Celald

join:2013-07-12
Spruce Pine, NC

[Config] Review requested: VPN with Cisco behind a DSL-Router

(Attachments: Visio drawing of my network; VPN_config_template, r009336_vpn_···ized.txt, 2,935 bytes)
Hello Forum,

I'm trying to establish a VPN connection between a Cisco 2811 within my network and a counterparty.
I got a sample config file (see below) from their network department, but I think the configuration is not correct.
Let me explain why:

They assume the Cisco is directly connected to the internet with a public IP address. Therefore their config file template
defines the internal interface with the public IP address.
In fact, the Cisco sits as an exposed host (i.e. DMZ) behind a DSL router with a local IP address. Thus, all requests
to my network on a port not previously defined will be forwarded to the Cisco (e.g. 85.1.2.3:80 --> 192.168.100.80:80;
85.1.2.3:* --> 192.168.100.5).

 Counterparty
  |
 Internet
  |
___________________
WAN-IP: 85.1.2.3             [ DMZ
DSL Router (not Cisco)  -----[ Cisco_2811 
LAN-IP 192.168.100.2         [ LAN-IP fe0/0 192.168.100.5, 
___________________          [ def.GW: 192.168.100.2
   |
   |-----------------------v
   |                       |
___________________       ______________________
standard PC                 PC, wish to use VPN
LAN-IP 192.168.100.80     LAN-IP 192.168.100.49
def.GW: 192.168.100.2     def.GW: 192.168.100.5
___________________       ______________________

(for the complete picture, see the attachment)

I'm new to Cisco so my experience is very limited. Can someone review the config file and correct it if required?
I did some research on the web but I'm not sure if and how it is relevant.

- My ADSL router (AVM 7390) is capable of VPN passthrough. But the VPN connection has to be aware of NAT traversal,
otherwise there are restrictions, e.g. "Authentication Header" (AH) cannot be used.

Besides the Cisco router already being in the DMZ, I've defined forwarding rules on my DSL router
for ESP and GRE.

- Port Forwarding for Cisco ASA 5505 VPN: supportforums.cisco.com/thread/2158467

- Keywords: ip NAT inside, outside, overload ???

To cut a long story short: please review the attached config file with regard to my infrastructure. I have tried the whole
week but with no success :(

Many thanks in advance,
Celal

HELLFIRE
Premium
join:2009-11-25
kudos:18

Re: [Config] Review requested: VPN with Cisco behind a DSL-Route

So if I have this right :

- Your public IP address is 85.1.2.3 on your AVM Fritz
- their public IP address is 193.2.7.6
- phase 1 of the VPN is as follows :

crypto isakmp policy 1
 encryption 3des
 

- phase 2 of the VPN is as follows :

crypto map dbs 1 ipsec-isakmp
 set peer 193.2.7.6
 set transform-set dbsset
 match address 141
 
access-list 141 permit gre host 85.1.2.3 host 193.2.7.6
 
crypto ipsec transform-set dbsset esp-3des esp-sha-hmac
 

both match exactly with what is configured on the other end, yes?

- host 192.168.100.49 wants to use the tunnel, but is NOT behind the 2811, but in fact the AVM Fritz

Other than that, you have a hell of a Gordian Knot of a design problem... I'll tell you that for starters.

Really dumb question, what is the likelihood of removing the AVM Fritz entirely, and/or putting it
into bridge mode so the 2811 could get the public IP address?

Regards

Celald

join:2013-07-12
Spruce Pine, NC
Hi Hellfire,

First, thanks for your help.

>- Your public IP address is 85.1.2.3 on your AVM Fritz
>- their public IP address is 193.2.7.6

yes to both.

>- phase 1 ...cut...
> ...both match exactly with what is configured on the other end, yes?

I got the configuration from the network department of a big company, so I'm quite sure it is.

> - host 192.168.100.49 wants to use the tunnel, but is NOT behind the 2811, but in fact the AVM Fritz

Yes, I think so. Hence my post. Actually I set

interface FastEthernet0/0
 ip address 192.168.100.5 255.255.255.0
ip default-gateway 192.168.100.2
ip name-server 192.168.100.2

and the Cisco is able to reach LAN & WAN and can be reached from WAN & LAN.
When I change to the given template I fear I will lose the LAN connection and host .49 will not be able to reach the Cisco anymore.

> Other than that, you have a hell of a Gordian Knot of a design problem... I'll tell you that for starters.

I'm afraid I have :(

> Really dumb question, what is the likelihood of removing the AVM Fritz entirely,

Removing is not possible because:

1) The Cisco will be used during the implementation phase of a software project in my home office. After the project finishes successfully,
I may buy an HWIC ADSL interface card and the Cisco will be installed at the company I'm associated with.

2) My AVM Fritz also handles my phones and fax, and there are many port forwardings defined for other components. I'm not sure the Cisco can handle all of this from scratch without investing additional time and money. In fact, for the short period of time (short project) it is IMHO too much effort.

And I think it is more flexible if this problem can be solved within my current infrastructure.

> and/or putting it into bridge mode so the 2811 could get the public IP address?

I don't know how! On the contrary, I put the Cisco in the DMZ (in AVM jargon the so-called "exposed host"), which means all requests from the WAN for a LAN target not defined in the forwarding rules will be forwarded automatically to the Cisco, including ESP and GRE.

While writing this reply an idea came to mind: the main problem is defining the interfaces with public IPs, and thus the LAN connection gets lost. How about virtual interfaces or something like that? Is the Cisco capable of setting two IP addresses on the same physical FastEthernet0/0 interface? If yes, I could set the LAN and WAN address on these virtual interfaces, so the Cisco becomes accessible from WAN & LAN.

Is my consideration appropriate?

What about the command crypto isakmp nat-traversal 30?
and nat inside/outside?

If none of this is possible, my last idea is to buy an additional Ethernet interface module that maps the LAN.

Again, thanks for helping.

Greetings,
Celal

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Celald
Okay, more questions from your attached config:

ip route 0.0.0.0 0.0.0.0 85.1.2.3
 

As the 2811 doesn't have the 85.1.2.3 IP address, this isn't going to do much, I'd remove the line,
or change it to the 192.168.100.2 IP address.

interface FastEthernet0/1
 ip address  90.2.1.2 255.255.255.0
 

Can you explain further what's up with this interface and IP addressing? I thought you were trying
to get the 2811 to have an IP address in the 192.168.x.x range?

interface tunnel
 description To Counterparty
 tunnel source 85.1.2.3
 tunnel destination 193.2.7.6
 keepalive 10 3
 ip address 90.6.7.2 255.255.255.0
 ip pim sparse-mode
 ip mroute-cache
 

access-list 141 permit gre host 85.1.2.3 host 193.2.7.6
 

These lines of config you may want to keep, but again, you're going to have to change them, specifically the
fact that the 2811 doesn't have the 85.1.2.3 IP address.

What you could do, depending on your design requirements, is have the AVM Fritz do your NAT, and have
the 2811 do the VPN. Set a loopback address in the 192.168.x.x range on the 2811 and use that as the
tunnel source in the above config -- that way the tunnel stays permanently up so long as the 2811 is
powered and operating.

said by Celald:

> Really dumb question, what is the likelihood of removing the AVM Fritz entirely,

Removing is not possible because:

1) The Cisco will be used during the implementation phase of a software project in my home office. After the project finishes successfully,
I may buy an HWIC ADSL interface card and the Cisco will be installed at the company I'm associated with.

2) My AVM Fritz also handles my phones and fax, and there are many port forwardings defined for other components. I'm not sure the Cisco can handle all of this from scratch without investing additional time and money. In fact, for the short period of time (short project) it is IMHO too much effort.

#1 is an issue with your network, #2 is easily fixed. Give me the static NAT / forwardings and I could
easily give you the configs to use. Your choice, Celald, on how you want to go...

said by Celald:

How about virtual interfaces or something like that? Is the Cisco capable of setting two IP addresses on the same physical FastEthernet0/0 interface?

Yes, it's called "IP address x.x.x.x" and "IP address secondary y.y.y.y," but depending on your addressing
and routing, I'd be VERY careful about using it. The key is how you're routing in your own network and
to the ISP -- is your ISP handing you JUST the 85.1.2.3, or are they handing you a block of addresses? Are
they doing routing with you via RIP? OSPF? BGP?

said by Celald:

What about the command crypto isakmp nat-traversal 30?

It just enables NAT-T for VPN.

said by Celald:

and nat inside/outside?

If the AVM Fritz is doing NAT already and you configure another NAT on the 2811, you'll only introduce
a double NAT into the network, and that can break more things than it will fix... and speaking from a
design perspective, if you have to NAT more than once, you're likely doing things wrong IMHO.

My 00000010bits

Regards
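The recurring review finding in this thread is a template that names an address (85.1.2.3) the 2811 does not own. Below is an added example, not code from the thread or from either poster: a small Python audit that parses an IOS-style config and flags tunnel sources, static next hops and crypto-ACL local hosts that refer to an address or subnet not configured on the router itself. The sample config is constructed from the lines quoted above; "Tunnel0" and the one-space sub-command indent are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample from the template lines quoted in this thread, on a router
# that only owns 192.168.100.5/24 (fe0/0) and the tunnel address. "Tunnel0" is
# an assumption: the quoted template had no interface number.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.100.5 255.255.255.0
interface Tunnel0
 tunnel source 85.1.2.3
 ip address 90.6.7.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 85.1.2.3
access-list 141 permit gre host 85.1.2.3 host 193.2.7.6
crypto map dbs 1 ipsec-isakmp
 match address 141
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(rf"^ ip address {IP} {IP}")        # one-space IOS indent assumed
TUNSRC_RE = re.compile(r"^ tunnel source (\S+)")
ROUTE_RE = re.compile(rf"^ip route \S+ \S+ {IP}")
MATCH_RE = re.compile(r"^ match address (\d+)")
ACL_RE = re.compile(rf"^access-list (\d+) permit \S+ host {IP} host")

def audit(config):
    """Return findings for references to addresses this router does not own."""
    names, addrs, subnets, crypto_acls = set(), set(), [], set()
    lines = config.splitlines()
    for line in lines:  # first pass: what does the router itself own?
        if m := IFACE_RE.match(line):
            names.add(m.group(1).lower())
        elif m := ADDR_RE.match(line):
            ifa = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            addrs.add(str(ifa.ip))
            subnets.append(ifa.network)
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
    findings = []
    for n, line in enumerate(lines, 1):  # second pass: cross-check references
        if m := TUNSRC_RE.match(line):
            src = m.group(1)  # must be an owned address or an interface name
            if src not in addrs and src.lower() not in names:
                findings.append(f"line {n}: tunnel source {src} is not on this router")
        elif m := ROUTE_RE.match(line):
            nh = ipaddress.IPv4Address(m.group(1))
            if not any(nh in net for net in subnets):
                findings.append(f"line {n}: next hop {nh} is not on a connected subnet")
        elif m := ACL_RE.match(line):
            if m.group(1) in crypto_acls and m.group(2) not in addrs:
                findings.append(f"line {n}: crypto ACL {m.group(1)} local host {m.group(2)} is not on this router")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the three lines Hellfire called out; after rewriting them to a local tunnel source, the 192.168.100.2 next hop and a local ACL host, the audit returns nothing.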