Velocity Reviews - Computer Hardware Reviews

Cisco 837: VPN, static routing, multiple addresses

Alistair Young
      10-11-2004
A bit of a puzzler here, at least for me - I've been banging my head
against this one for four days or so, now, and haven't found the answer
on the support site, I suspect I might just have blown past my level of
Cisco competence and don't know where to look to find the answer...

The situation:

I have two 800-series routers at two sites (one's an 828 hooked up to an
SDSL line in London, the other's an 837 hooked to an ADSL line up in NE
England). Both of these work happily for their original purpose,
providing an Internet connection to their sites.

Then I got a new requirement; I need to set up a VPN tunnel between
these two sites, using the hardware I've got (replacing the routers) not
being an option. Fine, think I, I should just be able to hook the
internal network at each side up to the 8XXs, add a secondary address on
the internal network to the Ethernet0 interface on each, set up a tunnel
between them, and that should all work.

(As no private-numbered packets should make it to them from the
Internet, nor Internet-destined packets be sent there from inside, this
shouldn't cause a security issue, I figure, and I'll add access-lists on
the routers to make certain of this when I'm done. Perhaps not optimal,
but it will meet the requirements.)

Problem is, it doesn't.

I've got the tunnel set up between the 828 and the 837, and that works
fine. Then, I've added the secondary addresses for the Ethernet0
interfaces, and tested that I can ping those, each from the other, and
that also works.

But what I can't do is ping any of the addresses on one internal network
from the other (or rather, from the other's router). In fact, it seems
that I can't ping the internal network from the router by default at all:

<elided>#ping 192.168.188.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.188.2, timeout is 2 seconds:
......
Success rate is 0 percent (0/5)

unless I explicitly tell the router to use the secondary address of that
interface as the source address:

<elided>#ping
Protocol [ip]:
Target IP address: 192.168.188.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.188.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.188.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.188.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

which leads me to suspect that by default, all the packets are going out
with the source address set to the primary address of the interface? I
*think* this is where my problem lies, but I haven't been able to find a
way to change the source-address of packets destined for the
192.168.188.0/24 network. (That said, I'm quite prepared to believe that
I'm way off-track, here.)

Anyway, my configuration (this is from the 828 - the local network at
this side is 192.168.188.0/24; at the other end of the tunnel is
192.168.217.0/24):

Current configuration : 2956 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname <elided>
!
logging buffered 16384 informational
logging rate-limit 30 except warnings
enable secret 5 <elided>
!
username root password 7 <elided>
clock timezone utc 0
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip source-route
ip tftp source-interface Ethernet0
no ip domain lookup
ip domain name <elided>.co.uk
!
!
ip cef
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 <elided> address 83.148.130.225 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 83.148.130.225
set transform-set TUNNEL-TRANSFORM
match address 116
!
!
!
!
interface Null0
no ip unreachables
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
keepalive 10 3
tunnel source 82.151.255.57
tunnel destination 83.148.130.225
!
interface Ethernet0
description LAN ethernet connection
ip address 192.168.188.1 255.255.255.0 secondary
ip address 82.151.255.57 255.255.255.248
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface Dialer1
description SDSL link
mtu 1458
bandwidth 1152
ip unnumbered Ethernet0
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
dialer pool 1
dialer idle-timeout 2147483
dialer-group 1
ppp authentication chap callin
ppp chap hostname <elided>
ppp chap password 7 <elided>
crypto map TUNNELMAP
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.217.0 255.255.255.0 10.0.0.2
no ip http server
ip http access-class 75
no ip http secure-server
!
access-list 75 permit 82.151.255.58 log
access-list 75 permit 83.148.130.74 log
access-list 75 permit 192.168.188.2 log
access-list 75 remark access to router vtys
access-list 75 deny any log
access-list 116 permit gre host 82.151.255.57 host 83.148.130.225
dialer-list 1 protocol ip permit
no cdp run
banner exec ^C
Welcome, you have connected to router $(hostname).$(domain)
on line $(line).
^C
banner login ^C
Warning: This is a secure system. Do not log in without proper
authorisation.
^C
alias exec sdsl show dsl interface atm 0
alias exec satm show atm traffic
!
line con 0
exec-timeout 120 0
transport preferred none
stopbits 1
line vty 0 4
access-class 75 in
exec-timeout 120 0
length 0
transport preferred none
transport input telnet
!
scheduler max-task-time 5000
!
end

Any suggestions as to how I can make this work - or suggestions as to
better approaches - would be *most* gratefully appreciated!

Many thanks in advance,

Alistair
AnyBody43
      10-12-2004
Alistair Young <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> A bit of a puzzler here, at least for me - I've been banging my head
> against this one for four days or so, now, and haven't found the answer
> on the support site, I suspect I might just have blown past my level of
> Cisco competence and don't know where to look to find the answer...


Your approach is not one that I have seen, but that doesn't mean
that it is incorrect or won't work.

What we do is:-

Private address on inside interface.
Public address on Dialer. (usually a subnet)

IPSEC vpn Private address to Private address. (peer statement).
Static NAT additional outside address to inside as required.

We have no Tunnel interface. The encrypted traffic magically gets
sent to the appropriate peer.

You will need access lists to encrypt what you want to, to
NAT what you want to (i.e. don't NAT the traffic destined for
crypto).

If you ask I will sanitise one of our configs and post it, but
I don't have time right now.
Ana
      10-13-2004
Keep it simple and still secure:
-no gre tunneling needed
-no nat needed

Try the following modifications to your routers


no interface Tunnel0
interface Ethernet0
no ip address 192.168.188.1 255.255.255.0 secondary
ip address 192.168.188.1 255.255.255.0
interface Dialer1
ip address 82.151.255.57 255.255.255.248
no ip route 192.168.217.0 255.255.255.0 10.0.0.2
! extended ACLs take wildcard masks: a /24 is 0.0.0.255, not 255.255.255.0
access-list 116 permit ip 192.168.188.0 0.0.0.255 192.168.217.0 0.0.0.255
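As an added example (not code from any poster in this thread), the following Python checks the two things these replies hinge on: that the crypto ACL on each router is the mirror image of the peer's, and that its entries use IOS wildcard masks rather than subnet masks, since a subnet mask typed into an extended ACL matches far more than the intended /24. The ACL lines are constructed from the networks named in the thread; ACL_837 is the assumed mirror entry for the other router.

```python
import ipaddress
import re

# Constructed sample data (not from either router's real config): the LAN-to-LAN
# crypto ACL proposed for the 828 side and the mirror image the 837 side needs.
ACL_828 = "access-list 116 permit ip 192.168.188.0 0.0.0.255 192.168.217.0 0.0.0.255"
ACL_837 = "access-list 116 permit ip 192.168.217.0 0.0.0.255 192.168.188.0 0.0.0.255"
_ACE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS extended ACLs use wildcard masks (0 bit = must match), so a /24 is
    0.0.0.255.  A subnet mask typed by mistake (255.255.255.0) is not a contiguous
    wildcard and is rejected instead of silently matching 192.*.*.*."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"{wildcard}: not a contiguous wildcard (subnet mask typed instead?)")
    return ipaddress.IPv4Network(f"{addr}/{32 - host_bits}", strict=False)

def parse_ace(line: str):
    """Return (acl_number, src_network, dst_network) for a 'permit ip' entry."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    number, src, src_wc, dst, dst_wc = m.groups()
    return int(number), wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)

def is_mirror(local_ace: str, remote_ace: str) -> bool:
    """Crypto ACLs must be mirror images: local src/dst == remote dst/src."""
    _, lsrc, ldst = parse_ace(local_ace)
    _, rsrc, rdst = parse_ace(remote_ace)
    return lsrc == rdst and ldst == rsrc

def selects_for_encryption(ace: str, src_ip: str, dst_ip: str) -> bool:
    """Would this flow match the crypto map's 'match address' ACL (i.e. be encrypted)?"""
    _, src_net, dst_net = parse_ace(ace)
    return (ipaddress.IPv4Address(src_ip) in src_net
            and ipaddress.IPv4Address(dst_ip) in dst_net)

if __name__ == "__main__":
    print("mirror image:", is_mirror(ACL_828, ACL_837))
    print("LAN->LAN encrypted:", selects_for_encryption(ACL_828, "192.168.188.2", "192.168.217.10"))
    print("LAN->Internet encrypted:", selects_for_encryption(ACL_828, "192.168.188.2", "82.151.255.58"))
```

Traffic the crypto ACL does not select (here, LAN to Internet) leaves the Dialer in the clear and is also what the NAT rules should keep translating, while the selected LAN-to-LAN flows must be exempted from NAT.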