Cisco 1700 Series IPSEC VPN

Discussion in 'Cisco' started by John, Jan 25, 2004.

  1. John

    John Guest

    I'm trying to establish my first IPSEC VPN between two Cisco 1721
    routers with IOS 12.3. I'm pretty green at this so have read numerous
    articles on the process and am struggling to find some consistent
    facts. My current (not working) configuration of one of the routers
    is below. The other is almost identical in the VPN setup (obviously
    with different IPs). I think my problem is with the ACLs. If I
    remove the ACL 101 deny line (see below), I lose access to the router
    from its WAN port (serial0), I can't even ping it! The other thing
    I'm unsure about is the need of a loopback interface. I have static
    port mappings on both routers, do I need a loopback and what should it
    be. I'm drowning, please help!

    Current configuration : 2155 bytes
    !
    version 12.3
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    service linenumber
    service udp-small-servers
    service tcp-small-servers
    service disable-ip-fast-frag
    !
    hostname OldRouter
    !
    boot-start-marker
    boot system flash c1700-k9o3sy7-mz.123-3b.bin
    boot system flash
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable password 7 14111D040E0538
    !
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    no ip ftp passive
    !
    ip cef
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key key1 address 216.107.218.14
    !
    !
    crypto ipsec transform-set to_NewRouter esp-des esp-md5-hmac
    !
    crypto map MYVPN 10 ipsec-isakmp
    set peer 216.107.218.14
    set transform-set to_NewRouter
    match address 101
    !
    !
    !
    !
    interface FastEthernet0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    speed auto
    !
    interface Serial0
    description 83.HCGL.896838-CustSruct-DS1-1 to CLMTNHBR
    ip address 216.107.215.122 255.255.255.252
    ip nat outside
    no fair-queue
    service-module t1 timeslots 1-24
    crypto map MYVPN
    !
    ip nat inside source route-map nonat interface Serial0 overload
    ip nat inside source static tcp 192.168.1.1 25 216.107.215.113 25 extendable
    ip nat inside source static tcp 192.168.1.1 110 216.107.215.113 110 extendable
    ip nat inside source static tcp 192.168.1.1 80 216.107.215.113 80 extendable
    ip nat inside source static tcp 192.168.1.1 3389 216.107.215.113 3389 extendable
    ip nat inside source static tcp 192.168.1.1 443 216.107.215.113 443 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    no ip http server
    no ip http secure-server
    !
    !If I remove this line, I can't ping serial0 from the internet!
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
    match ip address 122
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 10480616071600
    login
    !
    !
    end

    Any help would be greatly appreciated...
    Thanks in advance.
    John, Jan 25, 2004
    #1

  2. Diesel

    Diesel Guest

    : [John's original post and configuration quoted in full; see #1]


    John,

    First of all, you don't need a loopback interface to get this config to work.
    Your acl 101 is needed to specify which packets will be encrypted, modify it
    to:

    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 101 deny ip any any

    then check if your tunnel comes up. (show crypto isakmp sa & show crypto
    ipsec sa)
    Enable ipsec debugging on the router for troubleshooting and check the logs.
    (debug crypto isakmp & debug crypto ipsec) maybe you can send them!

    When the tunnel is up but no data transfer is possible, disable "ip cef" and
    use process switching on the interfaces (no ip route-cache)

    hope it will work.

    bye
    Diesel, Jan 25, 2004
    #2

  3. Hi,

    Try using the security device manager (Cisco SDM) to configure and
    manage your VPN configuration. www.cisco.com/go/sdm.

    Regards,
    Ravikumar

    John wrote:
    > [John's original post and configuration quoted in full; see #1]
    Ravikumar Eswaran, Jan 26, 2004
    #3
  4. "John" <> wrote in message
    news:...
    > with different IPs). I think my problem is with the ACLs. If I
    > remove the ACL 101 deny line (see below), I loose access to the router
    > from it's WAN port (serial0), I can't even ping it! The other thing


    That has happened for me too. You are using the ACL 101 in the
    crypto map. If you remove it, it is an empty acl matching "everything".
    Now your crypto map config says "everything" should be crypted
    traffic.

    Because your administration session (and ping) is not, the traffic is
    dropped. Everything that should have been crypted but was not
    is just quietly dropped. It must be some kind of spoof anyway.
    That's the way it works.

    Nasty, uh?? :) Almost as easy as making a mistake with an inbound
    acl dropping your administrative session. Just a bit nastier to figure
    out why the session dropped when you were modifying the acls.
    --
    Harri
    Harri Suomalainen, Jan 26, 2004
    #4
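    Diesel's reordering of ACL 101 (#2) and Harri's point about an empty crypto ACL (#4) both come down to how IOS classifies each packet against the crypto map and the NAT route-map. The Python model below is an added example, not code from this thread or from Cisco: it simulates first-match wildcard ACL evaluation, the NAT-exemption route-map (ACL 122) and the crypto-map match (ACL 101) using the addresses from John's config. It assumes the IOS inside-to-outside order of operations (NAT is applied before the crypto map is consulted) and, for the empty-ACL case, the match-everything behaviour Harri describes; the hosts 192.168.1.10, 192.168.10.10, 8.8.8.8 and 1.2.3.4 are constructed sample endpoints.

```python
"""Model of how OldRouter classifies traffic (added example, not from the thread).

Assumptions, labelled here as well as in the lead-in:
  * inside-to-outside packets are NATed (route-map nonat / ACL 122) before the
    crypto map (ACL 101) is consulted;
  * a crypto map whose 'match address' ACL has no entries matches everything,
    which is the behaviour Harri describes in the thread.
"""
import ipaddress


def _matches(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def _take_addr(tok, i):
    """Consume one address spec ('any', 'host X', or 'addr wildcard')."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]} 0.0.0.0", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny ip SRC DST' lines, keyed by ACL number."""
    acls: dict = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def evaluate(entries, src, dst) -> str:
    """First matching entry wins; a populated ACL ends in an implicit deny."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def crypto_match(entries, src, dst) -> bool:
    """Crypto-map classification; an empty ACL is treated as match-all (see docstring)."""
    if not entries:
        return True
    return evaluate(entries, src, dst) == "permit"


def outbound(acls, src, dst, wan_addr="216.107.215.122"):
    """Inside-to-outside: NAT decision first, then the crypto map sees the result."""
    natted = evaluate(acls.get("122", []), src, dst) == "permit"
    if natted:
        src = wan_addr  # overloaded onto the Serial0 address
    if crypto_match(acls.get("101", []), src, dst):
        return "encrypt", src
    return ("nat", src) if natted else ("clear", src)


def inbound_cleartext(acls, src, dst) -> str:
    """Cleartext packet arriving on Serial0: if the mirrored crypto ACL says it
    should have come through the tunnel, it is dropped rather than accepted."""
    return "drop" if crypto_match(acls.get("101", []), dst, src) else "accept"


# John's ACLs exactly as posted: the deny line comes first, so nothing is encrypted.
JOHN_CONFIG = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
"""

# Diesel's fix: permit the VPN traffic first, then deny the rest.
DIESEL_FIX = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip any any
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed variant: correct crypto ACL but no NAT exemption in ACL 122.
NO_EXEMPTION = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for name, cfg in (("john", JOHN_CONFIG), ("fix", DIESEL_FIX), ("noexempt", NO_EXEMPTION)):
        acls = parse_acls(cfg)
        print(name, "lan->vpn", outbound(acls, "192.168.1.10", "192.168.10.10"))
        print(name, "lan->inet", outbound(acls, "192.168.1.10", "8.8.8.8"))
    print("empty crypto acl, inbound ping:", inbound_cleartext({}, "1.2.3.4", "216.107.215.122"))
```

    Run it and the first case shows why John's tunnel never comes up: with the `deny ... any` entry first, no packet from 192.168.1.0/24 ever reaches the permit, so nothing is classed as interesting and ISAKMP is never triggered. The NO_EXEMPTION case shows the other half of the pairing Diesel leaves implicit: without the deny in ACL 122, VPN-bound packets are translated to the Serial0 address before the crypto map sees them and no longer match ACL 101, which is the "tunnel up but no data" symptom worth checking before disabling CEF. The last line models Harri's scenario, where an empty crypto ACL makes the router discard its own cleartext management traffic.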
