06-08-2015 12:41 PM
Hi everyone and thanks again for the help.
So I have a little lab that I have set up for practice purposes.
Here is the config:
R520: 100.100.100.3 on Fast 4
vlan 75: 192.168.75.0 255.255.255.0
R520W: 100.100.100.4 on Fast 4
vlan 75: 192.168.55.0 255.255.255.0
Between them is a small router: 100.100.100.1 (my simulated internet, if I could say so.)
Using CCP I have followed the wizard to set up the site-to-site between the 2 SR520: the tunnel has been tested and is up.
The trick I am struggling with is that the data between 192.168.55.x and 192.168.75.x does not pass.
I managed to get ICMP and others to pass using the ACL.
The thing I don't understand is why data is not allowed by default from the start to pass from one network to the other.
What I am guessing is that I did something wrong from the start. If I try to ping or do other things I get this message from the console:
drop action found in policy-map with ip ident 0
Same goes from 100.100.100.3 to 192.168.55.x and from 100.100.100.4 to 192.168.75.x.
I have found that it is my firewall that blocks the data from going around, but I have done everything and allowed traffic between the 2 networks.
It is slowly starting to work as I allow ICMP and other protocols to pass through.
Is there any best practice to follow so I won't get into this trouble? Is there a way to clearly indicate from the beginning what I want to do with the site-to-site so ALL data will flow without any issue?
If you need it, I could post the config.
Thanks!
06-08-2015 07:26 PM
Hi,
Make sure you have routes between the networks.
If you're using CCP, try the testing tool under VPN->Site to Site->Edit->Test Tunnel
It should kick out an error if you're missing routes.
One thing to remember, even though it asks you during the VPN wizard to name the source and destination networks (your 192.168.55.0/24 and .75.0/24 networks) it doesn't create a route for them. You still need OSPF or EIGRP or a static route or something in there to tell your router where to send those packets. The VPN just says to itself, "oh, wait a sec, this source... this destination, I'm supposed to encrypt these packets."
Here's my running config from GNS3 on one of the routers (the 172.16 network is my loopback for connecting CCP.)
The last line about ACLs might be throwing you off. Remember, ACLs are for more than just access control. In this case, they're there to tell the VPN connection which traffic it's supposed to encrypt. They're not there to drop packets. To do that they would need to be applied to an interface, e.g. from interface config: # ip access-group 100 [in | out]
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco address 100.100.100.4
!
!
crypto ipsec transform-set IPSEC_SET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to100.100.100.4
set peer 100.100.100.4
set transform-set IPSEC_SET
match address 100
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.75.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet1/0
ip address 100.100.100.3 255.255.255.0
negotiation auto
crypto map SDM_CMAP_1
!
router ospf 1
log-adjacency-changes
network 100.100.100.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 4
network 192.168.75.0 0.0.0.255 area 1
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255
06-10-2015 06:22 AM
Alright, thanks for the quick answer, I'll crunch this and get back to you as quickly as I can.
06-10-2015 12:48 PM
Alright, I have changed the numbers a bit but it's still the same:
R1 vlan 75: 192.168.70.0 Inside
Fast 4 100.100.100.3 Outside
R2 BVI 75: 192.168.75.0 Inside
Fast 4 100.100.100.4 Outside
It seems that a VPN cannot be routed from a VLAN to a BVI interface.
I have tried to reset and factory-default the R2 to have vlan to vlan, without any success...
You told me that the VPN only allows data encryption from one point to another, but that the route should be in place first. In a way I have 2 reinforced steel doors floating around between them. Exact?
So I should first pave the way and then build my VPN, is this correct?
Any tips around the BVI problem?
ACL:
There is an ACL for the NAT and an ACL for the tunnel.
The ACL for the tunnel should allow the traffic between my 2 private address ranges.
The ACL for the NAT should deny that traffic.
Correct?
I don't understand the NAT here and find it confusing. I have tried to find some info but nothing clear and simple. I'm sure that if I allow NAT traffic my VPN won't work either, so I need to understand NAT. Any tips?
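Added example (not from either poster, and not a Cisco tool): a small Python model of how IOS evaluates the ACLs discussed in this thread on an inside-to-outside packet. It ties together the earlier reply (the crypto ACL only selects traffic for encryption, and a route to the remote LAN must exist first) and the NAT question in the last post (the NAT ACL has to deny the site-to-site traffic so the source address is not translated before the crypto map sees it). The crypto ACL is access-list 100 from the posted config; the route tables, NAT ACLs, host addresses and the simplified order of operations (route lookup, then inside NAT, then crypto map) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IOS keyword "any": base 0.0.0.0 with an all-ones wildcard (every bit ignored).
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted: a 0 bit must match, a 1 bit is ignored.
    So '192.168.75.0 0.0.0.255' matches every 192.168.75.x host."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]


def evaluate_acl(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


def has_route(routes: List[str], dst: str) -> bool:
    """The VPN wizard does not install routes: a connected, static or OSPF route
    to the remote LAN must exist or the packet never reaches the crypto map."""
    d = ipaddress.IPv4Address(dst)
    return any(d in ipaddress.IPv4Network(r) for r in routes)


def forward_inside_to_outside(src: str, dst: str, routes: List[str],
                              nat_acl: List[Ace], crypto_acl: List[Ace],
                              outside_ip: str) -> Dict[str, object]:
    """Simplified IOS inside->outside order of operations:
    routing lookup, then inside NAT, then the crypto map on the egress interface."""
    if not has_route(routes, dst):
        return {"result": "no route", "src": src, "encrypted": False}
    # In a NAT ACL, 'permit' means 'translate this flow' (overload to the outside IP).
    if evaluate_acl(nat_acl, src, dst) == "permit":
        src = outside_ip
    # In a crypto ACL, 'permit' means 'this flow belongs in the tunnel'; it drops nothing.
    encrypted = evaluate_acl(crypto_acl, src, dst) == "permit"
    return {"result": "forwarded", "src": src, "encrypted": encrypted}


# Crypto ACL as posted (access-list 100 permit ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255).
LAN75 = ("192.168.75.0", "0.0.0.255")
LAN55 = ("192.168.55.0", "0.0.0.255")
CRYPTO_ACL_100 = [Ace("permit", LAN75, LAN55)]

# Constructed NAT ACLs: with and without the exemption for site-to-site traffic.
NAT_WITH_EXEMPTION = [Ace("deny", LAN75, LAN55), Ace("permit", LAN75, ANY)]
NAT_WITHOUT_EXEMPTION = [Ace("permit", LAN75, ANY)]

# Constructed route tables (the second one lacks any route to the remote LAN).
ROUTES_OK = ["192.168.75.0/24", "100.100.100.0/24", "192.168.55.0/24", "0.0.0.0/0"]
ROUTES_MISSING_REMOTE = ["192.168.75.0/24", "100.100.100.0/24"]

OUTSIDE_IP = "100.100.100.3"  # from the posted config


if __name__ == "__main__":
    cases = [
        ("with NAT exemption", ROUTES_OK, NAT_WITH_EXEMPTION, "192.168.55.10"),
        ("without NAT exemption", ROUTES_OK, NAT_WITHOUT_EXEMPTION, "192.168.55.10"),
        ("internet-bound", ROUTES_OK, NAT_WITH_EXEMPTION, "203.0.113.9"),
        ("no route to remote LAN", ROUTES_MISSING_REMOTE, NAT_WITH_EXEMPTION, "192.168.55.10"),
    ]
    for label, routes, nat_acl, dst in cases:
        r = forward_inside_to_outside("192.168.75.10", dst, routes, nat_acl, CRYPTO_ACL_100, OUTSIDE_IP)
        print(f"{label:24s} -> {r}")
```

The second case is the failure the last post worries about: once the inside source is translated to 100.100.100.3, the packet no longer matches the crypto ACL and leaves in the clear, so the NAT ACL needs a deny for the site-to-site flow ahead of its permit.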