·Frontier FiberOp..
Cisco VPN server via double NAT

So I'm tinkering with this possibility and hit a bit of a snag.
I have a Netgear router sitting between my home network and the Internet behind a cable modem. I also have a Cisco 1841 sitting behind the Netgear router that I'm looking to use as a VPN server from inside the network instead of right at the cable modem.
Using the config below, I was able to make a VPN connection from the outside via cell phone tethering and a laptop using the Cisco VPN client. But pings to inside hosts within 10.17.12.200/29 are timing out more than responding.
Now this connection is technically a triple NAT. Tethering via cell phone means NAT'ing behind the cell phone in addition to NAT'ing past the Netgear and the 1841, so I'm wondering if this is the reason behind the timeouts.
This is how the connection goes roughly:
Cell phone --> Internet --> Netgear router --> Cisco 1841
Check out the config below
TIA
router#sh run
Building configuration...

Current configuration : 1895 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$LKq9$fBXDPUoSehOn0iCYvabmL1
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
username omar password 0 xxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key xxx
 dns 10.17.12.2
 domain omarnyc.com
 pool ippool
 acl 101
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set tset1
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 10.17.12.201 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.17.12.6 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool ippool 10.18.12.25 10.18.12.30
ip route 0.0.0.0 0.0.0.0 10.17.12.3
!
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet0/1 overload
!
access-list 10 permit 10.17.12.208 0.0.0.7
access-list 10 permit 10.18.12.24 0.0.0.7
access-list 101 permit ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 deny   ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 permit ip 10.17.12.200 0.0.0.7 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
aryoba
MVM
2013-Jan-14 9:03 am
Is there a reason why you keep the Netgear router in place instead of replacing it with the Cisco 1841? That way your network is simpler to manage and eliminates possibly funky stuff.
·Frontier FiberOp..
I don't remember where I read that it's better to VPN into a concentrator from behind an edge router than to have a VPN headend right at the edge. Correct me if I'm wrong. I agree. So far it's been a PITA getting it to work correctly behind a double NAT.
aryoba
MVM
2013-Jan-14 12:52 pm
There is nothing wrong with dedicating a VPN concentrator separate from the edge or Internet router. There is however a concern with having consumer-grade gear such as Netgear in the mix, since consumer-grade gear can often introduce funky stuff without a way to monitor/remove/remediate/adjust it.
If your network is small enough, having a single 1841 router be both Internet router and VPN concentrator should be no problem. Simply monitor the CPU and memory consumption in addition to monitoring behavior. You can always scale up by adding another Cisco 1841 when needed.
Gotcha. Yeah.. I think the Netgear is getting pulled out of the mix. I need to force myself to use the CLI more often to manage my home router as it is. Thanks
aryoba
MVM
2013-Jan-14 1:06 pm
In regards to the NAT issue, you can simply turn off NAT when you have to and use NAT only for specific traffic flows. Check out this forum's FAQ for a sample configuration: » Cisco Forum FAQ » Configure router as both Internet router and VPN Concentrator
·Frontier FiberOp..
Yeah, I used that example to tinker with this. It basically denies NAT'ing for "interesting" traffic, or what I was needing between 10.17.12.200/29 and 10.18.12.24/29, but it was still double NAT at best between the cell phone and the Netgear router.
I'm hoping you're right and it was just the Netgear router.
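A way to check that NAT-exemption logic offline, as an added example that is not code from the thread or from the FAQ: a small Python model of how IOS evaluates the NAT ACL referenced by `ip nat inside source list` and the crypto ACL, run over the ACL lines from the first posted config. The ACL text and the sample flows are constructed here; the parser handles only the `any`/wildcard `ip` entries that config uses, and `exemption_gaps` goes one step beyond the thread by flagging flows the crypto ACL selects that NAT would still translate.

```python
import ipaddress
# Constructed sample: the ACL lines from the first config posted in the thread.
# 101 is the crypto (split-tunnel) ACL; 111 drives 'ip nat inside source list 111'.
POSTED_ACLS = """
access-list 101 permit ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 deny ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 permit ip 10.17.12.200 0.0.0.7 any
"""
# Constructed variant with the NAT exemption (the 'deny') line left out.
MISSING_EXEMPTION = """
access-list 101 permit ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 permit ip 10.17.12.200 0.0.0.7 any
"""

def _network(tokens, i):
    """Parse the address spec ('any' or 'ADDR WILDCARD') at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    netmask = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF  # IOS wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{ipaddress.IPv4Address(netmask)}", strict=False), i + 2

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in IOS line order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only extended 'ip' entries, which is all the posted config uses
        src, i = _network(t, 4)
        dst, _ = _network(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def acl_match(entries, src, dst):
    """First-match evaluation, ending in the implicit deny IOS appends."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((act for act, sn, dn in entries if s in sn and d in dn), "deny")

def is_natted(acls, nat_acl, src, dst):
    """'ip nat inside source list N interface ... overload' translates only flows N permits."""
    return acl_match(acls.get(nat_acl, []), src, dst) == "permit"

def exemption_gaps(acls, crypto_acl, nat_acl, flows):
    """Flows the crypto ACL selects that NAT would still translate. IOS translates an
    inside->outside packet before the crypto map sees it, so the rewritten source no
    longer matches the crypto ACL and the packet leaves the outside interface in the clear."""
    return [(s, d) for s, d in flows
            if acl_match(acls[crypto_acl], s, d) == "permit" and is_natted(acls, nat_acl, s, d)]
```

With the posted ACLs, LAN-to-VPN-pool traffic is exempt from NAT and everything else is overloaded; drop the `deny` line and `exemption_gaps` reports the LAN-to-pool flow as translated.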
aryoba
MVM
2013-Jan-14 1:31 pm
I've never worked with Netgear products, but I'm guessing there should be some options to turn off NAT for interesting traffic. Cellphone features are however limited, depending on your cellphone make, model, operating system, and the apps you are using. I believe cellphone companies always implement NAT, and unless you have bargaining power, there is nothing you can do or say to the cellphone company to turn NAT off. What you can do is use a Wi-Fi network sitting outside the router and have the laptop use that Wi-Fi network to establish the IPsec VPN.
to tired_runner
I second aryoba's comments. Unless your Internet package is bigger than what an 1841 can handle, or there's something the Netgear is handling that the 1841 can't, I say drop in the 1841 as the headend at the modem and go from there.
Regards
·Frontier FiberOp..
Well gents... I finally came around to removing the Netgear and putting the 1841 in its place. I'm now cooking with fire. Below is the winning and current running config.
Thanks again for your help :)
Building configuration...

Current configuration : 2925 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
ip domain name homenet.local
!
username ocintron password 7 xxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnaccess
 key xxx
 dns 10.17.12.2
 domain homenet.local
 pool vpnpool
 acl 110
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set tset1
 reverse-route
!
crypto map clientmap client authentication list homenet_user_auth
crypto map clientmap isakmp authorization list homenet_group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.17.12.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool vpnpool 10.18.12.25 10.18.12.30
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
!
access-list 10 permit 10.17.12.25
access-list 100 deny   ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 110 permit ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 100 in
 password 7 xxx
line vty 5 15
 access-class 100 in
 password 7 xxx
!
scheduler allocate 20000 1000
end