Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4603
Views
0
Helpful
10
Replies

site to site ipsec in cisco 2821

Go to solution
darwin_valdez
Level 1
Level 1

‎04-05-2010 09:52 PM - edited ‎02-21-2020 04:34 PM

Hi All,

We have 2821 router both at our main and remote office. The main and remote office is connected thrue site to site IPSec VPN using pre-shared authentication. Our ftp, database, remote desktop, and web server are located in our main office.

1. We can access the database, remote desktop, and web(.html and .jsp) server from our remote office using the tunnel to main office without problem.

2. But when remote office tried to access  the main office web server(.php), we cannot fetch or view the site.

3. We cannot access the ftp server locally using the Tunnel. We need to use internet and use port forwarding to access our  main  office ftp server, instead of just using the tunnel.

Thanks for the help in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to darwin_valdez

‎04-06-2010 03:53 AM

Try the actual ip address of the outside interface as follows:

ip nat inside source static tcp 10.1.2.100 22 22 route-map ftp-NAT extendable

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-05-2010 10:23 PM

Hi,

Might be an issue with the configuration. Can you post the router´s config?

Federico.

0 Helpful

Go to solution
darwin_valdez
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-06-2010 02:20 AM

Hi Federico,

This is the config at the both end of the routers.

Remote Router Config

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key xxxxxxxxxx address 111.111.111.1

!
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac

!
crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to Main Office
  set peer 111.111.111.1
  set security-association lifetime seconds 3600
  set transform-set ESP-3DES-SHA9
  match address 103

!
interface GigabitEthernet0/0
  description $ETH-WAN$
  ip address 222.222.222.2 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
  description $ETH-LAN$
  ip address 10.1.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
!
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!

access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Main Router Config

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2

crypto isakmp key xxxxxxxxxx address 222.222.222.2
!
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac

!
crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to Remote Office
  set peer 222.222.222.2
  set security-association lifetime seconds 3600
  set transform-set ESP-3DES-SHA9
  match address 103
!
!
!
!
interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
  ip address 111.111.111.1 255.255.255.252
 ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto

crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
  description $ES_LAN$$FW_INSIDE$
  ip address 10.1.2.1 255.255.255.0
 ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.2.100 22 interface GigabitEthernet0/0 22
!
access-list 101 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
access-list 103 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎04-06-2010 01:16 AM

I assume that the FTP server has static translation configured. If that is the case, please remember to configure route-map at the end of the static translation to deny translation from the ftp server private ip address towards the remote LAN, and allow everything else after the deny statement.

Example:

FTP server ip of 10.1.1.1, translated to 200.1.1.1

access-list 120 deny ip host 10.1.1.1

access-list 120 permit ip host 10.1.1.1 any

route-map ftp-NAT permit 10

     match ip address 120

ip nat inside source static 10.1.1.1 200.1.1.1 route-map ftp-NAT

Hope that helps.

0 Helpful

Go to solution
darwin_valdez
Level 1
Level 1
In response to Jennifer Halim

‎04-06-2010 02:42 AM

Hi Halijenn,

I also tried your example and the result is just the same. Please see the error log of the remote office using filezilla ftp client.

Status:    Connecting to 10.1.2.100...
Response:    fzSftp started
Command:    open "ftpuser@10.1.2.100" 22
Error:    Connection timed out
Error:    Could not connect to server

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to darwin_valdez

‎04-06-2010 02:58 AM

Can you please confirm if you have the following configuration:

ip nat inside source static tcp 10.1.2.100 22 interface GigabitEthernet0/0 22 route-map ftp-NAT

access-list 120 deny ip host 10.1.2.100 10.1.1.0 0.0.0.255
access-list 120 permit ip host 10.1.2.100 any

route-map ftp-NAT permit 10
     match ip address 120

Please also make sure that you delete the original "ip nat inside source static tcp 10.1.2.100 22 interface  GigabitEthernet0/0 22" after configuring the above, and also clear the translation table before you test the connection.

Another thing is you mentioned you were trying to FTP, but you were using port 22, do you mean you were trying to SSH to 10.1.2.100?

0 Helpful

Go to solution
darwin_valdez
Level 1
Level 1
In response to Jennifer Halim

‎04-06-2010 03:41 AM

Hi Halijenn,

We were using SFTP port 22 on our ftp. I cannot add "route-map ftp-NAT" at the end of static translation.

ip nat inside source static tcp 10.1.2.100  22 interface gigabitEthernet0/0 2
2 route-map ftp-NAT
  ^
% Invalid input detected at '^' marker.

But i have,

access-list 120 deny ip host 10.1.2.100 10.1.1.0 0.0.0.255
access-list 120 permit ip host 10.1.2.100 any

route-map ftp-NAT permit 10
     match ip address 120

configured in the router.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to darwin_valdez

‎04-06-2010 03:53 AM

Try the actual ip address of the outside interface as follows:

ip nat inside source static tcp 10.1.2.100 22 22 route-map ftp-NAT extendable

0 Helpful

Go to solution
darwin_valdez
Level 1
Level 1
In response to Jennifer Halim

‎04-06-2010 04:13 AM

Hi Halijenn,

It is now working. Thank you very much!

0 Helpful

Go to solution
droeun141
Level 1
Level 1
In response to Jennifer Halim

‎04-06-2010 09:51 AM

What's the purpose of the extendable option in this setup? I've been digging around the web but still can't seem to wrap my head around it.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to droeun141

‎04-06-2010 12:53 PM

You know I don't remember right now what the extendable option is supposed to do, but in my experience it just does not make any difference if you have it or not.

Federico.

0 Helpful
Customers Also Viewed These Support Documents