05-31-2010 01:29 PM
I would like to set up a Site-To-Site VPN using Cisco 871 models on both ends but am having a hard time configuring it. Can anyone tell me how to do this, or point me to any link that can help me set it up as soon as possible?
I can learn this, but it is the timing that prohibits me from making it work. The other end is already configured to provide Internet access to all users.
05-31-2010 07:38 PM
Tom,
########################################################################################
Router 1 VPN config:
Internal = 10.0.0.0/24
Public = 196.1.161.65
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 102 interface (check the outside interface's name) overload
crypto isakmp policy 10
encryption 3des
hash sha
group 2
crypto isakmp key cisco123 address 196.1.161.66
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.66
set transform-set myset
match address 101
interface (check the inside interface's name)
ip nat inside
interface (check the outside interface's name)
ip nat outside
crypto map mymap
########################################################################################
Router 2 VPN config:
Internal = 10.193.12.0/22
Public = 196.1.161.66
access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any
ip nat inside source list 102 interface fast4 overload
crypto isakmp policy 10
encryption 3des
hash sha
group 2
crypto isakmp key cisco123 address 196.1.161.65
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer 196.1.161.65
set transform-set myset
match address 101
interface vlan1
ip nat inside
interface fast4
ip nat outside
crypto map mymap
########################################################################################
The above is a configuration example.
It is always recommended to change the pre-shared-key to something else.
Federico.
06-02-2010 11:07 AM
Tom,
You want to be able to RDP to 10.193.12.17 from the other side?
If the tunnel is not configured yet, then an easy way to do this is to configure a port redirection for port 3389 on the router.
On the 196.1.65.54 Cisco router
ip nat inside source static tcp 10.193.12.17 3389 196.1.65.54 3389
In this way, when you connect via RDP to the router (196.1.65.54), the router will redirect this connection to the internal RDP server (10.193.12.17).
Is this what you're looking for?
Federico.
05-31-2010 01:35 PM
Hi Tom,
Definitely you can configure a Site-to-Site VPN between two 871s (assuming that both routers are running a crypto image).
You can do it via CLI, but if you have SDM on the routers, it's easier (I believe that you can follow the VPN wizard).
Federico.
05-31-2010 01:46 PM
Thanks for the quick response.
Yes, I am aware that it can be done and I am up for the challenge, but the urgency of the work is what is important now, and I don't want to mess up the currently running router used as a gateway at the other end.
I have done it with other brands, but this is new to me and a walkthrough will be very beneficial. I am currently trying to understand how the CLI and commands work.
If you will be so kind to guide me through the steps then I will really appreciate it.
05-31-2010 01:58 PM
Tom,
Router A
access-list 177 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
encry aes
hash sha
group 2
crypto isakmp key
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer x.x.x.x --> public IP of the remote 871
set transform-set myset
match address 177
interface (internet-facing)
crypto map mymap
Important notes:
The configuration on the other router has to be a mirror of this configuration.
Make sure there isn't already an ACL 177 in the configuration.
If you're doing NAT on these routers we need additional commands.
Let me know.
Federico.
05-31-2010 02:03 PM
I think that is actually what I need, but to ensure I am not gonna mess anything up, can you tell me how to check if it is using NAT?
Thanks again for a very quick response.
05-31-2010 02:05 PM
Tom,
sh run | i ip nat
Will show you if there's NAT configuration or not.
Are both routers connected to the Internet and with public IP addresses?
Federico.
05-31-2010 02:15 PM
Yes, both routers are connected to the Internet and have separate public IP addresses.
Here is the result of the NAT check
ip nat outside
ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
05-31-2010 02:21 PM
Besides the commands that I sent you, you should add:
access-list 178 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.1.1.0 0.0.0.255 any
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload
Notes:
I am assuming that the internal LAN on this side is 10.1.1.0/24 and the remote LAN is 192.168.1.0/24
You should change those network statements to the correct addressing scheme.
Also,
I removed your current NAT statement to include an extended ACL that allows bypassing NAT.
The crypto map will be applied to Fast4
If you want, you can send me your current configuration.
Federico.
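An added consistency check, not part of the thread: a small Python script that parses the ACL and "set peer" lines of both routers and verifies what Federico's two posts above require, that the crypto ACLs are mirror images of each other, that each NAT ACL denies exactly the traffic the crypto ACL permits (so tunnel traffic bypasses the overload NAT), and that each "set peer" names the other router's public IP. The sample lines use the thread's own addresses; the public IPs are passed in as arguments and the ACL numbers 101/102 are assumed defaults.

```python
import ipaddress
import re
# Constructed sample: the ACL and "set peer" lines of the thread's two-router
# example, addresses as posted (LANs 10.0.0.0/24 and 10.193.12.0/22).
ROUTER1 = """access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
set peer 196.1.161.66"""
ROUTER2 = """access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any
set peer 196.1.161.65"""
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$")

def to_net(field):
    """'10.193.12.0 0.0.3.255' or 'any' -> ip_network; an IOS wildcard is the inverted mask."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = field.split()
    w = int(ipaddress.IPv4Address(wildcard))  # 0.0.3.255 -> 1023 -> 10 host bits -> /22
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse(cfg):
    """Return ({acl_number: [(action, src_net, dst_net)]}, peer address)."""
    acls, peer = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = ACL_RE.match(line)
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(num, []).append((action, to_net(src), to_net(dst)))
        elif line.startswith("set peer "):
            peer = line.split()[2]
    return acls, peer

def check_pair(cfg_a, cfg_b, public_a, public_b, crypto="101", nat="102"):
    """List mismatches between the two sides; an empty list means they mirror."""
    (acl_a, peer_a), (acl_b, peer_b) = parse(cfg_a), parse(cfg_b)
    problems = []
    # Side A's crypto ACL must equal side B's with source and destination swapped.
    if acl_a.get(crypto, []) != [(a, d, s) for a, s, d in acl_b.get(crypto, [])]:
        problems.append("crypto ACLs are not mirror images")
    # The NAT ACL must deny exactly what the crypto ACL permits: tunnel traffic
    # then bypasses overload NAT and only Internet-bound traffic is translated.
    for side, acl in (("A", acl_a), ("B", acl_b)):
        interesting = {(s, d) for a, s, d in acl.get(crypto, []) if a == "permit"}
        exempt = {(s, d) for a, s, d in acl.get(nat, []) if a == "deny"}
        if interesting != exempt:
            problems.append(f"side {side}: NAT ACL {nat} does not exempt crypto ACL {crypto}")
    if peer_a != public_b or peer_b != public_a:  # each side must point at the other
        problems.append("set peer does not match the remote public IP")
    return problems
```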
05-31-2010 02:31 PM
Sure. Can you tell me how can I grab the current configuration and send it to you?
Sorry, I was just caught in a big mess that I need to make work.
05-31-2010 02:34 PM
The easiest way is to do a ''sh run'' on the CLI and copy/paste the output into Notepad (make sure it is the entire output; press the space bar until you get the router prompt again).
Federico.
05-31-2010 02:43 PM
Here is the configuration of the router... the other router we can do whatever we want with; it does not contain anything.
What I want to do is have a Site-To-Site VPN that will allow both ends to communicate with their assigned IPs.
Allow router configuration from the Internet, because I need to manage it remotely once configured. Those routers will be located on separate islands.
Allow DNS to flow out/forward queries coming from 10.193.12.100
Allow DNS to flow out/forward queries from 10.193.12.101
Allow 10.193.12.198 unlimited access to the Internet
User Access Verification
Password:
Server02#show run
Building configuration...
Current configuration : 4316 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$NKNq$1KTpsasdfsfdsSERFsfdseSe5.
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2276149109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2276149109
revocation-check none
rsakeypair TP-self-signed-2276149109
!
!
crypto pki certificate chain TP-self-signed-2276149109
certificate self-signed 01
quit
ip cef
!
!
!
!
no ip domain lookup
ip domain name thecarenage.com
ip name-server 205.214.192.201
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$RJej$kJiDpmp6aslksdjfsdjUHHkhss.
username admin privilege 15 secret 5 $1$wsdfHyus7Hfdlsknd&jjlewU7snfnwG,
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 196.1.161.102 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.193.12.73 255.255.252.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
network 10.0.0.0
network 196.1.161.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.1.161.97
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended test
permit tcp host 10.193.15.169 host 196.1.161.97
permit ip host 10.193.15.169 host 196.1.161.97
permit tcp host 10.193.12.100 host 196.1.161.97
!
access-list 1 permit 10.193.15.198
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
scheduler max-task-time 5000
end
05-31-2010 03:09 PM
access-list 177 permit ip 10.193.12.0 0.0.3.255 192.168.1.0 0.0.0.255 --> change for remote LAN
access-list 178 deny ip 10.193.12.0 0.0.3.255 192.168.1.0 0.0.0.255
access-list 178 permit ip 10.193.12.0 0.0.3.255 any
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 178 interface FastEthernet4 overload
crypto isakmp policy 10
encry aes
hash sha
group 2
crypto isakmp key
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer x.x.x.x --> public IP of the remote 871
set transform-set myset
match address 177
interface fast4
crypto map mymap
This is for the VPN configuration.
Federico.
05-31-2010 04:16 PM
Thanks Federico.
Here's what to do specifically.
LAN (10.0.0.0/24) --> Router1 (196.1.161.65) <------------Internet VPN------------------->Router2(196.1.161.66) <-------- LAN (10.193.12.0/22)
So if you can tell me the configuration of each then I will really appreciate it.
Router1 VPN config
blah
blah
blah
Router2 VPN Config (I'm assuming the previous configuration you sent is for this one? This is the router that I don't want to lose any current configuration on.)
blah
blah
blah
Thank you for your help and really appreciate the support.
06-01-2010 01:33 PM
Thanks a lot Federico.
I will try to configure tomorrow and I'm sure it will work.