Network Guy

Cisco VPN server via double NAT

So I'm tinkering with this possibility and hit a bit of a snag.

I have a Netgear router sitting between my home network and the Internet behind a cable modem. I also have a Cisco 1841 sitting behind the Netgear router that I'm looking to use as a VPN server from inside the network instead of right at the cable modem.

Using the config below, I was able to make a VPN connection from the outside via cell phone tethering and a laptop using the Cisco VPN client. But pings to inside hosts within 10.17.12.200/29 are timing out more than responding.

Now this connection is technically a triple NAT. Tethering via cell phone means NAT'ing behind the cell phone in addition to NAT'ing past the Netgear and the 1841, so I'm wondering if this is the reason behind the timeouts.

This is how the connection goes roughly:

Cell phone --> Internet --> Netgear router --> Cisco 1841

Check out the config below

TIA


router#sh run
Building configuration...

Current configuration : 1895 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$LKq9$fBXDPUoSehOn0iCYvabmL1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
!
!
!
!
!
!
username omar password 0 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key xxx
dns 10.17.12.2
domain omarnyc.com
pool ippool
acl 101
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
ip address 10.17.12.201 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.17.12.6 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool ippool 10.18.12.25 10.18.12.30
ip route 0.0.0.0 0.0.0.0 10.17.12.3
!
!
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet0/1 overload
!
access-list 10 permit 10.17.12.208 0.0.0.7
access-list 10 permit 10.18.12.24 0.0.0.7
access-list 101 permit ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 deny ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 permit ip 10.17.12.200 0.0.0.7 any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end


aryoba

Is there a reason why you keep the Netgear router in place instead of replacing it with the Cisco 1841? This way your network is simpler to manage and eliminates possibly funky stuff.


Network Guy

Don't know where I remember reading it that it's best to VPN into a concentrator from behind an edge router than it is to have a VPN headend right at the edge.

Correct me if I'm wrong. I agree. So far it's been a PITA getting it to work correctly behind a double NAT.


aryoba

There is nothing wrong with dedicating a VPN Concentrator separate from the edge or Internet router. There is however a concern with having consumer-grade gear such as Netgear in the mix, since consumer-grade gear can usually introduce funky stuff without a way to monitor/remove/remediate/adjust.

If your network is small enough, having a single 1841 router be both Internet router and VPN Concentrator should be no problem. Simply monitor the CPU and memory consumption in addition to monitoring behavior. You can always scale up by adding another Cisco 1841 when needed.


Network Guy

Gotcha

Yeah.. I think the Netgear is getting pulled out of the mix. I need to force myself to use CLI more often to manage my home router as it is.

Thanks


aryoba

In regard to the NAT issue, you can simply turn off NAT when you have to and use NAT only for specific traffic flows. Check out this forum's FAQ for a sample configuration.

»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator


Network Guy

Yeah, I used that example to tinker with this. It basically denies NAT'ing for "interesting" traffic.. or what I was needing between 10.17.12.200/29 and 10.18.12.24/29.. but it was still double NAT at best between the cell phone and the Netgear router.

I'm hoping you're right and it was just the Netgear router.
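The "deny NAT for interesting traffic" idea from the FAQ can be checked mechanically. The script below is an added example, not code from the thread or the FAQ: it parses the numbered extended ACLs, the split-tunnel ACL referenced by the client group, the `ip local pool` range and the overload NAT ACL, then reports every (LAN prefix, pool address) pair that the NAT ACL would still translate. The embedded config excerpt is constructed to mirror the first config above (ACL 101 / 111); the same checker runs unchanged on the final config (ACL 110 / 100). Assumptions: contiguous wildcard masks, numbered ACLs only, no `host` keyword.

```python
import ipaddress
import re
# Constructed excerpt modelled on the thread's first config; not the poster's full output.
CONFIG_OK = """
crypto isakmp client configuration group vpnclient
 acl 101
ip local pool ippool 10.18.12.25 10.18.12.30
ip nat inside source list 111 interface FastEthernet0/1 overload
access-list 101 permit ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 deny ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7
access-list 111 permit ip 10.17.12.200 0.0.0.7 any
"""
# Same excerpt with the NAT-exemption deny line left out: LAN replies to VPN clients get translated.
CONFIG_BAD = CONFIG_OK.replace("access-list 111 deny ip 10.17.12.200 0.0.0.7 10.18.12.24 0.0.0.7\n", "")

def _addr_term(t, i):
    """Consume one ACE address term ('any' or 'ADDR WILDCARD') at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    wc = int(ipaddress.IPv4Address(t[i + 1]))  # Cisco wildcard: 1 bits are "don't care"; contiguous assumed
    return ipaddress.IPv4Network((t[i], 32 - wc.bit_length()), strict=False), i + 2

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered extended 'ip' ACEs, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            src, i = _addr_term(t, 4)
            dst, _ = _addr_term(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def first_match(entries, src, dst):
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"  # Cisco ACLs are first-match with an implicit deny at the end

def nat_exemption_gaps(config):
    """(lan_prefix, pool_ip) pairs the NAT ACL still translates: LAN prefixes from the split-tunnel ACL, pool from 'ip local pool'."""
    acls = parse_acls(config)
    nat_acl = re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1)
    split_acl = re.search(r"^\s*acl (\d+)$", config, re.M).group(1)
    lo, hi = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M).groups()
    pool = [ipaddress.IPv4Address(n) for n in range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1)]
    lan_nets = [s for a, s, _ in acls[split_acl] if a == "permit"]
    return [(str(lan), str(ip)) for ip in pool for lan in lan_nets
            if first_match(acls[nat_acl], lan.network_address, ip) == "permit"]
```

An empty list means every pool address is exempted from overload NAT toward every split-tunnel prefix; each listed pair is a flow whose LAN-side replies would be PAT'ed out the outside interface instead of going back through the tunnel.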


aryoba

Never worked with Netgear products, but I'm guessing there should be some option to turn off NAT for interesting traffic. Cellphone features are however limited, depending on your cellphone make, model, operating system, and the apps you are using. I believe cellphone companies always implement NAT and unless you have bargaining power, there is nothing you can do or say to the cellphone company to turn NAT off. What you can do is to use a Wifi network sitting outside the router and have the laptop use the Wifi network to establish the IPSec VPN.


HELLFIRE

Second aryoba's comments. Unless your Internet package is bigger than what an 1841 can handle, or there's something the Netgear's handling that the 1841 can't handle, I say drop the 1841 in as the headend to the modem and go from there.

Regards


Network Guy

Well gents... I finally came around to removing the Netgear and putting the 1841 in its place. I'm now cooking with fire. Below is the winning and current running config.

Thanks again for your help :)


Building configuration...

Current configuration : 2925 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name homenet.local
!
!
!
username ocintron password 7 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnaccess
key xxx
dns 10.17.12.2
domain homenet.local
pool vpnpool
acl 110
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map clientmap client authentication list homenet_user_auth
crypto map clientmap isakmp authorization list homenet_group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool vpnpool 10.18.12.25 10.18.12.30
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
!
access-list 10 permit 10.17.12.25
access-list 100 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 110 permit ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 100 in
password 7 xxx
line vty 5 15
access-class 100 in
password 7 xxx
!
scheduler allocate 20000 1000
end