Mate,
this is not a free Cisco support forum. This is a study forum, as in
studying things, as in trying to understand how things work. I have yet
to see any attempt on your part to understand, such as sending some
meaningful questions with debug outputs for crypto isakmp and crypto ipsec
and pointing out the debug line you don't quite understand and want
help with.
As I mentioned before, I loaded your configs into a Dynamips lab and the
tunnel came up straight away, so roughly you are on the right track. There
could be half a dozen reasons why your current setup is not working.
Look up the Cisco IPSec VPNs SRND to validate your design. Build it in the
lab and test it. Start with a simple setup of two routers connected back
to back with no NAT, get it working, then add NAT. Debug as you go;
this will build your confidence when the time comes to support the solution
in production or hand it over to the BAU team.
There are no shortcuts here; you have to follow this curve if you want to
learn stuff.
HTH
A.
On 11/25/2011 6:09 PM, Arbaaz Khan wrote:
> Hello Alex,
> I feel I provided all the information and the problem; sorry if you didn't
> get it clearly.
> Let me clear up this confusion.
> *_So you are still hiding from us what the problem is, are you? :-)_*
> Site-C cannot establish a VPN with Site-B [ problem getting the tunnel up
> with a dynamic IP ], as I mentioned in my initial post.
> *_In the config extract you provided for Site-B you don't have NAT. Do
> you have it in reality?_*
> I mentioned _dynamic IP with NAT_ [ this is on Site-C ]; I sent the
> complete config of Site-C.
> Site-B has a static IP without NAT.
> I wanted someone to look at my config and tell me if I missed anything.
>
>
> On Fri, Nov 25, 2011 at 1:37 AM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
> Hi again.
>
> So you are still hiding from us what the problem is, are you? :-)
>
> From the ISAKMP/IPSec standpoint it looks good, unless the IOS versions
> on the two ends are so different that they use different default DH
> groups (the ones you did not specify in your isakmp policies).
>
> In the config extract you provided for Site-B you don't have NAT.
> Do you have it in reality?
>
> Anyway, I would encourage you to run some debugs on both ends to
> see where it breaks.
>
> Try to build a model in Dynamips and do some debugging there. It took
> me 5 minutes to strip the unnecessary stuff out of your configs without
> changing any of the ISAKMP/IPSec core, put them on Dynamips, and the
> tunnel went up straight away.
>
> Cheers
>
> A.
>
> On 25 November 2011 00:10, Arbaaz Khan <arbaazkhan83_at_gmail.com> wrote:
>
> Hi A
> The configuration of Site-B
> Site-B has other tunnels, and to keep it simple I removed the
> access-lists for the tunnels that are working.
>
> %%%%%%%%%%%%%%%%%%%%%
> Site-B configuration
> %%%%%%%%%%%%%%%%%%%%%
>
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp policy 2
>  hash md5
>  authentication pre-share
> !
> crypto isakmp key cisco address 97.12.118.X
> crypto isakmp key cisco address 217.218.185.x
> crypto isakmp key cisco address 62.249.x.x
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 300
> !
> crypto ipsec transform-set PAC1 esp-des esp-md5-hmac
> crypto ipsec transform-set PAC2 esp-3des esp-md5-hmac
> crypto ipsec transform-set PAC3 esp-3des esp-md5-hmac
> crypto ipsec transform-set PAC4 esp-3des esp-md5-hmac
> !
> crypto dynamic-map MAP 10
>  set transform-set PAC4
>  match address PAC4
> !
> crypto map IMAP 5 ipsec-isakmp dynamic MAP
> crypto map IMAP 6 ipsec-isakmp
>  set peer 97.12.118.X
>  set transform-set PAC1
>  match address PAC1
> crypto map IMAP 7 ipsec-isakmp
>  set peer 217.218.185.x
>  set transform-set PAC2
>  match address PAC2
> crypto map IMAP 8 ipsec-isakmp
>  set peer 62.249.x.x
>  set transform-set PAC3
>  match address PAC3
> !
> interface GigabitEthernet0/0
>  description Network
>  ip address 172.20.20.1 255.255.255.0
> interface GigabitEthernet0/1
>  description ISP
>  ip address 217.90.12.x 255.255.255.248
>  crypto map IMAP
> !
> router eigrp 2
>  network 172.20.20.1 0.0.0.0
>  no auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 217.90.12.x
> ip route 172.20.245.1 255.255.255.255 217.90.12.x
> !
> ip access-list extended PAC4
>  permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
>  permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
> Thanks
> A Khan
>
> On Thu, Nov 24, 2011 at 2:15 PM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
> Hi Arbaaz.
>
> What exactly is the problem? Does the connection progress
> from phase 1 to phase 2?
> Any debug outputs?
> Better post at least the config of site B to have a full
> picture of both ends.
>
> Cheers,
> A.
>
>
>
> On 11/24/2011 9:03 PM, Arbaaz Khan wrote:
>> Hi Experts
>> I have a simple VPN setup but have a problem getting the tunnel up with a dynamic IP.
>> Any input is appreciated.
>> To simplify the setup I labelled the sites A, B and C. Here are the details
>> and my configuration.
>>
>>
>> Site-A connects to Site-C [ Firewall-to-Router Static-to-Dynamic IPSec with
>> NAT ]
>> Site-B connects to Site-C [ Router-to-Router Static-to-Dynamic IPSec with
>> NAT ]
>>
>> Site-A terminates the VPN on Pix 525
>> Site-B terminates the VPN on IOS Router with static Public IP
>> site-C terminates the VPN on IOS Router with Dynamic Public IP
>> Site A - 217.18.1.x
>> Site B - 217.90.12.x
>> Site C - 0.0.0.0 [ Dynamic IP ]
>>
>>
>> %%%%%%%%%%%%%%%%%%%%%
>> Site-C configuration
>> %%%%%%%%%%%%%%%%%%%%%
>>
>> crypto isakmp policy 10
>>  hash md5
>>  authentication pre-share
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>> !
>> crypto isakmp key cisco address 217.18.1.X
>> crypto isakmp key cisco address 217.90.12.X
>> crypto isakmp keepalive 300
>> !
>> crypto ipsec transform-set trans1 esp-des esp-md5-hmac
>> crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>>  set peer 217.18.1.X
>>  set transform-set trans1
>>  match address FL1
>> ! second entry: distinct sequence number (two entries cannot both be CMAP 10)
>> crypto map CMAP 20 ipsec-isakmp
>>  set peer 217.90.12.X
>>  set transform-set trans2
>>  match address GW1
>>
>>
>>
>> interface Ethernet0
>>  ip address 172.20.245.1 255.255.255.0
>>  ip nat inside
>>  ip virtual-reassembly
>>  ip tcp adjust-mss 1300
>>  hold-queue 100 out
>> !
>> interface Ethernet2
>>  no ip address
>>  pppoe enable
>>  pppoe-client dial-pool-number 1
>>  hold-queue 100 out
>> !
>> interface ATM0
>>  bandwidth 4160
>>  no ip address
>>  load-interval 30
>>  shutdown
>>  no atm ilmi-keepalive
>>  dsl operating-mode auto
>>  pvc 0/50
>>   encapsulation aal5mux ppp dialer
>>   dialer pool-member 1
>> !
>> interface Dialer0
>>  bandwidth 4160
>>  ip address negotiated
>>  ip mtu 1492
>>  ip nat outside
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  no ip mroute-cache
>>  dialer pool 1
>>  dialer-group 1
>>  no cdp enable
>>  ppp authentication pap callin
>>  ppp chap refuse
>>  ppp pap sent-username cisco password 7 cisco
>>  ppp ipcp address accept
>>  crypto map CMAP
>> !
>> ip route 0.0.0.0 0.0.0.0 Dialer0
>> !
>> ip nat source list INTERNET interface Dialer0 overload
>> !
>> ip access-list extended INTERNET
>>  deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>>  deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>>  deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>>  deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>>  permit ip 172.20.245.0 0.0.0.255 any
>> !
>> ip access-list extended FL1
>>  permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>>  permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>> !
>> ip access-list extended GW1
>>  permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>>  permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> I have no problems with the tunnel between Site-A and Site-C.
>>
>> Thanks
>> A Khan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Nov 25 2011 - 18:29:12 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
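An added example, not code from the thread or from any of its participants: a small Python linter for the kind of IOS crypto extract posted above. It catches the defects this discussion turns on and that IOS does not report when a config is pasted into a mail: a crypto map entry whose transform-set or match ACL is not defined (a misspelled keyword such as `transforim-set` simply leaves the setting empty), two entries of one crypto map sharing a sequence number (the second block only edits the first), and a NAT ACL that still translates traffic a crypto ACL is supposed to encrypt, which is the NAT exemption question raised in the thread. The sample config is constructed, modelled on the Site-C extract with RFC 5737 peer addresses. Assumptions: ACL address specs are `any`, `host A` or `A WILDCARD`; the NAT check only looks for full containment between a NAT ACL line and a crypto ACL line, partial overlaps are not analysed; anything the parser does not recognise is ignored.

```python
"""Lint a Cisco IOS IPsec/ISAKMP config extract (added example, not code from the thread).
Flags an undefined transform-set or match ACL, two crypto map entries sharing a sequence
number (the second block only edits the first) and NAT that translates crypto-ACL traffic."""
import ipaddress
import re

ANY = (0, 0xFFFFFFFF)  # 'any' == 0.0.0.0 wildcard 255.255.255.255

def _addr_spec(tok, i):
    """Parse one ACL address spec at tok[i] ('any', 'host A' or 'A WILDCARD') -> (addr, wc), next."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def covers(outer, inner):  # True if wildcard range `outer` contains every address of `inner`
    (a1, w1), (a2, w2) = outer, inner
    return (w2 & ~w1) == 0 and (a1 & ~w1) == (a2 & ~w1)

def parse_ios(text):  # collect transform-sets, crypto map entries, extended ACLs, NAT ACL names
    cfg = {"transform_sets": set(), "acls": {}, "map_entries": [], "nat_acls": []}
    ctx = None  # crypto map entry (dict) or ACL name (str) currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"].add(tok[3])
            ctx = None
        elif m := re.match(r"crypto (map|dynamic-map) (\S+) (\d+)(?: ipsec-isakmp)?(?: dynamic (\S+))?$", line):
            ctx = {"kind": m[1], "name": m[2], "seq": int(m[3]), "dynamic": m[4], "transform_set": None, "acl": None}
            cfg["map_entries"].append(ctx)
        elif line.startswith("ip access-list extended "):
            ctx = tok[3]
            cfg["acls"].setdefault(ctx, [])
        elif m := re.match(r"ip nat (?:inside )?source list (\S+)", line):
            cfg["nat_acls"].append(m[1])  # classic 'inside source' and NVI 'source' forms
            ctx = None
        elif isinstance(ctx, dict) and tok[0] in ("set", "match"):
            if tok[1] == "transform-set":
                ctx["transform_set"] = tok[2]
            elif tok[1] == "address":
                ctx["acl"] = tok[2]  # a misspelled keyword falls through and stays unset
        elif isinstance(ctx, str) and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, i = _addr_spec(tok, 2)
            dst, _ = _addr_spec(tok, i)
            cfg["acls"][ctx].append((tok[0], src, dst, line))
        else:
            ctx = None  # any other line ends the block being read
    return cfg

def check_config(cfg):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings, seen = [], set()
    for e in cfg["map_entries"]:
        tag, key = f"crypto {e['kind']} {e['name']} {e['seq']}", (e["kind"], e["name"], e["seq"])
        if key in seen:
            findings.append(f"{tag}: duplicate sequence number; the second block edits the first entry")
        seen.add(key)
        if e["dynamic"]:
            continue  # reference to a dynamic map, nothing to validate here
        if e["transform_set"] not in cfg["transform_sets"]:
            findings.append(f"{tag}: transform-set {e['transform_set']} is not defined (misspelled keyword?)")
        if e["acl"] not in cfg["acls"]:
            findings.append(f"{tag}: match address {e['acl']} is not defined")
    # NAT exemption: the first NAT line fully covering a crypto-ACL flow must be a deny (partial overlaps not analysed)
    for nat_acl in cfg["nat_acls"]:
        nat = cfg["acls"].get(nat_acl, [])
        for e in cfg["map_entries"]:
            for action, src, dst, text in cfg["acls"].get(e["acl"], []):
                hit = next((a for a, s, d, _ in nat if covers(s, src) and covers(d, dst)), None)
                if action == "permit" and hit == "permit":
                    findings.append(f"NAT ACL {nat_acl} translates '{text}' (crypto ACL {e['acl']}) "
                                    f"before it can be encrypted; add a deny above the permit")
    return findings

# Constructed sample modelled on the Site-C extract; peers are RFC 5737 documentation addresses.
SAMPLE = """\
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set trans1
 match address FL1
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transforim-set trans2
 match address GW1
ip nat inside source list INTERNET interface Dialer0 overload
ip access-list extended INTERNET
 deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
 permit ip 172.20.245.0 0.0.0.255 any
ip access-list extended FL1
 permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
ip access-list extended GW1
 permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
"""
```

`check_config(parse_ios(SAMPLE))` returns three findings for the sample: the duplicated `CMAP 10`, the entry with no usable transform-set, and the GW1 flow that the `INTERNET` ACL translates because its deny is missing; fixing those three things makes the list empty. The same functions accept a dynamic-map and the `crypto map ... dynamic` reference used on Site-B, so the tool can be pointed at both ends of a tunnel.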