Adeel1
Technical User
- Mar 9, 2009
Hi,
I am not a professional in routing. I have recently achieved my CCNA certification but haven't had the experience of establishing a VPN tunnel via a Cisco router.
I have configured my Cisco 1841 router with SDM and, after some unsuccessful tries, I have configured a couple of IPSec site-to-site VPNs with SDM successfully, except one.
The one which is not being configured has the following conditions:
Host IP Address: xxx.xxx.xxx.xxx
Local Subnet: xxx.xxx.xxx.xxx/32
Remote Host/IP: ppp.ppp.ppp.ppp
Remote Subnet: rrr.rrr.rrr.rrr/32
Pre-shared Key: ********
IKE Encryption: 3DES
IKE Integrity: MD5
ESP Encryption: 3DES
ESP Integrity: MD5
The problem is, the network admin from the remote site has asked us to NAT our local subnet to an IP given by them. By doing this, when the remote side receives a request from our side, it will show that the request is coming from the IP given by the remote side for NAT. I have established a static NAT for it, but still I cannot establish this VPN.
For your assistance, I am pasting my configuration here:
router#show runn
Building configuration...
Current configuration : 2081 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$3AAd$rxySWculvTeXDh1e2RXZP0
!
no aaa new-model
ip cef
!
!
!
!
ip name-server ddd.ddd.ddd.ddd
!
multilink bundle-name authenticated
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ********** address ppp.ppp.ppp.ppp
!
!
crypto ipsec transform-set Test_VPN esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toppp.ppp.ppp.ppp
set peer ppp.ppp.ppp.ppp
set transform-set Test_VPN
match address 100
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname nayatel
ppp chap password 7 070B284B471D180B1E135F
ppp pap sent-username nayatel password 7 045F020106354D40001851
crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source static xxx.xxx.xxx.xxx uuu.uuu.uuu.uuu
!
access-list 10 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host xxx.xxx.xxx.xxx host rrr.rrr.rrr.rrr
dialer-list 1 protocol ip permit
!
!
!
!
Where,
ddd.ddd.ddd.ddd = Our DNS
ppp.ppp.ppp.ppp = Remote Host
xxx.xxx.xxx.xxx = Local Subnet
rrr.rrr.rrr.rrr = Remote Subnet
uuu.uuu.uuu.uuu = The IP other side gave for NAT
Any help in this regard would be highly appreciated.
Thanks in advance,
M. Adeel Bashir
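Added example, not part of the original post: a small Python model of the IOS inside-to-outside order of operations, in which the NAT translation (`ip nat inside source static xxx uuu`) is applied before the crypto map's `match address 100` ACL is evaluated. It substitutes constructed RFC 5737 / RFC 1918 addresses for the xxx, uuu and rrr placeholders and compares ACL 100 as posted (matching the pre-NAT host) against an ACL that matches the translated address.

```python
import ipaddress

# Constructed sample addresses standing in for the placeholders in the post:
# xxx = local host, uuu = NAT address the remote side assigned, rrr = remote host.
LOCAL_HOST = ipaddress.ip_address("192.168.1.10")    # xxx.xxx.xxx.xxx
NAT_GLOBAL = ipaddress.ip_address("203.0.113.50")    # uuu.uuu.uuu.uuu
REMOTE_HOST = ipaddress.ip_address("198.51.100.20")  # rrr.rrr.rrr.rrr

# ip nat inside source static xxx.xxx.xxx.xxx uuu.uuu.uuu.uuu
STATIC_NAT = {LOCAL_HOST: NAT_GLOBAL}


def nat_inside_to_outside(src, dst):
    """Static NAT as IOS applies it on the inside->outside path.

    Only the source is rewritten; the destination is untouched."""
    return STATIC_NAT.get(src, src), dst


def crypto_acl_matches(acl, src, dst):
    """Evaluate 'permit ip host A host B' entries against one packet."""
    return any(src == a and dst == b for a, b in acl)


def tunnel_triggered(acl, src, dst):
    """IOS checks the crypto map ACL AFTER inside->outside NAT, so the ACL
    sees the translated source address, not the original host."""
    return crypto_acl_matches(acl, *nat_inside_to_outside(src, dst))


# access-list 100 permit ip host xxx host rrr (as posted): pre-NAT source
ACL_AS_POSTED = [(LOCAL_HOST, REMOTE_HOST)]
# Hypothetical corrected ACL: matches the post-NAT source the peer expects
ACL_CORRECTED = [(NAT_GLOBAL, REMOTE_HOST)]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        hit = tunnel_triggered(acl, LOCAL_HOST, REMOTE_HOST)
        print(f"ACL {name}: interesting traffic matched = {hit}")
```

With the ACL as posted the translated packet (uuu -> rrr) never matches, so IKE is never initiated for it; the remote peer's crypto ACL must likewise describe uuu, not xxx.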