ā04-26-2017 01:19 PM
Hi ! I 've have issues with configuration site to site tunnel between cisco firewall router 2921 with nat and remote host which is vyos.
As to the lab environment, setting up site to site beetwen two cisco routers is pretty easy, but in real life with NAT and firewall ios router it's not.
What I would like to achieve is to connect my internal network 192.168.25.0/24(behind nat) to remote network 192.168.20.0/23
(the diagram is attached below as jpg file) Could you help me ? What am I doing wrong.
Let me show you my vpn isakmp and ipsec conf first:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key cisco address X.X.X.110 (VYOS REMOTE PEER)
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
description VPN Connection to Vyos
set peer x.x.x.110
set transform-set VPN-SET
match address 110
!
access-list 110 permit udp any any eq isakmp log
access-list 110 permit udp any any eq non500-isakmp log
access-list 110 permit ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255
I've found somewhere information that I also should exclude protected traffic from being nate'ed
so I put it in "ip nat inside source list "nat-trafic:
ip access-list extended nat-traffic
permit ip 192.168.25.0 0.0.0.255 any
permit ip 192.168.26.0 0.0.0.255 any
deny ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255 log
My conf:
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN$ETH-LAN$
ip address 192.168.26.254 255.255.255.0 secondar
ip address 192.168.25.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
ip address x.x.x.94 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map VPN-MAP
!
interface GigabitEthernet0/2
description wireless
no ip address
shutdown
duplex auto
speed auto
ip nat pool natpool x.x.x.97 x.x.x.98 netmask 255.255.255.240
ip nat inside source list nat-traffic pool natpool overload
class-map type inspect match-any inside_to_outside
match protocol icmp
match protocol isakmp
match protocol ipsec-msft
match protocol https
match protocol user-vpn
class-map type inspect match-all outside_to_inside
match access-group name wan_to_lan
ip access-list extended wan_to_lan
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq domain
permit tcp any eq domain any
policy-map type inspect policy_inside_to_outside
class type inspect inside_to_outside
inspect
class class-default
drop log
policy-map type inspect policy_outside_to_inside
class type inspect outside_to_inside
inspect
class class-default
drop
!
zone security outside
description outside untrusted zone
zone security inside
description inside trusted zone
zone-pair security inside_to_outside source inside destination outside
service-policy type inspect policy_inside_to_outside
zone-pair security outside_to_inside source outside destination inside
service-policy type inspect policy_outside_to_inside
zone-pair security outside_to_self source outside destination self
service-policy type inspect policy_out_to_self
------------------------------
Vyos configuration:
#2921 25
set protocols static route X.X.x.94/32 next-hop x.x.x.97
edit vpn ipsec site-to-site peer X.X.X.94
set description '-- 2921 .25 --'
set authentication mode pre-shared-secret
set authentication pre-shared-secret 'cisco'
set ike-group IKE-3des-sha1-g2-8h
set local-address x.x.x.110
set tunnel 1 esp-group ESP-3des-sha1
set tunnel 1 local prefix 192.168.20.0/23
set tunnel 1 remote prefix 192.168.25.0/24
top
ā04-26-2017 04:01 PM
Hi Andrew,
First thing is that you configured nat ACL in wrong manner. Access list should be like this:-
ip access-list extended nat-traffic
deny ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255
permit ip 192.168.25.0 0.0.0.255 any
permit ip 192.168.26.0 0.0.0.255 any
Second you have to remove first two statements from your crypto acl and it should be like the following:-
access-list 110 permit ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255
Third you have to modify wan to lanaccess list. It should be like the following:-
ip access-list extended wan_to_lan
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq domain
permit tcp any eq domain any
permit udp any any eq isakmp log
permit udp any any eq non500-isakmp log
permit esp any any log
NOTE:- you can replace these last three statements any with vpn peers ip's
If it is useful, please rate it.
ā04-27-2017 12:32 AM
Hi ! Thx, I've made changes to config, but still no luck, I've launched kiwi syslog server to see if sth is blocked but there is not. I've also issued "debug crypto isakmp" but there is no data.
Any ideas ?
Regards,
ā04-27-2017 01:20 AM
Please add "hash sha1" in crypto isakmp policy. Please see in bold.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
hash sha1
There is one more zone pair outside_to_self. Can you post the all config related to that like class-map, policy-map etc.
Also verify the following:-
1) Are you able to ping Vyos public ip from cisco router?
2) Are you able to ping Vyos public ip from Pc connected behind cisco router?
ā04-27-2017 06:32 AM
Hi !
I've added hash sha to crypto map (there is no hash1), but after issuing show running-conf I don't see it.
Policy out to self:
policy-map type inspect policy_out_to_self
class type inspect ntp
pass log
class class-default
drop log
class-map type inspect match-any ntp
match protocol ntp
match protocol icmp
match access-group 155
access-list 155
access-list 155 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.254 eq www
access-list 155 permit ip host 192.168.25.73 host 192.168.25.254
---
as to the icmp,
I can ping vyos public ip from my router, but I can't do it from
my internal network.
Regards,
ā04-27-2017 07:01 AM
Please verify the following:-
Are you able to ping 192.168.25.254 (router's LAN interface IP) from internal network?
Are you able to ping x.x.x.94 (router's WAN IP) from internal network?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide