08-19-2024 10:17 AM
I have a fairly simple VPN setup with two physical locations but I can't seem to get it working.
Each location has the same router C1111-4P
The first location has subnet 192.168.0.0 and the second location has subnet 192.168.3.0
I have a zone-based firewall setup on the routers but I have tried running without it and the results were the same.
I simply want both subnets to freely communicate with each other. I am not very experienced with setting up routers of this level so I think I need help with my config.
-----------------
Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-546068985
revocation-check none
rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E....
quit
crypto pki certificate chain TP-self-signed-546068985
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312.....
quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
class-map type inspect match-all brvpn
description vpn subnets
match access-group name brvpn
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect vpn-port
pass
class type inspect brvpn
pass
class type inspect vta-in
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect brvpn
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 20.20.20.2
set transform-set myset
match address brvpn
!
!
!
interface GigabitEthernet0/0/0
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end
08-19-2024 10:30 AM
@BrianVentura configure NAT exemption for the VPN traffic to ensure it is not translated by your overload rule. Change your ACL #1 to an extended ACL and deny traffic between the VPN networks on the first line, then permit all traffic to be translated.
Example:
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any
!
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
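To show why the exemption matters, here is an added Python model (not code from either poster) of the inside-to-outside order of operations on an IOS router, where NAT is applied before the crypto map is consulted: with the original standard ACL 1 the site-to-site traffic is PAT-translated to the Gi0/0/1 address and no longer matches the crypto ACL brvpn, while the suggested extended NAT ACL leaves it untranslated so it is encrypted. ACL contents and addresses are taken from the thread; the packet addresses used at the bottom are constructed.

```python
import ipaddress

# Constructed model of the thread's ACLs; wildcard masks are written as in IOS.

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (contiguous wildcard) into a network."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask_int))), strict=False)

ANY = wildcard_to_network("0.0.0.0", "255.255.255.255")
LOCAL_LAN = wildcard_to_network("192.168.0.0", "0.0.0.255")
REMOTE_LAN = wildcard_to_network("192.168.3.0", "0.0.0.255")
OUTSIDE_IP = "10.10.10.2"  # Gi0/0/1 address from the posted config

# Standard ACL 1 as posted: matches on source only, so destination is "any".
NAT_ACL_ORIGINAL = [("permit", LOCAL_LAN, ANY)]
# Extended ACL "NAT" as suggested in the reply: deny = exempt from translation.
NAT_ACL_FIXED = [("deny", LOCAL_LAN, REMOTE_LAN), ("permit", ANY, ANY)]
# Crypto ACL brvpn referenced by "match address brvpn" in the crypto map.
CRYPTO_ACL_BRVPN = [("permit", LOCAL_LAN, REMOTE_LAN)]

def acl_matches(acl, src: str, dst: str) -> bool:
    """First-match evaluation with IOS's implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def inside_to_outside(nat_acl, src: str, dst: str):
    """Return (source seen on the wire, encrypted?) for one inside-to-outside packet.
    NAT runs first; the crypto map then evaluates the post-NAT source address."""
    if acl_matches(nat_acl, src, dst):
        src = OUTSIDE_IP  # PAT overload rewrites the source to the outside interface
    return src, acl_matches(CRYPTO_ACL_BRVPN, src, dst)

if __name__ == "__main__":
    for name, acl in (("ACL 1 (original)", NAT_ACL_ORIGINAL), ("ACL NAT (fixed)", NAT_ACL_FIXED)):
        wire_src, enc = inside_to_outside(acl, "192.168.0.10", "192.168.3.10")
        print(f"{name}: source on wire {wire_src}, matches crypto ACL: {enc}")
```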