Cisco 2811 Configured for Site-to-Site VPN and Internet Access
  • Cisco 2811 Configured for Site-to-Site VPN and Internet Access

    I have a site-to-site VPN tunnel over the internet between a Cisco PIX 525 and a Cisco 2811 Series router. I have this router configured to allow network traffic between my HQ and my DR site. This works flawlessly.

    The issue I am facing is that since the servers at the DR site are communicating with my LAN, I cannot get them to access the internet. If I try to create any type of config which will allow internet connectivity (DNS, web browsing) from my DR servers, I lose access to them over the VPN from the HQ side.

  • #2
    Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

    What routing rules have you got set up? It may be a case of ensuring a routing rule is set up for the LAN subnet to the appropriate connection and another for all other traffic (0.0.0.0) to the internet gateway.



    • #3
      Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

      Here's the config of the 2811. I omitted IP info for the obvious reasons.



      no aaa new-model
      !
      resource policy
      !
      clock timezone Pacific -8
      clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
      !
      !
      ip cef
      !
      !
      ip name-server 205.214.51.16
      ip name-server 205.214.45.10
      ip name-server 205.214.45.100
      !
      !
      voice-card 0
      no dspfarm
      !
      !
      !
      !
      !
      !
      crypto pki trustpoint TP-self-signed-3576853475
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-3576853475
      revocation-check none
      rsakeypair TP-self-signed-3576853475
      !
      !
      username supervisor privilege 15 password 0 XXXXXXXXXX
      !
      !
      !
      crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
      !
      crypto isakmp policy 2
      encr 3des
      hash md5
      authentication pre-share
      group 2
      crypto isakmp key XXXXXXXXX address x.x.x.206
      !
      !
      crypto ipsec transform-set NIP esp-3des esp-md5-hmac
      !
      crypto map DRtoNIP 10 ipsec-isakmp
      set peer x.x.x.206
      set transform-set NIP
      match address 100
      !
      !
      !
      !
      interface FastEthernet0/0
      description Connection to the LAN$ETH-LAN$
      ip address 10.202.1.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      duplex auto
      speed auto
      no mop enabled
      !
      interface FastEthernet0/1
      description Connection to the HQ$ETH-WAN$
      ip address 208.x.x.x 255.255.255.224
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      crypto map DRtoNIP
      !
      interface Serial0/0/0
      no ip address
      shutdown
      no fair-queue
      !
      ip route 0.0.0.0 0.0.0.0 208.x.x.x
      ip route 10.200.1.0 255.255.255.128 x.x.x.205
      ip route 10.200.2.0 255.255.255.128 x.x.x.205
      ip route 10.200.3.0 255.255.255.128 x.x.x.205
      ip route 10.200.4.0 255.255.255.128 x.x.x.205
      ip route 10.200.5.0 255.255.255.128 x.x.x.205
      ip route 172.16.4.0 255.255.252.0 x.x.x.205
      ip route 172.17.4.0 255.255.252.0 x.x.x.205
      !
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip nat pool DRWEB 208.x.x.172 208.x.x.172 netmask 255.255.255.224
      ip nat pool DRTS 208.x.x.173 208.x.x.173 netmask 255.255.255.224
      ip nat inside source list 102 pool DRWEB
      ip nat inside source list 103 pool DRTS
      ip nat inside source static tcp 10.202.1.30 25 208.xxx.xx.171 25 extendable
      ip nat inside source static tcp 10.202.1.30 80 208.xxx.xxx.171 80 extendable
      ip nat inside source static tcp 10.202.1.30 443 208.xxx.xxx.171 443 extendable
      ip nat inside source static tcp 10.202.1.32 80 208.x.x.172 80 extendable
      ip nat inside source static tcp 10.202.1.32 443 208.x.x.172 443 extendable
      ip nat inside source static tcp 10.202.1.31 80 208.x.x.173 80 extendable
      ip nat inside source static tcp 10.202.1.31 443 208.x.x.173 443 extendable
      ip nat inside source static tcp 10.202.1.31 3389 208.x.x.173 3389 extendable
      !
      access-list 100 permit ip 10.202.1.0 0.0.0.255 172.16.4.0 0.0.3.255
      access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.4.0 0.0.0.127
      access-list 100 remark SDM_ACL Category=4
      access-list 100 remark IPSec Rule
      access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.1.0 0.0.0.127
      access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.2.0 0.0.0.127
      access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.3.0 0.0.0.127
      access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.5.0 0.0.0.127
      access-list 100 permit ip 10.202.1.0 0.0.0.255 172.17.4.0 0.0.3.255
      access-list 102 permit tcp host 10.202.1.32 any eq www
      access-list 102 permit tcp any host 10.202.1.32 eq www
      access-list 102 permit tcp host 10.202.1.32 any eq 443
      access-list 102 permit tcp any host 10.202.1.32 eq 443
      access-list 102 permit tcp host 10.202.1.32 any eq smtp
      access-list 103 permit udp host 10.202.1.31 any eq domain
      access-list 103 permit udp any host 10.202.1.31 eq domain
      access-list 103 permit tcp host 10.202.1.31 any eq 443
      access-list 103 permit tcp any host 10.202.1.31 eq 443
      access-list 103 permit tcp host 10.202.1.31 any eq www
      access-list 103 permit tcp any host 10.202.1.31 eq www
      access-list 103 permit udp host 10.202.1.31 any eq 3389
      access-list 103 permit udp any host 10.202.1.31 eq 3389
      !
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
      line aux 0
      line vty 0 4
      privilege level 15
      password xxxxxxxxxxxxxx
      login local
      transport input telnet ssh
      !
      scheduler allocate 20000 1000
      !
      end
      Last edited by gemack; 24th February 2009, 17:20.



      • #4
        Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

        I am basing my reply on the following understanding of your post:

        1) You have tested the defined NAT pools and they are working correctly.
        2) The two servers at DR site now have internet access using the specified public IPs configured in NAT pool using ACL's 102 and 103 via the ISP connection at DR site.
        3) Static mapping configuration is working
        4) Once you enable the NAT pools, you lose connection back to NIP via tunnel.

        If that's the case, then I "think" you may be running into a simple NAT exclusion configuration issue.

        Try this: Using ACL 100 as reference (interesting traffic for crypto map), add each line of ACL 100 to ACLs 102 and 103, but reverse the logic (deny). By doing so, the router will no longer NAT traffic to the NIP network addresses and will then send the packet to the tunnel with the same source address to be encrypted.

        Example:

        Code:
        access-list 102 remark DO NOT NAT TO INTERNET
        access-list 102 deny ip 10.202.1.0 0.0.0.255 172.16.4.0 0.0.3.255
        access-list 102 deny ip 10.202.1.0 0.0.0.255 10.200.4.0 0.0.0.127
        access-list 102 deny ip 10.202.1.0 0.0.0.255 10.200.1.0 0.0.0.127
        access-list 102 deny ip 10.202.1.0 0.0.0.255 10.200.2.0 0.0.0.127
        access-list 102 deny ip 10.202.1.0 0.0.0.255 10.200.3.0 0.0.0.127
        access-list 102 deny ip 10.202.1.0 0.0.0.255 10.200.5.0 0.0.0.127
        access-list 102 deny ip 10.202.1.0 0.0.0.255 172.17.4.0 0.0.3.255
        access-list 102 remark NAT TO INTERNET
        access-list 102 permit tcp host 10.202.1.32 any eq www
        access-list 102 permit tcp any host 10.202.1.32 eq www
        access-list 102 permit tcp host 10.202.1.32 any eq 443
        access-list 102 permit tcp any host 10.202.1.32 eq 443
        access-list 102 permit tcp host 10.202.1.32 any eq smtp
         
        access-list 103 remark DO NOT NAT TO INTERNET
        access-list 103 deny ip 10.202.1.0 0.0.0.255 172.16.4.0 0.0.3.255
        access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.4.0 0.0.0.127
        access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.1.0 0.0.0.127
        access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.2.0 0.0.0.127
        access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.3.0 0.0.0.127
        access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.5.0 0.0.0.127
        access-list 103 deny ip 10.202.1.0 0.0.0.255 172.17.4.0 0.0.3.255
        access-list 103 remark NAT TO INTERNET
        access-list 103 permit udp host 10.202.1.31 any eq domain
        access-list 103 permit udp any host 10.202.1.31 eq domain
        access-list 103 permit tcp host 10.202.1.31 any eq 443
        access-list 103 permit tcp any host 10.202.1.31 eq 443
        access-list 103 permit tcp host 10.202.1.31 any eq www
        access-list 103 permit tcp any host 10.202.1.31 eq www
        access-list 103 permit udp host 10.202.1.31 any eq 3389
        access-list 103 permit udp any host 10.202.1.31 eq 3389
        Also, the PIX configuration needs the same NAT exclusion logic (nat 0)
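An added example, not from this thread or from Cisco: a small Python checker that parses numbered extended ACL lines in the format posted above, evaluates a flow against ACL 100 and the NAT source list with IOS first-match semantics, and reports whether the NAT list would translate a flow the crypto map wants to encrypt. The sample ACL lines are taken from the thread (one HQ subnet kept); the HQ resolver 10.200.1.10, the source port and the "NAT_DENY placed after NAT_PERMIT" case are constructed, the last one to show that an exempting deny appended after a matching permit never takes effect.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53, "smtp": 25}  # port names used in the thread

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))

def _port(tok):  # consume an optional 'eq PORT'; None means any port
    if tok[:1] != ["eq"]:
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORTS.get(name) or int(name)

def parse_acl(text):
    """Yield (action, proto, src, sport, dst, dport) per extended ACL line, in order."""
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        yield (action, proto, _addr(rest), _port(rest), _addr(rest), _port(rest))

def first_match(entries, flow):
    """IOS semantics: first matching entry wins; no match is an implicit deny."""
    proto, src, sport, dst, dport = flow
    def hit(spec, ip):  # wildcard-mask match: bits set in the mask are "don't care"
        return ((_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    for action, p, s, ps, d, pd in entries:
        if (p in ("ip", proto) and hit(s, src) and hit(d, dst)
                and ps in (None, sport) and pd in (None, dport)):
            return action
    return "deny"

def natted_instead_of_encrypted(crypto_acl, nat_acl, flow):
    """True when the crypto map wants the flow but the NAT list translates it first."""
    return (first_match(parse_acl(crypto_acl), flow) == "permit"
            and first_match(parse_acl(nat_acl), flow) == "permit")

# Constructed from the ACLs posted above (one HQ subnet kept); flow = (proto, src, sport, dst, dport).
CRYPTO_ACL = "access-list 100 permit ip 10.202.1.0 0.0.0.255 10.200.1.0 0.0.0.127"
NAT_PERMIT = "access-list 103 permit udp host 10.202.1.31 any eq domain"
NAT_DENY = "access-list 103 deny ip 10.202.1.0 0.0.0.255 10.200.1.0 0.0.0.127"
TUNNEL_DNS = ("udp", "10.202.1.31", 51234, "10.200.1.10", 53)  # DR DNS server forwarding to HQ
```

Run it against the full ACL 100 and the whole NAT lists to check every remote subnet, not just the one kept here.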



        • #5
          Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

          Thanks, scowles. I will give this a try. What you are saying makes some sense to me and I hope you are right. I will let you know how these changes go.



          • #6
            Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

            scowles, the changes did not produce the desired results. Every time I use one of the allowed services over the internet I immediately lose access to the server over the VPN and the server is unable to ping other local hosts.

            I have to run "clear ip nat trans *" to clear the symptoms, which leads me to believe that I am dealing with a NAT issue.



            • #7
              Re: Cisco 2811 Configured for Site-to-Site VPN and Internet Access

              scowles, the changes did not produce the desired results.

              It did solve the issue with the allowed services (3389, 80, etc.) not affecting VPN traversal.

              I tried to add port 53 to the mix to allow DNS to and from the web, but this caused the loss of access to the server over the VPN and the server is unable to ping other local hosts.

              I entered the following in addition to your recommendations:
              !
              access-list 103 deny udp 10.202.1.31 172.17.x.0 0.0.3.254 eq domain
              access-list 103 deny udp 10.202.1.31 172.16.x.0 0.0.3.254 eq domain
              access-list 103 permit udp any host 10.202.1.31 eq domain
              access-list 103 permit udp host 10.202.1.31 any eq domain
              !
              I have to run "clear ip nat trans *" to clear the symptoms, which leads me to believe that I am dealing with a NAT issue.
              Last edited by gemack; 23rd February 2009, 18:29.
