05-14-2012 10:34 PM
Dear friends.. I have a couple of doubts regarding the VPN connectivity .. between my site and another WAN site ...
can someone please look at the below and clear my doubts ..
1. I am given a public IP from the remote site which will be my peer address...
2. on my router I don't have any public IP .. I have a machine inside my network which is on a private IP and I am natting this private IP onto a public IP from the router.
3. do I need a public IP on the router also ... ? if yes then .. should I go for a loopback address ...? but then how to protect my router from attacks if I put this on a public IP... I have a default route on my router which points to the ISP router.
4. I am using CCP to configure the same ... and the error I am getting is tunnel down and a routing error also ..
5. what ACL do I need to create ... I just need to allow RDP .. secondly the protected network will be my inside and his inside only .. correct me if I am wrong ..
Thanks for the time and help ..
SRC Cisco 1800 == WAN ==> DSTN Router ==> CHKPoint VPN device
05-15-2012 01:57 AM
guys any help..
05-15-2012 08:47 AM
guys any help.... are these such dumb questions ...?
05-15-2012 11:31 AM
Hi Jatinder,
Refer to the link below for IPsec configuration on IOS:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml
It will be helpful.
Regards,
RV
05-17-2012 04:05 AM
Dear Rohan,
can you please provide me the answers to my above queries as I have to implement the same for a project .. thanks ... I would surely go through the link
05-17-2012 12:48 PM
Hi Jatinder,
You don't need a public IP on your device for your site, your device is already being seen with a public IP as a result of the NAT.
You need to ensure you have the public IP for the other VPN site and give the personnel at the other end your Public IP within the NAT not the private.
The two devices should be able to detect if there is a NAT and reconfigure to use NAT traversal to setup the tunnel.
Are you getting any specific errors during the setup?
05-18-2012 09:55 PM
thanks for the reply .. yes I am getting multiple errors .. the first is about routing ... as I have a default route... to my ISP .. do I need some other route....? I don't think so ... please advise.. I am using CCP to configure the same and it's asking for an internal IP also to be protected .. so this will be their LAN ...
will post you the screenshot ASAP..
any comments please add
05-19-2012 12:21 AM
Hello Jatinder,
You do not need any particular route, just the default one pointing to your default gateway.
I am going to try to respond to all of your queries.
You need a public IP address on the internet router; you will perform a no_nat configuration for the communication between the two end networks.
Now if you only want to allow RDP via the L2L tunnel, you can specify that on the crypto ACL (just match TCP port 3389).
If you want, you can provide me the 2 internal networks on both sides and I can try to build an example for you!
Regards,
Do rate all the helpful posts....
Julio
Cisco Security Engineer
05-29-2012 12:39 PM
Thanks for the reply.. sorry it took loads of time to get back on this ...
ok first of all my internal networks ...
site A : 10.10.11.3/32 single machine to be accessed by the second side
Site B : 172.17.24.169 which is then natted on the device to another internal IP but I am asked to do the VPN on this.
I tried doing this and below is my config .. I think as suggested by you I missed a few things ...
1. do I need to remove the NAT from the 11.3 IP .. I think you mean yes...
2. I don't have a public IP on the router because of security .. so if I configure one on a loopback .. any best practices to protect the same from public attacks.
Thanks for the help ... this is a pre-shared-key site to site tunnel .. one more thing which got a bit odd today was.. when I configured this .. although I didn't do the "no nat" thing .. I don't know from where I got another IP next to the pre-shared key and after the set peer command ... which is not from my network nor I think from the remote network ...
MIRROR CONFIG FROM ROUTER
crypto isakmp policy 1
authentication pre-share
encr aes 256
hash sha
group 2
lifetime 3600
exit
crypto isakmp key XXYYZZ@ address 172.30.7.194 [NOT MY ADDRESS FROM ANY SITE]
crypto ipsec transform-set CLIENT_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
mode tunnel
exit
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address
set transform-set CLIENT_Transformation
set peer 172.30.7.194 [NOT MY ADDRESS FROM ANY SITE]
match address SDM_1
exit
I know I am missing something .. please advise .. is it no nat.. or are there other config mistakes also.. or is it just the public IP on the router... and what is that IP in red above ...?
05-29-2012 12:51 PM
just typed a lot and don't know where it went .. very bad ...
thanks Julio for the reply ... now I have to type it all again, it was a lot ..
no worries... ok first to answer your questions ..
Site A : 10.10.11.3/32
Site B : 172.17.24.169/32 this is then natted to some other private IP but I am asked to configure the VPN on this
secondly I don't have any public IP on my router, all are configured on internal machines and then the router which acts as a gateway is doing NAT for the private IP and the ISP is routing our public IP. so no direct public IP and I don't even want to give one .. but if this is a restriction then I will give it. that means the public IP of the router will act as the peer.. or will the peer IP still be the IP of the internal machine .. don't know .. because you were saying above that we have to perform no nat.. which actually I haven't done .. so my 11.3 IP is getting natted to some public IP and I want to create a tunnel between that specific machine only. so where will my tunnel be .. router to site B or internal machine to site B... please advise..
and now the big confusion .. I did the config today .. and then when I did the mirror config just to see.. I saw some other private IP .. below is my config .. the IP next to the pre-shared key.. and the peer address, I don't know from where it came,,, any idea what's that ...?
172.30.7.194 [NOT MY ADDRESS FROM ANY SITE]
**********
crypto isakmp policy 1
authentication pre-share
encr aes 256
hash sha
group 2
lifetime 3600
exit
crypto isakmp key XXYYZZ#$%^@ address 172.30.7.194
crypto ipsec transform-set client_Transformation ah-sha-hmac esp-sha-hmac esp-aes 256
mode tunnel
exit
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 172.17.24.169 0.0.0.0 10.10.11.3 0.0.0.0
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address
set transform-set client_Transformation
set peer 172.30.7.194
match address SDM_1
exit
please advise .. what am I missing .. thanks loads now .. "no nat" .. public IP on router and anything else..
05-29-2012 01:02 PM
Hello Jatinder,
Sorry to hear that you have some issues trying to post this.
Ok, first thing: we are going to do a L2L so the tunnel will be between the devices behind both routers!
Yes, you will need to have a public IP address here as this will be the peer IP address configured on the other side!
The No_Nat configuration will look like this:
ip access-list e NAT
deny ip host 10.10.11.3 host 172.17.24.169
permit ip any any
This is the ACL being used for the NAT!
Hope this helps.
Regards,
Rate all the posts that help!
05-29-2012 01:07 PM
thanks Julio for the quick reply.. though you guys are already sleeping .. anyways the config which I posted above, does it make any sense..
and that means .. I configure the public IP on the router and remove the NAT which is there from the 11.3 IP .. so my peer will become the WAN interface/IP of the router...
secondly can you please advise how I can protect against attacks as I know there will be loads of attacks once I give a public IP on an interface, or in my case I will be giving it to a loopback, hope this will not be an issue...
what is the best practice to protect a public IP on a router...?
I am using CCP to config the VPN .. anything from you to add here
any idea about the IP 172.30.7.194 which is coming in my config without me giving it .. what exactly is this
05-29-2012 02:04 PM
Hello,
That 172.30.7.194 has to be a peer for a L2L connection!
To protect your public IP on your router you can use different mechanisms (ACL, control plane protection, management plane protection, uRPF, etc). There are so many ways you can protect against these attacks, so do not worry about that.
First let's make the VPN tunnel go up, then you can open another question on the security team and I would be more than glad to help.
Regards,
05-30-2012 12:54 AM
thanks Julio.
sorry I'm asking the same question again .. do I need two public IPs .. as when I am giving the peer IP on a loopback and trying to connect ... I am getting some errors... on routing...
when I am doing the NAT of the internal machine to the public IP ... then my tunnel fails .. really I'm not able to understand what I'm missing .. do I need to have a public IP on the physical interface .. and my internal machine also .. or only on the router... I followed this but am not getting it ..
please advise.
http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/
my router is an 861 .. vlan 1 IP .. 10.10.11.1 gateway for 10.10.11.3 which is my internal machine ...
I have one default route... which points to the ISP gateway .. which is a private IP...
I am doing NAT of the 11.3 IP to a public IP ..
please see the screenshot if this gives any idea
05-30-2012 05:17 AM
Good day,
As I understood it, the router that you configured the VPN on is not facing the internet and you have another device facing the internet and you did a static NAT on it to redirect the public IP to your VPN router interface.
- why don't you configure NAT on your VPN router??
As I saw from the show run of your VPN router there is a missing config.
My advice is to configure NAT on this router then create a route map to exclude your internal traffic on both sides.
Let me know if you have points that I didn't understand.
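The following site A configuration is a constructed illustration, added here and not posted by any participant, that combines the no_nat ACL from Julio's reply with the route-map exclusion suggested in the last reply, and restricts the crypto ACL to RDP as discussed earlier. It assumes, with placeholder values not taken from the thread, that the 861's WAN port is FastEthernet4 carrying public address 203.0.113.10, that the ISP gateway is 203.0.113.1 and that site B's peer address is 198.51.100.20.

```cisco
! Constructed example for site A (the 861 in the thread): VLAN 1 is 10.10.11.0/24,
! protected host 10.10.11.3, remote host 172.17.24.169 behind site B.
! Assumed, not from the thread: WAN port FastEthernet4 with public address
! 203.0.113.10, ISP gateway 203.0.113.1, site B peer 198.51.100.20.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.20
!
! ESP only: the posted set also had ah-sha-hmac, and AH cannot cross a NAT
! device because it authenticates the outer IP header that NAT rewrites.
crypto ipsec transform-set CLIENT_Transformation esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL limited to RDP on the local host (site B connects in);
! site B's crypto ACL must be the exact mirror of this line.
ip access-list extended SDM_1
 permit tcp host 10.10.11.3 eq 3389 host 172.17.24.169
!
! NAT exemption: inside-to-outside NAT runs before the crypto map, so a
! packet for 172.17.24.169 that gets translated no longer matches SDM_1.
! The deny keeps that flow out of NAT; everything else is still PATed.
ip access-list extended NAT
 deny   ip host 10.10.11.3 host 172.17.24.169
 permit ip 10.10.11.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT
ip nat inside source route-map NONAT interface FastEthernet4 overload
! A separate 1:1 static NAT for 10.10.11.3 would still translate this flow:
! remove it, or attach "route-map NONAT" to that static statement.
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set CLIENT_Transformation
 match address SDM_1
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place, "show crypto isakmp sa" and "show crypto ipsec sa" on the 861 show whether phase 1 and phase 2 come up once 172.17.24.169 opens an RDP session to 10.10.11.3; the WAN hardening Julio lists (ACL, CoPP, MPP, uRPF) is configured separately.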