12-21-2008 11:45 AM
Hi,
I am trying to set up a site to site VPN from a remote office to a central HQ. In the central HQ, the IP is xx.60.101.154. In the remote office the IP is xx.8.140.226. I want the remote office to have an IP scheme of 192.168.3.0. The VPN would tunnel traffic going to 10.1.1.0 (the scheme of the central HQ). I am working on this but was wondering if any of you could take a look at my config. To test I have to go to the office, so I want as much analysis as possible. Your help would be very very appreciated. Below is the config of the remote site router. The central site is probably fine as it was previously supporting a VPN from the remote site. Tell me if you need that config.
SR520#show running-config
Building configuration...
Current configuration : 3133 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SR520
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 xxxxxxxxxx
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp pool inside
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
ip cef
ip name-server 10.1.1.10
no ipv6 cef
multilink bundle-name authenticated
username xxx privilege 15 secret 5 xxx
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xx.60.101.154
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map companion local-address FastEthernet4
crypto map companion 1 ipsec-isakmp
set peer xx.60.101.154
set transform-set ESP-3DES-MD5
match address 111
archive
log config
hidekeys
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
zone-pair security sdm-zp-out-in source out-zone destination in-zone
zone-pair security sdm-zp-out-self source out-zone destination self
zone-pair security sdm-zp-in-out source in-zone destination out-zone
interface FastEthernet0
switchport access vlan 75
interface FastEthernet1
switchport access vlan 75
interface FastEthernet2
switchport access vlan 75
interface FastEthernet3
switchport access vlan 75
interface FastEthernet4
description $FW_OUTSIDE$
ip address xx.8.140.226 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map companion
interface Vlan1
no ip address
interface Vlan75
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.8.140.225
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 remark allow all traffic out of the router
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.8.140.224 0.0.0.7 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255
control-plane
banner login ^CSR520 Base Config - MFG 1.0 ^C
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
12-21-2008 09:07 PM
Chris,
You need to remove the below lines from the configuration:
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.3.0 0.0.0.255
Other than the above, you should be all set to test the tunnel. If you have issues bringing up the tunnel, do post the outputs of "deb cry is" and "deb cry ips", "show cry is sa" and "show cry ipsec sa" from the router.
Regards,
Arul
*Pls rate all helpful posts*
12-21-2008 02:04 PM
Chris,
Your Spoke configuration looks good except the NAT Portion.
You need to bypass NAT for the IPSEC Traffic.
Example:
access-list 130 deny ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
ip nat inside source route-map nonat interface fa4 overload
Regards,
Arul
*Pls rate all helpful posts*
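As an added illustration of the NAT point Arul makes in both replies (drop the NAT statement altogether, or keep NAT and exempt the tunnel traffic with a route-map), here is a small Python checker. It is not code from the thread or from Cisco: it parses the numbered access-list lines exactly as they appear in the running-config above, evaluates sample flows against the NAT list and the crypto ACL with IOS semantics (first match wins, implicit deny), and reports any flow the crypto map would encrypt that NAT would also translate. The host addresses in the sample flows are constructed; 203.0.113.10 is a documentation-range stand-in for an internet destination.

```python
"""Detect overlap between a Cisco IOS NAT source list and a crypto ACL.

Constructed example for the thread above, not from Cisco or the poster.
A flow that the crypto ACL selects for IPsec must NOT also be permitted by
the NAT list: it would be translated to the outside address first, fail to
match the crypto ACL after translation, and go out in the clear (or be
dropped by the far side's crypto ACL instead of decrypted).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Spec = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints
ANY: Spec = (0, 0xFFFFFFFF)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" for a standard ACL, else the configured protocol
    src: Spec
    dst: Spec


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one IOS address spec ('any', 'host A.B.C.D', 'A.B.C.D W.W.W.W')
    starting at tokens[i]; return the spec and the next unread index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    addr = _ip(tokens[i])
    # A standard ACL may omit the wildcard, which means a single host.
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (addr, _ip(tokens[i + 1])), i + 2
    return (addr, 0), i + 1


def _skip_ports(tokens: List[str], i: int) -> int:
    """Step over an optional port operator (eq/gt/lt/neq X, range A B)."""
    while i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq", "range"):
        i += 3 if tokens[i] == "range" else 2
    return i


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the entries of numbered access-list <number> in config order."""
    aces: List[Ace] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":
            continue
        action = tokens[2]
        if number <= 99 or 1300 <= number <= 1999:   # standard: source only
            src, _ = _addr(tokens, 3)
            aces.append(Ace(action, "ip", src, ANY))
        else:                                          # extended ACL
            src, i = _addr(tokens, 4)
            dst, _ = _addr(tokens, _skip_ports(tokens, i))
            aces.append(Ace(action, tokens[3], src, dst))
    return aces


def _matches(spec: Spec, ip: int) -> bool:
    addr, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; compare only the other bits.
    return ((addr ^ ip) & (~wildcard & 0xFFFFFFFF)) == 0


def lookup(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; an ACL with no match denies implicitly."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in aces:
        if _matches(ace.src, s) and _matches(ace.dst, d):
            return ace.action
    return "deny"


def nat_overlaps_tunnel(nat_aces, crypto_aces, flows):
    """Return the flows both selected for encryption and permitted for NAT.
    Assumes the NAT list is applied directly or through a single
    'route-map ... permit' sequence, so 'permit' means 'translate'."""
    return [(s, d) for s, d in flows
            if lookup(crypto_aces, s, d) == "permit"
            and lookup(nat_aces, s, d) == "permit"]


# The poster's original NAT list and crypto ACL, verbatim from the config.
ORIGINAL_NAT = """access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 remark allow all traffic out of the router"""
CRYPTO_ACL = "access-list 111 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255"
# Arul's exemption list (the route-map 'nonat' matches it).
FIXED_NAT = """access-list 130 deny ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 any"""

# Constructed sample flows: one to HQ over the tunnel, one to the internet.
FLOWS = [("192.168.3.50", "10.1.1.10"), ("192.168.3.50", "203.0.113.10")]

if __name__ == "__main__":
    crypto = parse_acl(CRYPTO_ACL, 111)
    print("overlap with list 1:", nat_overlaps_tunnel(parse_acl(ORIGINAL_NAT, 1), crypto, FLOWS))
    print("overlap with list 130:", nat_overlaps_tunnel(parse_acl(FIXED_NAT, 130), crypto, FLOWS))
```

Run as a script it reports the tunnel flow as overlapping under list 1 and nothing under list 130, while `lookup` on list 130 still returns permit for the internet-bound flow, which is exactly the split the route-map exemption is meant to produce.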
12-21-2008 04:19 PM
12-22-2008 09:59 AM
Arul,
I took care of these changes. I attached the newest config. I tried it last night without the above changes, and I was surprised I couldn't ping the gateway from the inside. I could ping the outside interface but not the gateway. I read I might need a statement:
access-list 100 permit udp any host xx.8.140.226 eq 500
access-list 100 permit esp any host xx.8.140.226
access-list 100 permit gre any host xx.8.140.226
That isn't needed to allow the tunnel in?
12-22-2008 08:12 PM
I just tried it. I attached the reports you wanted.
I tried it out and I can't ping the gateway or anything else from a computer inside the network. I can ping xx.8.140.226 but not xx.8.140.225 or anything else out of the network beyond the gateway. I get an IP fine, and can ping the router, just not through it.
Logged into the router itself, I can ping everywhere outside the network fine.
12-22-2008 08:54 PM
Oh wait. My zone pairs were messed up. I fixed them and it actually works well. The VPN tunnel is up and I can connect to the internet fine from behind it. I'm just going to spend one more day looking at the settings, then put it into production shortly. Thanks for all the help.
12-22-2008 09:34 PM
Chris,
Glad to be of help. Please do update the forum on the results from your prod deployment.
Regards,
Arul
01-04-2009 03:36 PM
Hi,
I installed the remote site router and the VPN seems to work well. I did have to add DNS to the DHCP, but that was easy. One thing I can't figure out though, is pinging. From the central site, I can't ping the remote site's internal IP addresses, or the remote site router itself at 192.168.3.1. From the remote site, I can ping the central site's IPs just fine.
I attached the newest config. Basically, I can't ping from the central site into the remote site, or even ping the remote site's public IP from the internet. I think this might have to do with the firewall but I'm not sure, it could be NAT. If you know what is wrong please let me know. I started a new post in the Security section: