Velocity Reviews


examples20001@gmail.com 02-07-2006 04:05 PM

VPN with DMZ IP address NATed to LAN IP address!!! route-map!!!
 
Hi All,
My H.O and B.O have a VPN connection between H.O 172.29.150.0/24 and B.O
172.29.8.0/24.
My B.O has got a DMZ segment 192.168.0.1/24. The DMZ web & mail server is
accessible from the Internet and the server IP address 192.168.0.10 is NATed
with a global IP address.
The server 192.168.0.10 in the B.O DMZ needs to be accessed from H.O and
vice versa. But we don't want another tunnel between the B.O DMZ and H.O,
i.e. the H.O rule is that the VPN will only be configured between the H.O
LAN (172.29.150.0/24) and the B.O LAN (172.29.8.0/24), and the VPN is working OK
between these segments. But there is a requirement for accessing the B.O
DMZ server from H.O.
So is it possible to set up another NAT with a route-map for the DMZ server
address 192.168.0.10 with a B.O LAN IP address (ex: 172.29.8.180) like below?
Is the below config correct? If not, how should it be configured? Can somebody
help on it please.

!
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXX address P.Q.R.28 255.255.255.240 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HOset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 local-address Loopback1
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer P.Q.R.28
set transform-set HOset
match address 103
!
interface Loopback0
ip address A.B.C.22 255.255.255.255
!
interface Loopback1
ip address A.B.C.23 255.255.255.255
!
interface FastEthernet0/0
description Interface Inside$FW_INSIDE$
ip address 172.29.8.100 255.255.255.0
ip access-group 110 in
ip inspect DEFAULT100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Interface Outside$FW_OUTSIDE$
ip address 192.168.11.2 255.255.255.0
ip access-group 102 in
ip inspect DEFAULT100 in
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
crypto map SDM_CMAP_1
!
interface Vlan1
description Interface DMZ$FW_DMZ$
ip address 192.168.0.1 255.255.255.0
ip access-group 111 in
ip inspect DEFAULT100 in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip http server
ip http authentication local
ip http secure-server
ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
! NAT for LAN-side PCs to access the Internet
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload
! NAT for Internet-side PCs to access the DMZ server
ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable no-alias
! NAT for VPN/LAN-side PCs to access the DMZ server
ip nat inside source static 192.168.0.10 172.29.8.180 route-map VPN-DMZ-LAN extendable no-alias
!
access-list 102 remark IPSec Rule
access-list 102 permit icmp any any log
access-list 102 permit ip 172.29.150.0 0.0.0.255 172.29.8.0 0.0.0.255
access-list 102 permit ip any host A.B.C.22
access-list 102 permit ip any host A.B.C.23
access-list 102 permit udp host P.Q.R.28 host A.B.C.23 eq non500-isakmp
access-list 102 permit udp host P.Q.R.28 host A.B.C.23 eq isakmp
access-list 102 permit esp host P.Q.R.28 host A.B.C.23
access-list 102 permit ahp host P.Q.R.28 host A.B.C.23
access-list 102 permit icmp any host A.B.C.23 log
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule -
access-list 103 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule -
access-list 104 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 104 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 172.29.8.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=17
access-list 110 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq www
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 443
access-list 110 permit tcp 172.29.8.0 0.0.0.255 eq 12345 host 192.168.0.10
access-list 110 permit icmp host 172.29.8.100 any log
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq domain
access-list 110 permit udp 172.29.8.0 0.0.0.255 any eq domain
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq pop3
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq ftp
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq www
access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq 443
access-list 110 permit icmp 172.29.8.0 0.0.0.255 host 192.168.0.10
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 135
access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 135
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 137
access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-ns
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 138
access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-dgm
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 139
access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-ss
access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 445
access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 445
access-list 110 permit ip host 172.29.8.22 any
access-list 110 deny ip any any log
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 12345
access-list 111 permit icmp host 192.168.0.10 172.29.8.0 0.0.0.255
access-list 111 permit udp 192.168.0.0 0.0.0.255 any eq domain
access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 135
access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 135
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 137
access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-ns
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 138
access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-dgm
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 139
access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-ss
access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 445
access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 445
access-list 111 deny ip any any log
access-list 115 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 104
!
route-map VPN-DMZ-LAN permit 1
match ip address 115
!
end
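Added worked example (not part of the post): a small Python model of how the posted B.O. router would pick a source translation for a packet leaving the DMZ, using the post's ACLs 103, 104 and 115 and its two static entries for 192.168.0.10. It relies on two IOS facts: the ACL behind an `ip nat inside source ... route-map` is checked against the untranslated inside packet, and inside-to-outside NAT runs before the crypto map decides whether to encrypt. `ACL_115_FIXED`, the 203.0.113.x stand-ins for the post's A.B.C.x addresses and the sample destinations are assumptions constructed for the example.

```python
import ipaddress

def _match(addr, spec):
    """Match one address against an IOS ACL operand: 'any', 'host X', or 'NET WILDCARD'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wildcard = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)          # wildcard bits set to 1 are "don't care"

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    for action, s, d in acl:
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

# ACLs as posted (all entries used here are 'ip', so the protocol is omitted).
ACL_103 = [("permit", "172.29.8.0 0.0.0.255", "172.29.150.0 0.0.0.255")]   # crypto ACL
ACL_104 = [("deny", "172.29.8.0 0.0.0.255", "172.29.150.0 0.0.0.255"),
           ("deny", "192.168.0.0 0.0.0.255", "172.29.150.0 0.0.0.255"),
           ("permit", "192.168.0.0 0.0.0.255", "any"),
           ("permit", "172.29.8.0 0.0.0.255", "any")]
ACL_115_POSTED = [("permit", "172.29.8.0 0.0.0.255", "172.29.150.0 0.0.0.255")]
# Assumed correction: match the DMZ server itself, the way the packet is seen on Vlan1.
ACL_115_FIXED = [("permit", "host 192.168.0.10", "172.29.150.0 0.0.0.255")]
INTERNET_GLOBAL = "203.0.113.24"   # constructed stand-in for the post's A.B.C.24
POOL_FIRST = "203.0.113.20"        # constructed stand-in for the first pool-1 address

def nat_source(src, dst, acl_115):
    """Return (source address after NAT, whether crypto ACL 103 then matches it)."""
    new_src = src
    if src == "192.168.0.10":
        # Both static entries are for this host; the first whose route-map ACL
        # permits the untranslated packet wins (config order from the post).
        for global_addr, rm_acl in ((INTERNET_GLOBAL, ACL_104), ("172.29.8.180", acl_115)):
            if acl_permits(rm_acl, src, dst):
                new_src = global_addr
                break
    elif acl_permits(ACL_104, src, dst):
        new_src = POOL_FIRST         # dynamic PAT via route-map SDM_RMAP_1
    # The crypto map on Fa0/1 evaluates the already-translated packet.
    return new_src, acl_permits(ACL_103, new_src, dst)
```

With ACL 115 as posted, a packet from 192.168.0.10 toward 172.29.150.0/24 matches neither route-map, leaves untranslated and never matches the crypto ACL; with the source corrected to the server's own address it is translated to 172.29.8.180 and falls inside the existing tunnel's crypto ACL.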
