Site to Site VPN Issues w/ Cisco Router/NAT - I'm 90% of the way there. :)

Good afternoon,

My company is having some issues deploying a site-to-site VPN. It's been a rather tricky configuration, as we're connecting to a stock exchange, and they expect the IPs to be in a 10.74.74.0/24 address range, and our systems are actually in the 192.168.254.0/24 range. So, we need to NAT our addresses to the 10.74.74.0/24 range on the router and then send them across the network. This seems simple, at least in concept. I'm a CCNA, have had a good deal of experience working with client-to-site VPNs and a lot of router/switch configuration; is this something that I should know, or (as is my belief) is this something at the CCSP/CCNP level, due to the complication of it? Guess that's a judgement call.

Regardless, if someone could help point me in the right direction, I'd greatly appreciate it. You'd be my best friend, at least for some period of time. :)

- John C. Young snipped-for-privacy@nevermind.org

Seems simple enough:

cisco-1841-01#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.74.74.74        192.168.254.254    ---                ---
cisco-1841-01#

Here's the contents of a 'sh run', followed by the info on the VPN tunnel (IPSEC and ISAKMP are both up, yet Tunnel0 remains down, as shown by the show interfaces output).

Current configuration : 3138 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-1841-01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name greenlinetech.com
ip multicast-routing
!
username jyoung privilege 15 secret 5 $1$Ot0B$uIumFEaZYFnZZzxNYS9D4/
username gschuetz privilege 15 secret 5 $1$HnQY$hi./nAA/8ZWpedcl3e2o7/
username sysadmin privilege 15 secret 5 $1$GdJO$IeI8BBpxK8kYusxsMzPQQ.
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXX address THEIROUTSIDEIP
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
 set peer THEIROUTSIDEIP
 set transform-set cmevpn
 match address 100
!
interface Tunnel0
 description CME Tunnel
 ip address 10.74.2.1 255.255.255.252
 ip pim sparse-mode
 tunnel source 10.74.0.74
 tunnel destination 10.74.254.1
!
interface Loopback0
 ip address 10.74.0.74 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description Inside Interface
 ip address 192.168.254.254 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Outside Interface
 ip address OUROUTSIDEIP 255.255.255.240
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 100
 crypto map cmevpn
!
ip classless
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip pim rp-address 10.71.0.5
ip mroute 10.71.0.0 255.255.255.0 Tunnel0
ip nat pool cmevpn 10.74.74.74 10.74.74.74 netmask 255.255.255.0
ip nat inside source static network 192.168.254.254 10.74.74.74 /32
ip nat outside source list cmevpn pool test
!
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.56.0 0.0.0.255
access-list 100 permit ip 10.74.74.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 permit gre host 10.74.0.74 host 10.74.254.1
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 199 permit ip 10.1.16.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit ip 10.1.56.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit ip 10.1.63.0 0.0.0.255 10.74.74.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre host 10.74.254.1 host 10.74.0.74
!
route-map cmevpn permit 100
 match ip address 100
!
route-map cmevpn permit 199
 match ip address 199
!
control-plane
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!

The show interfaces:

cisco-1841-01#sh int
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0017.e02e.3ba4 (bia 0017.e02e.3ba4)
  Description: Inside Interface
  Internet address is 192.168.254.254/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 7 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     729009 packets input, 85469439 bytes
     Received 644978 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     90543 packets output, 6766004 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 0017.e02e.3ba5 (bia 0017.e02e.3ba5)
  Description: Outside Interface
  Internet address is OUROUTSIDEIP
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     13480 packets input, 2711209 bytes
     Received 4744 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     10303 packets output, 1094122 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
  Hardware is NVI
  MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation UNKNOWN, loopback not set
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Loopback0 is up, line protocol is up
  Hardware is Loopback
  Internet address is 10.74.0.74/32
  MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
  Last input 15:57:08, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     8 packets output, 564 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Tunnel0 is up, line protocol is down
  Hardware is Tunnel
  Description: CME Tunnel
  Internet address is 10.74.2.1/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.74.0.74, destination 10.74.254.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

The VPN Tunnel appears to be up:

cisco-1841-01#sh crypto isakmp sa
dst              src              state        conn-id slot status
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_SA_SETUP      222    0 ACTIVE
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_NO_STATE      221    0 ACTIVE (deleted)

cisco-1841-01#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: cmevpn, local addr OUROUTSIDEIPHERE

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.74.0.74/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.74.254.1/255.255.255.255/47/0)
   current_peer CONNECTINGIPHERE port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer THEIRIPHERE port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.16.0/255.255.255.0/0/0)
   current_peer THEIRIPHERE port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.56.0/255.255.255.0/0/0)
   current_peer THEIRIPHERE port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: OURIPHERE, remote crypto endpt.: THEIRIPHERE
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.74.74.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.63.0/255.255.255.0/0/0)
   current_peer 64.125.177.134 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 4.79.65.37, remote crypto endpt.: THEIRIPHERE
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Reply to
jcy
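Two details in the quoted output are worth reading mechanically rather than by eye: an ISAKMP SA that has finished main mode shows the state QM_IDLE (MM_SA_SETUP means phase 1 is still negotiating, whatever the status column says), and an established IPsec SA carries a non-zero outbound SPI, whereas every flow above shows 0x0(0). The script below is an added example, not code from the post; it parses constructed, abridged copies of those two show commands (placeholders kept as the poster wrote them) and reports what is and is not actually established, including the flow whose remote proxy is 0.0.0.0/0 because of the "permit ip 192.168.254.0 0.0.0.255 any" entry in access-list 100.

```python
import re
# Constructed samples, abridged from the show output quoted in the post
# above (address placeholders kept exactly as the poster wrote them).
ISAKMP_SAMPLE = """\
dst              src              state        conn-id slot status
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_SA_SETUP      222    0 ACTIVE
OUROUTSIDEIPHERE CONNECTINGIPHERE MM_NO_STATE      221    0 ACTIVE (deleted)
"""
IPSEC_SAMPLE = """\
local ident (addr/mask/prot/port): (10.74.0.74/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.74.254.1/255.255.255.255/47/0)
current outbound spi: 0x0(0)
local ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current outbound spi: 0x0(0)
"""
IDENT_RE = re.compile(r"^(local|remote)\s+ident .*?: \(([^/]+/[^/]+)/")
SPI_RE = re.compile(r"^current outbound spi: 0x([0-9A-Fa-f]+)")

def isakmp_phase1_complete(text):
    """True only if a live (not deleted) ISAKMP SA has reached QM_IDLE.
    MM_* states mean main mode is still negotiating, whatever 'status' says."""
    return any("QM_IDLE" in ln and "(deleted)" not in ln
               for ln in text.splitlines())

def ipsec_flows(text):
    """One dict per crypto-map flow: local/remote proxy ids and outbound SPI."""
    flows, cur = [], None
    for ln in (l.strip() for l in text.splitlines()):
        ident, spi = IDENT_RE.match(ln), SPI_RE.match(ln)
        if ident and ident.group(1) == "local":   # a new flow block starts
            cur = {"local": ident.group(2), "remote": None, "spi": 0}
            flows.append(cur)
        elif ident and cur:
            cur["remote"] = ident.group(2)
        elif spi and cur:                          # spi 0x0 means no SA exists
            cur["spi"] = int(spi.group(1), 16)
    return flows

def diagnose(isakmp_text, ipsec_text):
    """Findings to act on; an empty list means nothing wrong was detected."""
    out = []
    if not isakmp_phase1_complete(isakmp_text):
        out.append("IKE phase 1 never reached QM_IDLE: check PSK, peer and policy")
    for f in ipsec_flows(ipsec_text):
        if f["spi"] == 0:
            out.append(f"no IPsec SA built for {f['local']} -> {f['remote']}")
        if f["remote"] == "0.0.0.0/0.0.0.0":
            out.append(f"crypto ACL matches 'any' for {f['local']}; narrow it")
    return out
```

Run `diagnose(ISAKMP_SAMPLE, IPSEC_SAMPLE)` to get the four findings for the quoted output; feed it the full, unabridged output of both commands from a live router to cover every flow.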

I haven't configured something like that on IOS, but I've done it a couple of different ways with a PIX.

Before I describe or reference the techniques, some important questions:

1) What is the destination IP range that you have to address in order to communicate with their hosts? (If it is the same 10.74.74/24 address range that they expect you to map into, then things get more complicated.)
2) Which sides need to be able to open new connections to the other?
3) Do you need 1-to-1 address translation as you go across the link, so that they can (for authentication or logging reasons) distinguish your various systems? Or is it acceptable for all of your machines to appear to them to be one IP? Or [cf #2] do they need to be able to directly access a small number of your machines and, as far as they are concerned, the rest can all look like one IP?
Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.