Posted by on June 23, 2006, 1:43 pm
Good afternoon,
My company is having some issues deploying a site-to-site VPN. It's
been a rather tricky configuration, as we're connecting to a stock
exchange, and they expect the IPs to be in a 10.74.74.0/24 address
range, and our systems are actually in the 192.168.254.0/24 range. So, we
need to NAT our addresses to the 10.74.74.0/24 range on the router and
then send them across the network. This seems simple, at least in
concept. I'm a CCNA, have had a good deal of experience working with
client-to-site VPNs and a lot of router/switch configuration. Is this
something that I should know, or (as I believe) is this something
at the CCSP/CCNP level, due to its complexity? Guess that's a
judgement call.
Regardless, if someone could help point me in the right direction, I'd
greatly appreciate it. You'd be my best friend, at least for some
period of time. :)
- John C. Young
jcy@nevermind.org
Seems simple enough:
cisco-1841-01#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.74.74.74        192.168.254.254    ---                ---
cisco-1841-01#
Here are the contents of a 'sh run', followed by the info on the VPN
tunnel (IPsec and ISAKMP are both up, yet Tunnel0 remains down, as
shown by the interface output).
Current configuration : 3138 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-1841-01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name greenlinetech.com
ip multicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username jyoung privilege 15 secret 5 $1$Ot0B$uIumFEaZYFnZZzxNYS9D4/
username gschuetz privilege 15 secret 5 $1$HnQY$hi./nAA/8ZWpedcl3e2o7/
username sysadmin privilege 15 secret 5 $1$GdJO$IeI8BBpxK8kYusxsMzPQQ.
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXX address THEIROUTSIDEIP
!
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
set peer THEIROUTSIDEIP
set transform-set cmevpn
match address 100
!
!
!
!
interface Tunnel0
description CME Tunnel
ip address 10.74.2.1 255.255.255.252
ip pim sparse-mode
tunnel source 10.74.0.74
tunnel destination 10.74.254.1
!
interface Loopback0
ip address 10.74.0.74 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
description Inside Interface
ip address 192.168.254.254 255.255.255.0
ip pim sparse-mode
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Outside Interface
ip address OUROUTSIDEIP 255.255.255.240
ip access-group 199 in
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
crypto map cmevpn
!
ip classless
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim rp-address 10.71.0.5
ip mroute 10.71.0.0 255.255.255.0 Tunnel0
ip nat pool cmevpn 10.74.74.74 10.74.74.74 netmask 255.255.255.0
ip nat inside source static network 192.168.254.254 10.74.74.74 /32
ip nat outside source list cmevpn pool test
!
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.56.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 permit gre host 10.74.0.74 host 10.74.254.1
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 199 permit ip 10.1.16.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit ip 10.1.56.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit ip 10.1.63.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre host 10.74.254.1 host 10.74.0.74
!
route-map cmevpn permit 100
match ip address 100
!
route-map cmevpn permit 199
match ip address 199
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
The show interfaces:
cisco-1841-01#sh int
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is 0017.e02e.3ba4 (bia 0017.e02e.3ba4)
Description: Inside Interface
Internet address is 192.168.254.254/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 7000 bits/sec, 7 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
729009 packets input, 85469439 bytes
Received 644978 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
90543 packets output, 6766004 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 0017.e02e.3ba5 (bia 0017.e02e.3ba5)
Description: Outside Interface
Internet address is OUROUTSIDEIP
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
13480 packets input, 2711209 bytes
Received 4744 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
10303 packets output, 1094122 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
Hardware is NVI
MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 10.74.0.74/32
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Last input 15:57:08, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
8 packets output, 564 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Tunnel0 is up, line protocol is down
Hardware is Tunnel
Description: CME Tunnel
Internet address is 10.74.2.1/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.74.0.74, destination 10.74.254.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
The VPN Tunnel appears to be up:
cisco-1841-01#sh crypto isakmp sa
dst src state conn-id slot status
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_SA_SETUP 222 0 ACTIVE
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_NO_STATE 221 0 ACTIVE (deleted)
cisco-1841-01#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: cmevpn, local addr OUROUTSIDEIPHERE
protected vrf: (none)
local ident (addr/mask/prot/port): (10.74.0.74/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.74.254.1/255.255.255.255/47/0)
current_peer CONNECTINGIPHERE port 500
PERMIT, flags=
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer THEIRIPHERE port 500
PERMIT, flags=
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.16.0/255.255.255.0/0/0)
current_peer THEIRIPHERE port 500
PERMIT, flags=
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.56.0/255.255.255.0/0/0)
current_peer THEIRIPHERE port 500
PERMIT, flags=
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.63.0/255.255.255.0/0/0)
current_peer 64.125.177.134 port 500
PERMIT, flags=
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 4.79.65.37, remote crypto endpt.: THEIRIPHERE
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
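Two checks a practitioner would run against the output above, as an added example that is not part of the original post: whether the ISAKMP SA has actually reached QM_IDLE (the MM_* states printed by `sh crypto isakmp sa` are main mode still negotiating, and no IPsec SA can be built until phase 1 completes), and whether the crypto ACL is written against pre-NAT or post-NAT addresses (IOS applies inside-to-outside NAT before it evaluates the crypto map, so the crypto ACL has to match the translated, inside-global addresses). The sample inputs are constructed from the thread's own output, with its placeholder peer names kept as-is; `audit_crypto_acl`, `parse_acl` and the rule labels they print are this example's own, not IOS commands.

```python
"""Offline checks for the IOS IPsec-with-NAT output in the post above.

Added example, not code from the original post. SAMPLE_ISAKMP_SA and
SAMPLE_ACL are constructed from the thread's own output (its placeholder
peer names are kept); audit_crypto_acl and its rule labels are this
example's own.
"""
import ipaddress
import re

# Constructed from the `sh crypto isakmp sa` output in the post.
SAMPLE_ISAKMP_SA = """\
dst src state conn-id slot status
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_SA_SETUP 222 0 ACTIVE
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_NO_STATE 221 0 ACTIVE (deleted)
"""

# Constructed from the access-list 100 / 199 lines in the posted config.
SAMPLE_ACL = """\
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.56.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 permit gre host 10.74.0.74 host 10.74.254.1
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 199 permit udp any any eq isakmp
""".splitlines()

# Only QM_IDLE means the phase-1 SA is established. MM_* (main mode) and
# AG_* (aggressive mode) states are still negotiating, so no IPsec SA can
# be built on them yet.
ISAKMP_ESTABLISHED = {"QM_IDLE"}
_SA_LINE = re.compile(r"\s*\S+\s+\S+\s+((?:MM|AG|QM)_\S+)\s+\d+")


def isakmp_states(show_isakmp_sa):
    """States of the non-deleted entries in `show crypto isakmp sa` output."""
    states = []
    for line in show_isakmp_sa.splitlines():
        m = _SA_LINE.match(line)
        if m and "(deleted)" not in line:
            states.append(m.group(1))
    return states


def isakmp_established(show_isakmp_sa):
    """True only if at least one active ISAKMP SA is in QM_IDLE."""
    return any(s in ISAKMP_ESTABLISHED for s in isakmp_states(show_isakmp_sa))


def _addr(tok, i):
    """Parse one ACL address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "address wildcard" form; ipaddress accepts a wildcard (host) mask.
    return ipaddress.ip_network((tok[i], tok[i + 1])), i + 2


def parse_acl(lines, number):
    """Return [(proto, src_net, dst_net)] for the permit entries of one ACL."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[:3] != ["access-list", str(number), "permit"]:
            continue
        src, i = _addr(tok, 4)
        dst, _ = _addr(tok, i)
        entries.append((tok[3], src, dst))
    return entries


def audit_crypto_acl(entries, inside_local):
    """Flag crypto-ACL entries that cannot work once NAT is in the path.

    IOS applies inside-to-outside NAT before it checks the crypto map, so the
    crypto ACL must match the translated (inside global) addresses. An entry
    whose source is the untranslated inside network never matches post-NAT
    traffic, and an entry whose destination is `any` offers 0.0.0.0/0 as the
    remote proxy identity, which a tightly scoped peer will reject.
    """
    inside_local = ipaddress.ip_network(inside_local)
    findings = []
    for proto, src, dst in entries:
        where = f"{proto} {src} -> {dst}"
        if src.subnet_of(inside_local):
            findings.append(f"untranslated source (NAT runs first): {where}")
        if dst.prefixlen == 0:
            findings.append(f"destination any (proxy identity 0.0.0.0/0): {where}")
    return findings


if __name__ == "__main__":
    print("phase 1 established:", isakmp_established(SAMPLE_ISAKMP_SA),
          isakmp_states(SAMPLE_ISAKMP_SA))
    for finding in audit_crypto_acl(parse_acl(SAMPLE_ACL, 100), "192.168.254.0/24"):
        print(finding)
```

Run against the constructed sample, the script reports that phase 1 is not established (only MM_SA_SETUP is active) and flags the one crypto-ACL entry that is written against the untranslated 192.168.254.0/24 network with a destination of `any`; the three 10.74.74.0/24 entries and the GRE host entry pass. The GRE/IPsec layering, the tunnel route and the NAT pool statements are outside what this check looks at.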
Posted by Walter Roberson on June 23, 2006, 4:07 pm
>My company is having some issues deploying a site to site VPN. It's
>been a rather tricky configuration, as we're connecting to a stock
>exchange, and they expect the IP's to be in a 10.74.74.0/24 address
>range, and our systems are actually 192.168.254.0/24 range. So, we
>need to NAT our addresses to the 10.74.74.0/24 range on the router and
>then send them across the network. This seems simple, at least in
>concept.
I haven't configured something like that on IOS, but I've done
it a couple of different ways with a PIX.
Before I describe or reference the techniques, some important questions:
1) What is the destination IP range that you have to address in order
to communicate with their hosts? (If it is the same 10.74.74/24
address range that they expect you to map into, then things get more
complicated.)
2) Which sides need to be able to open new connections to the other?
3) Do you need 1-to-1 address translation as you go across the link,
so that they can (for authentication or logging reasons) distinguish
your various systems? Or is it acceptable for all of your machines
to appear to them to be one IP? Or [cf. #2] do they need to be able
to directly access a small number of your machines and, as far as they
are concerned, the rest can all look like one IP?