.148 , 192.168.1.4
NAT: 86.xx.xx.150 , 192.168.1.2
Network 2 - Linksys Router
Local: 192.168.2.0
WAN: 82.xx.xx.180
NO NAT
Ping works for 192.168.1.5 and 192.168.2.2, etc.
Ping is not working between 192.168.1.2 and 192.168.2.2.
Thanks
09-27-2012 10:51 PM
My cisco configuration is:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hostrtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$BQHg$S45Vcx456HPc567gLfF.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-41548103
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-41548103
revocation-check none
rsakeypair TP-self-signed-41548103
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-41548103
certificate self-signed 01
quit
crypto pki certificate chain tti
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 193.xxx.xxx.1 213.xxx.xxx.1
default-router 192.xxx.1.1
!
ip dhcp pool calcwork2
host 192.168.1.2 255.255.255.0
client-identifier 01d4.ae34.8989.3f
!
ip dhcp pool calcWork1
host 192.168.1.4 255.255.255.0
client-identifier 01b8.ac34.9787.df
!
!
ip cef
no ip bootp server
ip domain name hsdfra.com
ip name-server 193.xxx.xxx.1
ip name-server 213.xxx.xxx.1
ip ips config location flash:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FCZ4dfgC45X
!
!
username admin privilege 15 secret 5 $1$AJNK$v34NddggdfQSPJ715e20
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
quit
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 114
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 116
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
match access-group 122
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
match access-group 120
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat--1
match access-group 101
class-map type inspect match-all sdm-nat--2
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
match access-group 124
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
inspect
class type inspect sdm-nat--2
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class type inspect sdm-cls-VPNOutsideToInside-5
inspect
class type inspect sdm-cls-VPNOutsideToInside-6
inspect
class type inspect sdm-cls-VPNOutsideToInside-7
inspect
class type inspect sdm-cls-VPNOutsideToInside-8
inspect
class type inspect sdm-cls-VPNOutsideToInside-9
inspect
class type inspect sdm-cls-VPNOutsideToInside-10
inspect
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key keyshared1 address 82.xx.xx.180
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set Cisco esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.xx.xx.180
set peer 82.xx.xx.180
set transform-set ESP-3DES-SHA5
match address 115
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to82.xx.xx.180
set peer 82.xx.xx.180
set transform-set ESP-3DES-SHA7
match address 121
!
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Tunnel to82.xx.xx.180
set peer 82.xx.xx.180
set transform-set ESP-3DES-SHA8
match address 123
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 188.xx.xxx.157 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_3
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static 192.168.1.4 86.xx.xx.148
ip nat inside source static 192.168.1.2 86.xx.xx.150
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 188.xx.xx.128 0.0.0.127 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.4
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 82.xx.xx.180 any
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 109 remark CCP_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark CCP_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 remark CCP_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 remark CCP_ACL Category=4
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark CCP_ACL Category=4
access-list 121 remark IPSec Rule
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 remark CCP_ACL Category=4
access-list 123 remark IPSec Rule
access-list 123 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 124 remark CCP_ACL Category=0
access-list 124 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
length 0
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
09-27-2012 10:56 PM
Here is what you would need to configure:
access-list 130 deny ip host 192.168.1.4 192.168.2.0 0.0.0.255
access-list 130 permit ip host 192.168.1.4 any
access-list 131 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255
access-list 131 permit ip host 192.168.1.2 any
route-map nonat4 permit 10
match ip address 130
route-map nonat2 permit 10
match ip address 131
no ip nat inside source static 192.168.1.4 86.xx.xx.148
no ip nat inside source static 192.168.1.2 86.xx.xx.150
ip nat inside source static 192.168.1.4 86.xx.xx.148 route-map nonat4
ip nat inside source static 192.168.1.2 86.xx.xx.150 route-map nonat2
Then "clear ip nat trans *" after the above changes.
That should resolve your issue.
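The answer above can be checked against the inside-to-outside order of operations on the router (NAT is applied before the crypto map ACL is evaluated). The following is an added model, not the poster's or Cisco's code: it replays the posted ACLs and NAT entries to show why a statically translated host misses crypto ACL 123 and how the route-maps fix it. The public addresses are masked on the page, so 203.0.113.x and 198.51.100.157 are placeholders for 86.xx.xx.148, 86.xx.xx.150 and the GigabitEthernet0 address.

```python
import ipaddress

# Constructed model (not the poster's code) of the inside-to-outside order of
# operations on the Cisco 891: NAT runs first, then the crypto map ACL is
# checked against the (possibly translated) source address.
# 203.0.113.x / 198.51.100.157 are placeholders for the masked public addresses.

def acl_permits(acl, src, dst):
    """Evaluate an ordered list of (action, src_net, dst_net); implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s_ip in ipaddress.ip_network(s_net) and d_ip in ipaddress.ip_network(d_net):
            return action == "permit"
    return False

ANY = "0.0.0.0/0"
CRYPTO_ACL_123 = [("permit", "192.168.1.0/24", "192.168.2.0/24")]
ACL_106 = [("deny", "192.168.1.0/24", "192.168.2.0/24"),      # route-map SDM_RMAP_1
           ("permit", "192.168.1.0/24", ANY)]
ACL_130 = [("deny", "192.168.1.4/32", "192.168.2.0/24"), ("permit", "192.168.1.4/32", ANY)]
ACL_131 = [("deny", "192.168.1.2/32", "192.168.2.0/24"), ("permit", "192.168.1.2/32", ANY)]

# Static entries as (inside, outside, route-map ACL or None).
ORIGINAL_STATIC = [("192.168.1.4", "203.0.113.148", None),
                   ("192.168.1.2", "203.0.113.150", None)]
CORRECTED_STATIC = [("192.168.1.4", "203.0.113.148", ACL_130),
                    ("192.168.1.2", "203.0.113.150", ACL_131)]
GI0_ADDRESS = "198.51.100.157"   # placeholder for the masked WAN address

def nat_inside_to_outside(src, dst, static_entries):
    """Return the source address after 'ip nat inside source' processing."""
    for inside, outside, rmap_acl in static_entries:
        if src == inside:
            # A static entry without a route-map translates unconditionally;
            # with a route-map it translates only when the ACL permits.
            if rmap_acl is None or acl_permits(rmap_acl, src, dst):
                return outside
            break
    # No static translation: the overload rule applies when SDM_RMAP_1 permits.
    return GI0_ADDRESS if acl_permits(ACL_106, src, dst) else src

def uses_tunnel(src, dst, static_entries):
    """True if the packet still matches crypto ACL 123 after NAT."""
    translated = nat_inside_to_outside(src, dst, static_entries)
    return acl_permits(CRYPTO_ACL_123, translated, dst)

if __name__ == "__main__":
    for entries, label in ((ORIGINAL_STATIC, "original"), (CORRECTED_STATIC, "with route-maps")):
        for host in ("192.168.1.5", "192.168.1.2"):
            print(f"{label:16} {host} -> 192.168.2.2: tunnel={uses_tunnel(host, '192.168.2.2', entries)}")
```

With the original entries 192.168.1.2 leaves as 203.0.113.150 and is sent out in the clear; with the route-maps it stays 192.168.1.2 for 192.168.2.0/24 and is still translated for everything else.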
09-28-2012 08:37 AM
Thanks for your answer.
I will try this, but I must log in to the console (it is difficult for me).
Do you know how to do this with Cisco Configuration Professional?
Thanks
09-29-2012 08:23 PM
Apologies, but I don't have access to CCP handy to show you the configuration via CCP.
Try to telnet to the router and configure it via CLI.