Cisco 877 NAT and site-site VPN

Hello,

Can you NAT a site-to-site VPN?

I have a Cisco 877 which I have been using for internet access. My 
internal network 10.10.10.0/24 is hidden behind the router's static 
external IP address using NAT.

Now I am trying to set up a VPN to another company. Their firewall is 
199.99.99.99. Within their network I need to access computers in subnet 
177.77.77.0/24.

I set up the VPN using Cisco Security Device Manager (SDM). This 
changed my NAT rule to use a route-map so that the NAT and VPN would not 
conflict. This means that my internal addresses are not hidden from the 
other end of the VPN; they see 10.10.10.x as the source address.

   ip nat inside source list 1 interface Dialer0 overload
became
   ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
   route-map SDM_RMAP_1 permit 1
     match ip address 103
   access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
   access-list 103 permit ip 10.10.10.0 0.0.0.255 any

However the other company cannot route my 10.10.10.x address within 
their internal networks because it conflicts with addresses they are using.

I tried deleting
   access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
in the hope that this would cause it to NAT my traffic inside the VPN 
but it didn't seem to help.

Can I amend my configuration so that my internal addresses are 
translated to something they can use? Can I reinstate NAT for the VPN 
somehow so that the other end sees my traffic as having the IP address 
of the external interface of my router?






Partial config follows

!
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key zzzzzzzzzzz address 199.99.99.99
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
  set peer 199.99.99.99
  set transform-set ESP-3DES-SHA
  match address 102
!
interface ATM0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip route-cache flow
  no atm ilmi-keepalive
  dsl operating-mode auto
!
interface ATM0.1 point-to-point
  description $ES_WAN$$FW_OUTSIDE$
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 1
  !
!
interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  ip address 10.10.10.254 255.255.255.0
  ip access-group 100 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  ip route-cache flow
  ip tcp adjust-mss 1452
!
interface Dialer0
  ip address negotiated
  ip access-group 101 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip route-cache flow
  dialer pool 1
  dialer-group 1
  no cdp enable
  ppp authentication chap callin
  ppp chap hostname xxxxxxxxxxxxx
  ppp chap password 7 xxxxxxxxxxxxxx
  crypto map SDM_CMAP_1
!
ip local pool vpn-pool 10.10.10.60 10.10.10.69
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.6 7627 interface Dialer0 3317
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.35.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit udp host 199.99.99.99 any eq non500-isakmp
access-list 101 permit udp host 199.99.99.99 any eq isakmp
access-list 101 permit esp host 199.99.99.99 any
access-list 101 permit ahp host 199.99.99.99 any
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny   ip 10.10.10.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit tcp any any eq 22
access-list 106 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
  match ip address 103
!
!
end
scobloke2 (557)
6/22/2007 1:41:28 PM
comp.dcom.sys.cisco


Ian,

As I understand it, you are NATting all of your 10.10.10.0/24 network
to the Dialer0 address.

If your IPSec tunnel source is this Dialer0 address, your NATted
address used by internal LAN should be different.

That is, you have to choose another NAT IP for your LAN.

Imagine what happens in the scenario you described. The IPSec tunnel
peer addresses are the Dialer0 interface on your side and 199.99.99.99
at the other end. If your 10.10.10.0/24 is translated to the same
address as Dialer0, 199.99.99.99 would treat any of your LAN
hosts as an IPSec peer. That's why it conflicts.

So you'll have to find an address that does not conflict with the
other company and use it as your NAT address.

Regards,
Adriano Prado

On Jun 22, 10:41 am, Ian Wilson <scoblo...@infotop.co.uk> wrote:


Adriano
6/22/2007 7:10:54 PM
Adriano Prado wrote:
> Ian,
> 
> As I understand here, you are Natting all your 10.10.10.0/24 network
> to the Dialer0 address.

Yes, Dialer0 is an ADSL interface; its IP address is a single static 
IP address allocated by my ISP.


> If your IPSec tunnel source is this Dialer0 address, your NATted
> address used by internal LAN should be different.

Does that mean I need to have *two* public static IP addresses assigned 
to my ADSL interface?

> That is, you have to choose another NAT IP for your LAN.

Can the LAN have one NAT IP for traffic destined for the Internet and a 
different NAT IP for traffic to 177.77.77.0 (which is routed into the 
VPN tunnel)?

If so, could the second NAT IP be any arbitrary IP address that I and 
the other end agree on? (e.g. 192.168.99.99)

> Imagine what happens in the scenario you described. The IPSec tunnel
> peer addresses are: Dialer0 interface from your side and 199.99.99.99
> in the other end. If your 10.10.10.0/24 is translated to the same
> address as Dialer0, the 199.99.99.99 would understand any of your LAN
> host as an IPSec peer. That's why it conflicts.
> 
> So you'll have to find an address that does not conflict with the
> other company and use it as your NAT address.

Is there some Cisco documentation that I should read or does anyone have 
an example configuration that illustrates this?

Ian
6/25/2007 10:24:31 AM
Ian,

You don't need a second public IP. You can use the current public IP
provided by your ISP to connect to internet and ask this company to
provide a private address to you that does not conflict with theirs.

Here follows an example, but read more on the Cisco site (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f73.shtml):

access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
  match ip address 103
!
!
access-list 104 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 104 deny ip any any
!
route-map SDM_RMAP_2 permit 1
  match ip address 104
!
!
ip nat pool PRIVATEPOOL 192.168.99.99 192.168.99.99 netmask 255.255.255.0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 pool PRIVATEPOOL overload
!


This will NAT your LAN to Dialer0 address to access internet (ACL 103)
and ACL 104 will translate access from 10.10.10.0/25 to 177.77.77.0/24
using NATted address supplied in pool PRIVATEPOOL (192.168.99.99).

I think that it's what you're looking for...

And be aware that if you add these configs manually, SDM may not
understand them and might mess them up.

Regards,
Adriano



Adriano
6/26/2007 2:40:02 PM
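As an added illustration (not code from the thread, its posters or Cisco), the following Python models the 877's inside-to-outside order of operations, in which IOS applies NAT before it consults the crypto map, and runs the three configurations discussed above (SDM's route-map, the deleted deny, and the second pool) through the same packet. The Dialer0 address, the LAN and destination hosts, and the rewritten crypto ACL 102 for the pool address are constructed assumptions.

```python
"""Model of the Cisco 877's inside-to-outside pipeline for the three
configurations in the thread: IOS translates the packet with NAT first and
only then checks it against the crypto map's ACL."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' == 0.0.0.0 with an all-ones wildcard


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def _wild_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NETWORK WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines as written in the thread.
    Remark lines are skipped; only the 'ip' protocol is modelled."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for action, (snet, swild), (dnet, dwild) in acl:
        if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
            return action == "permit"
    return False


def outbound(src: str, dst: str, nat_rules, crypto_acl):
    """Return (source address on the wire, encrypted?) for one inside->outside packet.
    nat_rules is a list of (route-map ACL, translated address); the thread's ACLs
    are mutually exclusive, so first match is an adequate model of the NAT step."""
    translated = src
    for acl, nat_addr in nat_rules:
        if acl_permits(acl, src, dst):
            translated = nat_addr
            break
    # The crypto map sees the packet *after* NAT, so it must match the translated source.
    return translated, acl_permits(crypto_acl, translated, dst)


# Constructed placeholders: the ISP-assigned Dialer0 address and the hosts used below.
DIALER0 = "203.0.113.10"
LAN_HOST = "10.10.10.5"
REMOTE_HOST = "177.77.77.20"
INTERNET_HOST = "198.51.100.7"
POOL_ADDR = "192.168.99.99"

ACL_103_SDM = parse_acl("""
access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
""")
ACL_103_NO_DENY = parse_acl("access-list 103 permit ip 10.10.10.0 0.0.0.255 any")
ACL_104 = parse_acl("""
access-list 104 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 104 deny   ip any any
""")
CRYPTO_102 = parse_acl("access-list 102 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255")
# Assumed follow-up not shown in the thread: crypto ACL rewritten for the pool address.
CRYPTO_102_POOL = parse_acl("access-list 102 permit ip host 192.168.99.99 177.77.77.0 0.0.0.255")
POOL_RULES = [(ACL_103_SDM, DIALER0), (ACL_104, POOL_ADDR)]


def scenario_sdm():
    """SDM's route-map exempts VPN traffic from NAT, so the peer sees 10.10.10.x."""
    return outbound(LAN_HOST, REMOTE_HOST, [(ACL_103_SDM, DIALER0)], CRYPTO_102)


def scenario_deleted_deny():
    """Without the deny, VPN traffic is NATted to Dialer0, no longer matches ACL 102
    and leaves in the clear via the default route, which is why it 'didn't help'."""
    return outbound(LAN_HOST, REMOTE_HOST, [(ACL_103_NO_DENY, DIALER0)], CRYPTO_102)


def scenario_pool(crypto_acl):
    """Adriano's second rule translates VPN traffic to 192.168.99.99."""
    return outbound(LAN_HOST, REMOTE_HOST, POOL_RULES, crypto_acl)


def scenario_internet():
    """Ordinary internet traffic still uses the Dialer0 address and stays unencrypted."""
    return outbound(LAN_HOST, INTERNET_HOST, POOL_RULES, CRYPTO_102_POOL)
```

Because the crypto map sees the translated packet, crypto ACL 102 and the far end's proxy identity must be rewritten for 192.168.99.99 once the pool rule is in place; the run with the unchanged ACL 102 shows the packet otherwise bypassing the tunnel in the clear.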
Adriano Prado wrote:
> Ian,
> 
> You don't need a second public IP. You can use the current public IP
> provided by your ISP to connect to internet and ask this company to
> provide a private address to you that does not conflict with theirs.

OK.

> Here follows an example, but read more on the Cisco site (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f73.shtml):
> 
> access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
> access-list 103 permit ip 10.10.10.0 0.0.0.255 any
> !
> route-map SDM_RMAP_1 permit 1
>   match ip address 103
> !
> !
> access-list 104 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
> access-list 104 deny ip any any
> !
> route-map SDM_RMAP_2 permit 1
>   match ip address 104
> !
> !
> ip nat pool PRIVATEPOOL 192.168.99.99 192.168.99.99 netmask 255.255.255.0
> !
> ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
> ip nat inside source route-map SDM_RMAP_2 pool PRIVATEPOOL overload
> !
> 
> 
> This will NAT your LAN to Dialer0 address to access internet (ACL 103)
> and ACL 104 will translate access from 10.10.10.0/25 to 177.77.77.0/24
> using NATted address supplied in pool PRIVATEPOOL (192.168.99.99).
> 
> I think that it's what you're looking for...

Yes! Many thanks.


> 
> And be aware that if you add these configs manually, SDM may not
> understand them and might mess them up.

My method of using SDM is as follows:

   Save config to nearby TFTP server as SDM-config.1
   Use SDM to make some changes
   Save config to nearby TFTP server as SDM-config.2
   Use `diff` to find the differences
   Hand edit my heavily commented Router-config file
     (which I keep under version control)
   Use TFTP to load and test the revised config.

In this way I try to understand what SDM is doing, and avoid becoming 
dependent on SDM. To apply your suggestions I'll just skip the first 
four steps, carefully edit my Router-config, then upload and test it.

Many thanks.

-- 
Ian.



> 
> 
> On 25 jun, 07:24, Ian Wilson <scoblo...@infotop.co.uk> wrote:
> 
>>Adriano Prado wrote:
>>
>>>Ian,
>>
>>>As I understand here, you are Natting all your 10.10.10.0/24 network
>>>to the Dialer0 address.
>>
>>Yes, Dialer0 is an ADSL interface, it's IP-address is a single static
>>IP-address allocated by my ISP.
>>
>>
>>>If your IPSec tunnel source is this Dialer0 address, your NATted
>>>address used by internal LAN should be different.
>>
>>Does that mean I need to have *two* public static IP addresses assigned
>>to my ADSL interface?
>>
>>
>>>That is, you have to choose another NAT IP for your LAN.
>>
>>Can the LAN have one NAT IP for traffic destined for the Internet and a
>>different NAT IP for traffic to 177.77.77.0 (which is routed into the
>>VPN tunnel)?
>>
>>If so, could the second NAT IP be any arbitrary IP address that I and
>>the other end agree on? (e.g. 192.168.99.99)
>>
>>
>>>Imagine what happens in the scenario you described. The IPSec tunnel
>>>peer addresses are: Dialer0 interface from your side and 199.99.99.99
>>>in the other end. If your 10.10.10.0/24 is translated to the same
>>>address as Dialer0, the 199.99.99.99 would understand any of your LAN
>>>host as an IPSec peer. That's why it conflicts.
>>
>>>So you'll have to find an address that does not conflict with the
>>>other company and use it as your NAT address.
>>
>>Is there some Cisco documentation that I should read or does anyone have
>>an example configuration that illustrates this?
0
Ian
6/26/2007 4:04:35 PM
Ian Wilson wrote:
> Adriano Prado wrote:
> 
>> You don't need a second public IP. You can use the current public IP
>> provided by your ISP to connect to internet and ask this company to
>> provide a private address to you that does not conflict with theirs.
>> 
>> Here follows an example but read more in cisco site (http://
>> www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f73.shtml): 
>>
>>
>> access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
>> access-list 103 permit ip 10.10.10.0 0.0.0.255 any
>> !
>> route-map SDM_RMAP_1 permit 1
>>   match ip address 103
>> !
>> !
>> access-list 104 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
>> access-list 104 deny ip any any
>> !
>> route-map SDM_RMAP_2 permit 1
>>   match ip address 104
>> !
>> !
>> ip nat pool PRIVATEPOOL 192.168.99.99 192.168.99.99 netmask
>> 255.255.255.0
>> !
>> ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
>> ip nat inside source route-map SDM_RMAP_2 pool PRIVATEPOOL overload
>> !
>>
>>
>> This will NAT your LAN to Dialer0 address to access internet (ACL 103)
>> and ACL 104 will translate access from 10.10.10.0/25 to 177.77.77.0/24
>> using NATted address supplied in pool PRIVATEPOOL (192.168.99.99).
>>
>> I think that it's what you're looking for...
> 
> 
> Yes! Many thanks.
> 
> 

A short followup, in case future Googlers find this thread:

The above didn't work straight away. I reasoned that since the source 
address is now 192.168.99.99 instead of 10.10.10.x, I also had to add 
rules to the other access lists which determine what traffic gets 
encapsulated in the VPN.

e.g. to direct this traffic into the VPN tunnel
   access-list 102 permit ip 192.168.99.0 0.0.0.255 177.77.77.0 0.0.0.255

to exclude it from another round of NAT (for public Internet traffic)
   access-list 103 deny ip 192.168.99.0 0.0.0.255 177.77.77.0 0.0.0.255

to allow return traffic back in (list 101 sees inside the VPN tunnel?)
   access-list 101 permit ip 177.77.77.0 0.0.0.255 192.168.99.0 0.0.0.255

It's working now and I can't see a security loophole, so I'm leaving the 
configuration as it is. However I'm not sure if all these are necessary. 
Someone may like to comment.
0
Ian
7/3/2007 1:53:56 PM
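To see why the extra lines in lists 102 and 101 are needed, here is an added Python model (not from the thread) of the packet path Ian's followup implies: NAT inside->outside runs before the crypto map looks at the packet, and the decrypted reply is checked by Dialer0's inbound list 101 before NAT outside->inside restores the LAN address. The Dialer0 address 203.0.113.10 and the host 10.10.10.5 are constructed; PAT ports and the ESP/ISAKMP entries of ACL 101 are left out.

```python
"""Model of the packet path Ian's followup describes: inside->outside NAT is
applied before the crypto map is consulted, so the crypto ACL must match the
translated source, and the reply is checked by Dialer0's inbound ACL after
decryption (as Ian observed for list 101) before NAT restores the inside host.
Added example, not from the thread; PAT ports, the ESP/ISAKMP entries of
ACL 101 and rule-ordering corner cases are deliberately left out."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit means that address bit must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def ip(action, src_base, src_wc, dst_base, dst_wc):
    """One 'access-list N permit|deny ip ...' entry."""
    return (action, src_base, src_wc, dst_base, dst_wc)


def acl_permits(acl, src, dst):
    """Top-down evaluation with the implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def inside_to_outside(src, dst, nat_rules, crypto_acl, xlate):
    """The first 'ip nat inside source route-map' whose ACL permits the
    untranslated packet rewrites the source; the crypto ACL then sees the
    rewritten packet and decides whether it enters the tunnel."""
    global_src = src
    for rmap_acl, global_addr in nat_rules:
        if acl_permits(rmap_acl, src, dst):
            global_src = global_addr
            xlate[(global_addr, dst)] = src   # translation entry for the reply
            break
    return global_src, acl_permits(crypto_acl, global_src, dst)


def outside_to_inside(src, dst, inbound_acl, xlate):
    """Decrypted reply: inbound ACL first, then NAT outside->inside maps the
    pool address back to the inside host. Returns None if the ACL drops it."""
    if not acl_permits(inbound_acl, src, dst):
        return None
    return xlate.get((dst, src), dst)


# --- the thread's configuration, in the same notation ----------------------
DIALER0 = "203.0.113.10"          # constructed stand-in for the negotiated address
ACL_103 = [ip("deny", "10.10.10.0", "0.0.0.255", "177.77.77.0", "0.0.0.255"),
           ip("permit", "10.10.10.0", "0.0.0.255", *ANY)]
ACL_104 = [ip("permit", "10.10.10.0", "0.0.0.255", "177.77.77.0", "0.0.0.255"),
           ip("deny", *ANY, *ANY)]
# SDM_RMAP_1 -> interface Dialer0 overload, SDM_RMAP_2 -> pool PRIVATEPOOL
NAT_RULES = [(ACL_103, DIALER0), (ACL_104, "192.168.99.99")]

# crypto ACL 102 as SDM wrote it, and with the line Ian had to add
ACL_102_SDM = [ip("permit", "10.10.10.0", "0.0.0.255", "177.77.77.0", "0.0.0.255")]
ACL_102_IAN = ACL_102_SDM + [
    ip("permit", "192.168.99.0", "0.0.0.255", "177.77.77.0", "0.0.0.255")]

# the 'ip' entries of inbound ACL 101 that a decrypted reply can hit
ACL_101_SDM = [ip("permit", "172.29.35.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
               ip("deny", *ANY, *ANY)]
ACL_101_IAN = [ip("permit", "177.77.77.0", "0.0.0.255", "192.168.99.0", "0.0.0.255")
               ] + ACL_101_SDM


def walk_session(crypto_acl, inbound_acl, src="10.10.10.5", dst="177.77.77.77"):
    """One LAN host (constructed: 10.10.10.5) talks to the remote server and
    the server replies. Reports what the far end saw as the source, whether
    the outbound packet was encrypted, and which inside host got the reply."""
    xlate = {}
    seen_as, encrypted = inside_to_outside(src, dst, NAT_RULES, crypto_acl, xlate)
    reply_to = outside_to_inside(dst, seen_as, inbound_acl, xlate)
    return {"seen_as": seen_as, "encrypted": encrypted, "reply_to": reply_to}


if __name__ == "__main__":
    print("SDM lists only:  ", walk_session(ACL_102_SDM, ACL_101_SDM))
    print("with Ian's lines:", walk_session(ACL_102_IAN, ACL_101_IAN))
    web = walk_session(ACL_102_IAN, ACL_101_IAN, dst="198.51.100.7")
    print("Internet-bound:   seen as", web["seen_as"], "encrypted:", web["encrypted"])
```

The model translates each packet once, so it does not exercise Ian's extra deny line in ACL 103; it only shows why lists 102 and 101 must reference 192.168.99.0/24 rather than 10.10.10.0/24.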
I have a site-site VPN tunnel working such that I can telnet from any 
10.10.10.x PC on my LAN to a 177.77.77.77 server on the remote LAN via a 
VPN tunnel. NAT is applied so that the far end sees my source address as 
192.168.99.99.

If I log on to my router, either using the serial console port or by 
SSHing from the Internet, how can I adjust the access lists to allow me 
to telnet from the router to 177.77.77.77?

That is, I am at a router# command prompt in user mode and I want to 
type `telnet 177.77.77.77` and have my telnet session routed through the 
VPN tunnel with my source address set to 192.168.99.99 from nat pool 
PRIVATEPOOL.

I assume I need to change my access list 104 so that I get allocated the 
address from the NAT pool PRIVATEPOOL? I can't work out what source 
address to use for this rule:

access-list 104 permit ip ?????????? 177.77.77.0 0.0.0.255



0
Ian
7/5/2007 3:27:01 PM