10-07-2010 01:56 AM
Hi all,
I have a question regarding VPN (lan-to-lan).
My setup is following:
10.1.20.x------[PIX515e_central site VPN concentrator]---------(( ISP ))---------[LINKSYS router BEFSX41]----------[Cisco1712_branch]-------192.168.14.x
I would like to create VPN tunnel between C1712 and PIX515 (lan-to-lan), so the users from 192.168.14.x would be able to connect to servers located on central site in 10.1.20.x network.
NAT-T is manually enabled on PIX and "IPsec passthrough" is enabled on Linksys router. So what should I do now to create a VPN tunnel?
What would be the basic configuration on C1712 and PIX515e to make this work?
All other (8) branches work, but they are directly connected to internet via C1712, so without Linksys router in front of it. So, PIX is already properly configured for such setup.
I assume the setup with Linksys router does not work because of PAT.
PIX Version 6.3(4)
C1712 Version 12.4
Please advise!
Thanks a lot in advance!
10-07-2010 02:14 AM
Here is a sample configuration for LAN-to-LAN VPN tunnel between PIX and IOS router for your reference:
Hope that helps.
10-07-2010 03:14 AM
Thank you for reply.
I will look into that document.
But can Linksys router be a problem for my setup?
The problem is, that I cannot connect onto it, because it is administered by another company, so I cannot check debug info.
How can I check debugging on C1712?
I tried debug crypto ipsec, debug crypto isakmp + term mon, but nothing comes up. I also tried on console cable.
If I check show crypto session it says DOWN.
10-07-2010 03:18 AM
Assuming that you have configured the VPN portion on both the C1712 and PIX firewall, you would need to initiate the tunnel by sending interesting traffic between the subnets configured (your crypto ACL subnets), as the router will not automatically initiate the tunnel without any interesting traffic through it.
What does the output of the following show:
show cry isa sa
show cry ipsec sa
If both are blank, that means you haven't initiated/sent traffic between the 2 subnets yet.
10-07-2010 03:47 AM
They are both blank which is strange, because I tried to ping hosts on network 10.1.20.x
I have also tried to connect to 10.1.20.12:80
/edit Update
10-07-2010 04:32 AM
Can you share the configuration from both C1712 and PIX?
10-07-2010 05:23 AM
C1712 conf:
=================
Current configuration : 3176 bytes
!
! Last configuration change at 11:24:44 UTC Wed Oct 6 2010
! NVRAM config last updated at 11:34:10 UTC Wed Oct 6 2010
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 informational
enable password 7 071B201F1B5F5D
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.14.1 192.168.14.220
!
ip dhcp pool ip_pool
network 192.168.14.0 255.255.255.0
domain-name xx
dns-server 1xxxx
default-router 192.168.91.3
!
!
!
!
!
!
username ta_2651xm_gkv password 7 111D185642444F
username ibm privilege 15 password 7 044F0E151B2D4D4C
!
!
ip ssh rsa keypair-name C1712
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key taljpdc14 address xxxxx
!
!
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto map cmap_lj 1 ipsec-isakmp
description tunnel to ljubljana
set peer xxxxx
set security-association lifetime seconds 28800
set transform-set esp-3des-md5
set pfs group2
match address 100
!
!
!
interface Loopback0
ip address 172.31.0.30 255.255.255.255
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description to ADSL modem
ip address 192.168.91.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map cmap_lj
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
no ip address
!
interface Dialer1
no ip address
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.91.2
!
ip http server
no ip http secure-server
ip nat inside source list 6 interface FastEthernet0 overload
!
ip access-list extended adsl_in
permit ip host xxxxxx any
permit ip any any
!
access-list 1 remark ta_lj_pdc_lan
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 6 permit 192.168.14.0 0.0.0.255
access-list 50 permit 10.1.20.0 0.0.0.255
access-list 50 permit 192.168.91.0 0.0.0.255
access-list 100 remark IPSec rule - crypto map
access-list 100 permit ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark NAT rule - exempted
access-list 101 deny ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 172.29.1.0 0.0.0.255
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
route-map nat_rmap permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 50 in
exec-timeout 60 0
password 7 051F075C741A0A
login
!
ntp clock-period 17180093
ntp server xxxxxx source FastEthernet0
end
10-07-2010 11:24 PM
This line is incorrect on the router configuration:
ip nat inside source list 6 interface FastEthernet0 overload
Please remove it and change it to:
ip nat inside source list 101 interface FastEthernet0 overload
Hope that resolves the issue.
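An added example (not from the thread, and not Cisco code) of why the accepted answer works. On IOS, inside-to-outside traffic is translated by NAT before the crypto map on the outside interface is consulted, so a flow that the NAT ACL permits leaves the router PATed to the FastEthernet0 address and no longer matches the crypto ACL; the tunnel is never triggered. The script below parses a constructed excerpt modelled on the posted router config (ACL numbers 6, 100 and 101 and the subnets are taken from the thread; everything else is trimmed), evaluates each crypto-ACL flow against the NAT ACL with IOS first-match semantics, and reports the flows that would be translated. It assumes contiguous wildcard masks and only the standard/extended ACL forms that appear in the posted config.

```python
import ipaddress
import re

# Constructed config excerpt modelled on the branch router (C1712) config posted in
# the thread, trimmed to the lines the NAT/crypto interaction depends on. The
# "ip nat inside source list 6" line is the one the accepted answer replaces.
CONFIG_BEFORE = """\
crypto map cmap_lj 1 ipsec-isakmp
 match address 100
interface FastEthernet0
 ip nat outside
 crypto map cmap_lj
ip nat inside source list 6 interface FastEthernet0 overload
access-list 6 permit 192.168.14.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 172.29.1.0 0.0.0.255
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
"""

# Same excerpt with the fix from the accepted answer applied.
CONFIG_AFTER = CONFIG_BEFORE.replace("source list 6 ", "source list 101 ")

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits are the inverse of the netmask (contiguous masks assumed).
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", line.strip())
        if not m:
            continue
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if number < 100:
            # Standard ACL: source only; a bare address implies wildcard 0.0.0.0.
            src, _ = _net(rest + ["0.0.0.0"] if len(rest) == 1 else rest)
            dst = ANY
        else:
            # Extended ACL: "<proto> <src> <dst>"; only the addresses matter here.
            src, rest = _net(rest[1:])
            dst, _ = _net(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_action(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def nat_and_crypto_acl_numbers(config):
    """ACL numbers referenced by the NAT overload line and the crypto map."""
    nat = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    crypto = re.search(r"^\s*match address (\d+)", config, re.M)
    return int(nat.group(1)), int(crypto.group(1))


def check_nat_exemption(config):
    """Return the crypto-ACL flows that the NAT ACL would also translate.

    Such a flow is PATed to the outside address before the crypto map sees it,
    so it never matches the crypto ACL and is sent to the ISP unencrypted.
    """
    acls = parse_acls(config)
    nat_num, crypto_num = nat_and_crypto_acl_numbers(config)
    findings = []
    for action, src_net, dst_net in acls[crypto_num]:
        if action != "permit":
            continue
        # Probe with one host per side; enough for the /24-aligned ACLs in the thread.
        src = src_net[0] if src_net.prefixlen == 32 else src_net[1]
        dst = dst_net[0] if dst_net.prefixlen == 32 else dst_net[1]
        if acl_action(acls[nat_num], src, dst) == "permit":
            findings.append(f"{src_net} -> {dst_net} is translated by ACL {nat_num}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_nat_exemption(cfg) or ["ok: VPN subnets are exempt from NAT"])
```

With the original "list 6" line both crypto-ACL flows are reported, because ACL 6 permits every 192.168.14.0/24 source regardless of destination; with "list 101" the deny entries for 10.1.20.0/24 and 192.168.1.0/24 are hit first and nothing is reported, which is exactly the NAT exemption the "NAT rule - exempted" remark in the posted config intended.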
10-11-2010 01:26 AM
Hi,
I tried your solution, but did not work...
Any other suggestions?
Thank you!
10-11-2010 02:37 AM
How did you test it? Can you please try to ping the router vlan 1 ip address from a host behind PIX? Please advise what ip address you are trying to ping to and from.
Also share the output of:
show cry isa sa
show cry ipsec sa
from the router.
10-11-2010 04:30 AM
I am trying to ping 10.1.20.12. This is the web server behind PIX. I tried to connect to port 80 via browser.
I will share those files as soon as I get them.
/edit
Also, I cannot ping from router behind PIX, because I do not have access.
10-13-2010 05:11 AM
Hi,
here is the output:
ta_lj_pdc#show crypto ipsec sa
interface: FastEthernet0
Crypto map tag: cmap_lj, local addr 192.168.91.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
current_peer 1xx.1xx.xxx.xx8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.91.3, remote crypto endpt.: 1xx.189.xxx.x8
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 1xx.xxx.xxx.xx8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.91.3, remote crypto endpt.: 19x.1xx.1xx.x8
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
=====================================
ta_lj_pdc#show crypto isakmp sa
dst src state conn-id slot status
10-14-2010 03:37 AM
Got it working now!! :-)
I forgot to ping to remote server from VLAN1 interface to initiate tunnel.
Tunnel is now up and running.
Only one more question - why are there 2 of the same tunnel?
ta_lj_pdc#show crypto isakmp sa
dst src state conn-id slot status
193.xxx.xxx.xx8 192.168.91.3 QM_IDLE 5 0 ACTIVE
193.xxx.xxx.xx8 192.168.91.3 QM_IDLE 4 0 ACTIVE
10-14-2010 04:31 AM
Excellent news.
The 2 connections for ISAKMP might be there during rekey. I won't worry about that as it doesn't really matter.