
New VPN to cooperation company via HUB 1

Status
Not open for further replies.

ngtri

Programmer
Dec 7, 2004
Hello

My company has 5 Cisco routers:
2 Cisco 2901 at the main offices, called HUB1 and HUB2, running in redundancy, and all traffic goes via HUB1
3 Cisco 881 at the branch offices, with VPN to HUB1 and HUB2

My company now cooperates with another company, and all clients from the main and branch offices must have VPN to the cooperation company via HUB1.

The VPN between the main and branch offices is working, but not the VPN to the cooperation company via HUB1.
Hope someone can help. Thanks


I got information about the VPN, IPsec, protocol... from the cooperation company:
------------------------------------------------------------------------------------
Network Parameters
Public IP (not RFC1918)
8.9.16.24

Key Exchange:IKE
IKE Lifetime (Phase 1)
28800 seconds
IPSEC Lifetime (Phase 2)
3600 seconds

Phase I
Exchange Mode Main
Encryption AES 256
Hash SHA1
Key Group Diffie-Hellman
Group 2
Pre-Shared Key
key key
Phase II
Encryption 3DES
Hash SHA1
Key Group Diffie-Hellman
Group 2
Protocol Type ESP
Exchange Mode Tunnel
PFS Not Supported / inactive

Encryption Domains 161.27.56.86 and 161.27.57.86
10.30.57.0/24

Firewall rules
DCS connection
DNS Name            IP Address        TCPIP-Port
pro1.test.test.net  16.27.56.86/32    10572
pro2test.test.net   161.27.57.86/32   10572
-------------------------------------------------------------------------------------------------------------------

Below is the Cisco 2901 config at HUB1 with the VPN to the cooperation company. The VPN to the cooperation company is not working:
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 100.0.0.1 100.0.0.100 ## HUB1 and HUB2 use the same subnet
ip dhcp excluded-address 100.0.2.0 100.0.3.253
!
ip dhcp pool MY_Company
network 100.1.0.0 255.255.252.0
default-router 100.1.3.254
dns-server 100.1.0.10 100.0.2.10
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 100.0.0.10
!
multilink bundle-name authenticated
!
!
!

!
!
username **** password *******
!
redundancy
!
!
!
track 1 interface GigabitEthernet0/0 line-protocol
!
class-map type inspect match-any inside-outside-cmap
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any outside-inside-cmap
match access-group 110
!
!
policy-map type inspect inside-outside-pmap
class type inspect inside-outside-cmap
inspect
class class-default
drop
policy-map type inspect outside-inside-pmap
class type inspect outside-inside-cmap
inspect
class class-default
drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-pmap
zone-pair security outside-inside source outside destination inside
service-policy type inspect outside-inside-pmap
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ****** address 8.9.16.24 ## Public IP at the cooperation company
crypto isakmp key ****** address 0.0.0.0 0.0.0.0 ## VPN for the main and branch offices
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set VPN_TEST esp-3des esp-sha-hmac ## the cooperation company
!
crypto ipsec profile My_Company
set security-association lifetime seconds 900
set transform-set strong
!
crypto ipsec profile other_company_ipsec ## the cooperation company
set transform-set VPN_Other_Company
!
!
crypto map VPN_MAP 20 ipsec-isakmp ## the cooperation company
set peer 8.9.16.24
set transform-set VPN_TEST
match address VPN-other_company-interesting
reverse-route
!
!
!
!
!
interface Tunnel0
description Schwgt15
ip address 192.168.10.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nat inside
ip nhrp authentication key
ip nhrp map multicast dynamic
ip nhrp map 192.168.10.3 8.21.5.15
ip nhrp map multicast 8.21.5.15
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 192.168.10.3
ip virtual-reassembly
zone-member security inside
no ip route-cache cef
no ip split-horizon
ip ospf network broadcast
ip ospf priority 255
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile My_Company
!
!
interface GigabitEthernet0/0
description ***Outside***
ip address 19.20.9.9 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
crypto map VPN_MAP ## the cooperation company
!
!
interface GigabitEthernet0/1
description ***Inside***$ES_LAN$
ip address 100.0.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly
zone-member security inside
duplex auto
speed auto
standby 1 ip 100.0.3.254
standby 1 preempt
standby 1 track 1 decrement 95
!
!
router ospf 1
router-id 192.168.10.201
log-adjacency-changes
area 1 stub no-summary
redistribute static
network 100.0.0.0 0.0.3.255 area 1
network 192.168.10.0 0.0.0.255 area 1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
## the cooperation company
ip nat pool other_company_pool 10.30.57.1 10.30.57.254 netmask 255.255.255.0
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
ip nat inside source list ACL-POLICY-NAT pool other_company_pool overload
ip route 0.0.0.0 0.0.0.0 8.9.16.24

ip route 0.0.0.0 0.0.0.0 19.20.9.8


!## the cooperation company
ip access-list extended ACL-NAT
deny ip 100.0.0.0 0.255.255.255 10.30.57.0 0.0.0.255
permit ip 100.0.0.0 0.255.255.255 any
ip access-list extended ACL-POLICY-NAT
permit ip 100.0.0.0 0.255.255.255 10.30.49.57 0.0.0.255
ip access-list extended VPN-other_company-interesting
permit ip 100.10.0.0 0.255.255.255 10.30.49.57 0.0.0.255
deny ip 100.0.0.0 0.255.255.255 any

!
access-list 23 permit 100.0.0.0 0.255.255.255
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 101 permit ip 100.0.0.0 0.0.1.255 any
access-list 110 permit tcp host 19.20.9.9 any eq www
!
-----------------------------------------------------------------

Regards

Tri
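As an added example (not code from the thread, and not a Cisco tool): a small Python checker that compares the partner's parameter sheet above with the crypto lines of the posted HUB1 config, so a mismatch in phase 1, phase 2 or the crypto ACL is found before looking at routing or NAT. The config excerpt is a constructed subset of the post; it assumes the classic IOS isakmp policy defaults (des/sha/group 1/86400) for unset attributes and only parses the address/wildcard form of ACL entries.

```python
import ipaddress
# Constructed excerpt of the HUB1 crypto lines as posted (not the complete config).
HUB1_CRYPTO = """
crypto isakmp policy 20
encr aes 256
group 2
lifetime 28800
crypto ipsec transform-set VPN_TEST esp-3des esp-sha-hmac
crypto map VPN_MAP 20 ipsec-isakmp
set transform-set VPN_TEST
match address VPN-other_company-interesting
ip access-list extended VPN-other_company-interesting
permit ip 100.10.0.0 0.255.255.255 10.30.49.57 0.0.0.255
"""
# The partner's sheet in IOS vocabulary ("sha" is SHA1; tunnel mode and no PFS are IOS defaults).
PARTNER_P1 = {"encr": "aes 256", "hash": "sha", "group": "2", "lifetime": "28800"}
PARTNER_P2 = {"esp-3des", "esp-sha-hmac"}
PARTNER_LOCAL = ipaddress.ip_network("10.30.57.0/24")   # our encryption domain (after NAT)
PARTNER_REMOTE = ["161.27.56.86", "161.27.57.86"]       # their encryption-domain hosts
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}  # unset attrs

def acl_net(addr, wild):  # IOS address + wildcard mask -> network (addr/wildcard form only)
    pfx = "32" if wild == "0.0.0.0" else wild   # ipaddress would read a 0.0.0.0 mask as /0
    return ipaddress.ip_network(f"{addr}/{pfx}", strict=False)
def parse(text):
    cfg, cur = {"pol": {}, "ts": {}, "acl": {}, "map": {}}, None
    for w in map(str.split, text.strip().splitlines()):
        if w[:3] == ["crypto", "isakmp", "policy"]: cur = cfg["pol"].setdefault(w[3], dict(IOS_DEFAULTS))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]: cfg["ts"][w[3]], cur = set(w[4:]), None
        elif w[:2] == ["crypto", "map"]: cur = cfg["map"]
        elif w[:3] == ["ip", "access-list", "extended"]: cur = cfg["acl"].setdefault(w[3], [])
        elif w[0] in ("crypto", "ip", "interface", "router"): cur = None  # other top-level stanza
        elif isinstance(cur, list) and w[:2] == ["permit", "ip"]:
            cur.append((acl_net(w[2], w[3]), acl_net(w[4], w[5])))      # (source, destination)
        elif isinstance(cur, dict) and w[0] in IOS_DEFAULTS: cur[w[0]] = " ".join(w[1:])  # policy attr
        elif isinstance(cur, dict) and w[0] in ("set", "match"): cur[w[1]] = w[2]  # crypto map line
    return cfg

def check(text):  # mismatches between the config text and the partner sheet; [] means consistent
    cfg, out = parse(text), []
    if PARTNER_P1 not in cfg["pol"].values():
        out.append("phase 1: no isakmp policy matches the partner sheet")
    ts = cfg["ts"].get(cfg["map"].get("transform-set"))
    if ts != PARTNER_P2:
        out.append(f"phase 2: crypto map transform-set {ts} does not match {PARTNER_P2}")
    acl = cfg["acl"].get(cfg["map"].get("address"), [])
    for host in map(ipaddress.ip_address, PARTNER_REMOTE):
        if not any(s.subnet_of(PARTNER_LOCAL) and host in d for s, d in acl):
            out.append(f"crypto ACL: no permit from {PARTNER_LOCAL} to host {host}")
    return out
```

Running `check(HUB1_CRYPTO)` reports that phase 1 and phase 2 agree with the sheet but that the crypto ACL permits neither 161.27.56.86 nor 161.27.57.86 as a destination for the 10.30.57.0/24 source.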
 

Could not ping 161.27.56.86 and 161.27.57.86. It means that the VPN to the cooperation company does not work.

Hope someone can help. Thanks
 
Hello
I ran the command show crypto session and the status is DOWN (to the cooperation company). Why? Please help!

Regards

Tri
 
Is this your address that connects to the cooperation company?
ip address 19.20.9.9

What is their IP address?
Can you ping it?
Where is your route to get to them?
 
Hello

Thanks for your answer

This is the cooperation company's IP: 8.9.16.24
Yes, I can ping 8.9.16.24.

Cannot ping the hosts 161.27.56.86/32 TCPIP-Port:10572 and 161.27.57.86/32 TCPIP-Port:10572

ip route 0.0.0.0 0.0.0.0 8.9.16.24 (to the cooperation company)

This is our WAN IP: ip address 19.20.9.9 and gateway: ip address 19.20.9.8

Regards

Tri
 
OK, now correct me if I'm wrong, but you should have
- your default route pointing at your WAN provider
- a specific route for your cooperation company subnet(s) pointing at your tunnel interface.

So, I would replace this one
ip route 0.0.0.0 0.0.0.0 8.9.16.24
 
Hello

Yes. I also tried to remove ip route 0.0.0.0 0.0.0.0 8.9.16.24, but it did not help.

1) Encryption Domains: 161.27.56.86 and 161.27.57.86
Do I need to make a domain route to the hosts? And how?

2) The technical support at the cooperation company told me that I just need to change the VPN against the peer, our WAN IP. Why?

3) It is necessary because the cooperation company allows only the 10.30.57.0/24 subnet as the source.
Thus, all traffic going to the cooperation company is source-NATed with this subnet:
ip nat pool other_company_pool 10.30.57.1 10.30.57.254

4) Two NATing rules:
ACL-POLICY-NAT - defines everything that goes against the cooperation subnet
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
ACL-NAT - defines traffic from 10.0.0.0/8
ip nat inside source list ACL-POLICY-NAT pool other_company_pool overload

5) Run show crypto session and VPN status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 8.9.16.24 port 500
IPSEC FLOW: permit ip 100.10.0.0 0.255.255.255 10.30.49.57 0.0.0.255
Active SAs: 0, origin: crypto map

Interface: Tunnel0 ### VPN to the branch office
Session status: UP-ACTIVE
Peer: ***.***.***.*** port 500
IKE SA: local ***.***.***.***/500 remote ***.***.***.***/500 Active
IPSEC FLOW: permit 47 host 19.20.9.9 host ***.***.***.***
Active SAs: 2, origin: crypto map

------------------------------------------------
Please help.

Regards

Tri
 
Hello

Can someone please help?
Thanks

Regards
Tri
 