Cisco Systems [LONG] VPNClient - NAT - LAN to LAN tunnel

Posted by AM on September 19, 2005, 3:48 pm
Sorry for the weird subject, but my post involves each issue.

I have an 837 configured for a LAN to LAN tunnel with my PIX.
I decided to connect to my 837 via VPNclient, so I set up all the parameters needed.
The VPN client connected and connects fine.
When my target was to connect only to the LAN behind the router, everything
worked fine.
Afterwards I wanted to connect to resources behind the PIX also from the
VPNclient. I decided so on the basis that the
router can rotate packets on the same interface, so there are no obstacles from
that point of view.

I created 3 groups for VPNclient

1) stupid users: they can not surf Internet and can access only 10.168.31.1
2) normal users: they can not surf Internet and can access all 10.168.31.0/24
3) power users: they can both access Internet and all 10.168.31.0/24

The first step was to assign those 3 groups ranges belonging to the LAN numbering
behind the router.
Everything worked fine, but someone told me it is not a good idea because devices
behind the router and accessed from the
VPNclient could search for that VPNclient IP address directly on the LAN without
sending packets to the default gateway (the
router). Access to resources behind the PIX was fine. Packets coming from the
VPNclient matched the 'LAN to LAN tunnel'
rules.

On the basis of the warning I moved to other pools for the VPNclient. But that
way, packets coming from the client and going
towards resources behind the PIX are not encrypted, as they don't match the L2L
tunnel.


Below you can see the real configuration, and under that the changes I would add to
permit clients to reach resources behind
the PIX (I can tell you that those didn't work).

Finally my configuration is like below:


-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 TTTTTTTTTTTTTTTTTTTT
!
username MyRouter password 7 TTTTTTTTTTTTTTTTTTT
clock timezone CET 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 10.162.31.0 10.162.31.31
ip dhcp excluded-address 10.162.31.240 10.162.31.254
ip dhcp excluded-address 10.162.31.232 10.162.31.239
!
ip dhcp pool DHCPPoolLAN_0
network 10.162.31.0 255.255.255.0
default-router 10.162.31.254
dns-server 192.168.218.31 192.168.218.19 158.43.240.4 158.43.240.3
!
!
ip domain name DDDDDDDDDDDDDDD
ip name-server DDDDDDDDDDDDD
ip name-server DDDDDDDDDDDDD
ip inspect name ethernetin esmtp timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip ips po max-events 100
ip ssh authentication-retries 5
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 1200
!
crypto isakmp policy 10000
encr 3des
authentication pre-share
group 2
crypto isakmp key YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY address RRRRRRRRR no-xauth
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group FFFFFFFFFFFF-USERS
key group1
dns 192.168.218.31 192.168.218.19
domain DDDDDDDDDDDDDDDd
pool VPNCLIENT-USERS
!
crypto isakmp client configuration group LOC_OP
key group2
dns 192.168.218.31 192.168.218.19
domain DDDDDDDDDDDDDDD
pool VPNCLIENT-LOC_OP
!
crypto isakmp client configuration group HQ_OP
key group3
dns 192.168.218.31 192.168.218.19
domain DDDDDDDDDDDDDDD
pool VPNCLIENT-HQ_OP
acl 103
netmask 255.255.255.254
!
crypto ipsec security-association lifetime seconds 1200
!
crypto ipsec transform-set headquarter esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map mydynmap 10
set transform-set 3DES-SHA
reverse-route
!
!
crypto map vpnplusclient client authentication list userauthen
crypto map vpnplusclient isakmp authorization list groupauthor
crypto map vpnplusclient client configuration address respond
crypto map vpnplusclient 10 ipsec-isakmp
set peer DDDDDDDDDDDDDDD
set transform-set 3DES-SHA
set pfs group2
match address 130
crypto map vpnplusclient 65535 ipsec-isakmp dynamic mydynmap
!
!
!
interface Ethernet0
ip address 10.162.31.254 255.255.255.0
ip access-group 104 out
ip nat inside
ip inspect ethernetin in
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOo
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname FFFFFFFFFFFFFF
ppp chap password 7 FFFFFFFFFFFFFFFFFFFF
ppp pap sent-username FFFFFFFFFFFFFFFFFFFF password 7 FFFFFFFFF
crypto map vpnplusclient
!
ip local pool VPNCLIENT-USERS 192.168.61.232 192.168.61.235
ip local pool VPNCLIENT-LOC_OP 192.168.61.236 192.168.61.237
ip local pool VPNCLIENT-HQ_OP 192.168.61.238 192.168.61.239
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat translation max-entries 2000
ip nat pool VPNclient2HQ 10.162.31.232 10.162.31.239 prefix-length 24
ip nat inside source route-map vpn_2hq interface Dialer0 overload
!
!
ip access-list extended vty-access
permit tcp 10.162.31.0 0.0.0.255 any eq 22
permit tcp 10.162.31.0 0.0.0.255 any eq telnet
permit tcp 192.168.218.0 0.0.0.255 any eq 22
permit tcp 192.168.218.0 0.0.0.255 any eq telnet
access-list 10 permit 192.168.218.0 0.0.0.255
access-list 10 permit 10.162.31.0 0.0.0.255
access-list 103 permit ip 10.162.31.0 0.0.0.255 192.168.61.238 0.0.0.1
access-list 104 permit ip 192.168.61.232 0.0.0.3 host 10.162.31.1
access-list 104 deny ip 192.168.61.232 0.0.0.3 10.162.31.0 0.0.0.255
access-list 104 permit ip any any
access-list 130 permit ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255
access-list 130 permit ip 10.162.31.0 0.0.0.255 host 10.2.1.3
access-list 130 deny ip any any
access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255
access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.61.232 0.0.0.7
access-list 131 deny ip 10.162.31.0 0.0.0.255 host 10.2.1.3
access-list 131 permit ip 10.162.31.0 0.0.0.255 any
no cdp run
!
route-map vpn_2hq permit 10
match ip address 131
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class vty-access in
exec-timeout 120 0
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end


-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0


access-list 105 permit ip 192.168.61.232 0.0.0.7 192.168.218.0 0.0.0.255
ip nat outside source list 105 pool client2HQ
ip nat pool client2HQ 10.162.31.232 10.162.31.239 netmask 255.255.255.248
ip route 10.162.31.232 255.255.255.248 dialer 0


I'm really sorry for the very long post, but where am I wrong?
BTW, I don't want to change the L2L rules, as I would standardize all of this for all
837 routers connecting to the PIX. It
means I should change all 40 rules written on the PIX. Moreover, I'd use different IP
pools for clients on different routers.



Thank you very much to all who made it down to here.


Alex.
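
An added example, not part of Alex's post or of any Cisco tooling: a small Python model of the two ACLs that decide the fate of an outbound packet on this router, crypto ACL 130 (the L2L tunnel) checked first and route-map ACL 131 (NAT overload) second. It assumes only those two lists with IOS first-match semantics and the implicit deny, not the rest of the crypto map or routing, and it reproduces the reported symptom: a VPN-client pool address bound for 192.168.218.0/24 matches neither list and so leaves Dialer0 neither encrypted nor translated.

```python
# Added example (not from the original post): models Cisco wildcard-mask ACL
# matching for the ACLs quoted in the config. In a wildcard, a 1 bit means
# "don't care"; 0.0.0.0 is an exact host, 255.255.255.255 is "any".
import ipaddress


def wc_match(addr, base, wildcard):
    """True if addr matches base under the Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, src, dst):
    """Action of the first matching entry, or the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action
    return "deny"


# access-list 130: the match address of crypto map entry 10 (LAN-to-LAN).
ACL_130 = [
    ("permit", ("10.162.31.0", "0.0.0.255"), ("192.168.218.0", "0.0.0.255")),
    ("permit", ("10.162.31.0", "0.0.0.255"), ("10.2.1.3", "0.0.0.0")),
    ("deny", ("0.0.0.0", "255.255.255.255"), ("0.0.0.0", "255.255.255.255")),
]
# access-list 131: matched by route-map vpn_2hq, i.e. what gets NAT overload.
ACL_131 = [
    ("deny", ("10.162.31.0", "0.0.0.255"), ("192.168.218.0", "0.0.0.255")),
    ("deny", ("10.162.31.0", "0.0.0.255"), ("192.168.61.232", "0.0.0.7")),
    ("deny", ("10.162.31.0", "0.0.0.255"), ("10.2.1.3", "0.0.0.0")),
    ("permit", ("10.162.31.0", "0.0.0.255"), ("0.0.0.0", "255.255.255.255")),
]


def classify(src, dst):
    """How a packet leaves Dialer0 under this model: 'ipsec', 'nat' or 'clear'."""
    if acl_action(ACL_130, src, dst) == "permit":
        return "ipsec"  # matches the L2L crypto ACL, so it is encrypted
    if acl_action(ACL_131, src, dst) == "permit":
        return "nat"  # translated to the Dialer0 address
    return "clear"  # neither list: forwarded untranslated and unencrypted


if __name__ == "__main__":
    # LAN host behind the 837 to the PIX side: encrypted, as intended.
    print(classify("10.162.31.10", "192.168.218.5"))  # ipsec
    # VPN-client pool address (192.168.61.232-239) to the PIX side: cleartext.
    print(classify("192.168.61.233", "192.168.218.5"))  # clear
```

The same model shows why the poster's original pool choice worked: a client address inside 10.162.31.0/24 matches ACL 130 and is encrypted.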
