Cisco 837: VPN, static routing, multiple addresses

Discussion in 'Cisco' started by Alistair Young, Oct 11, 2004.

  1. A bit of a puzzler here, at least for me - I've been banging my head
    against this one for four days or so, now, and haven't found the answer
    on the support site, I suspect I might just have blown past my level of
    Cisco competence and don't know where to look to find the answer...

    The situation:

    I have two 800-series routers at two sites (one's an 828 hooked up to an
    SDSL line in London, the other's an 837 hooked to an ADSL line up in NE
    England). Both of these work happily for their original purpose,
    providing an Internet connection to their sites.

    Then I got a new requirement: I need to set up a VPN tunnel between
    these two sites using the hardware I've got (replacing the routers not
    being an option). Fine, think I, I should just be able to hook the
    internal network at each side up to the 8XXs, add a secondary address on
    the internal network to the Ethernet0 interface on each, set up a tunnel
    between them, and that should all work.

    (As no private-numbered packets should make it to them from the
    Internet, nor Internet-destined packets be sent there from inside, this
    shouldn't cause a security issue, I figure, and I'll add access-lists on
    the routers to make certain of this when I'm done. Perhaps not optimal,
    but it will meet the requirements.)

    Problem is, it doesn't.

    I've got the tunnel set up between the 828 and the 837, and that works
    fine. Then, I've added the secondary addresses for the Ethernet0
    interfaces, and tested that I can ping those, each from the other, and
    that also works.

    But what I can't do is ping any of the addresses on one internal network
    from the other (or rather, from the other's router). In fact, it seems
    that I can't ping the internal network from the router by default at all:

    <elided>#ping 192.168.188.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.188.2, timeout is 2 seconds:
    ......
    Success rate is 0 percent (0/5)

    unless I explicitly tell the router to use the secondary address of that
    interface as the source address:

    <elided>#ping
    Protocol [ip]:
    Target IP address: 192.168.188.2
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.188.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.188.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.188.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

    which leads me to suspect that by default, all the packets are going out
    with the source address set to the primary address of the interface? I
    *think* this is where my problem lies, but I haven't been able to find a
    way to change the source-address of packets destined for the
    192.168.188.0/24 network. (That said, I'm quite prepared to believe that
    I'm way off-track, here.)

    Anyway, my configuration (this is from the 828 - the local network at
    this side is 192.168.188.0/24; at the other end of the tunnel is
    192.168.217.0/24):

    Current configuration : 2956 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime
    service password-encryption
    !
    hostname <elided>
    !
    logging buffered 16384 informational
    logging rate-limit 30 except warnings
    enable secret 5 <elided>
    !
    username root password 7 <elided>
    clock timezone utc 0
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip tftp source-interface Ethernet0
    no ip domain lookup
    ip domain name <elided>.co.uk
    !
    !
    ip cef
    !
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 0 <elided> address 83.148.130.225 no-xauth
    !
    !
    crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
    mode transport
    !
    crypto map TUNNELMAP 10 ipsec-isakmp
    set peer 83.148.130.225
    set transform-set TUNNEL-TRANSFORM
    match address 116
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface Tunnel0
    ip address 10.0.0.1 255.255.255.252
    keepalive 10 3
    tunnel source 82.151.255.57
    tunnel destination 83.148.130.225
    !
    interface Ethernet0
    description LAN ethernet connection
    ip address 192.168.188.1 255.255.255.0 secondary
    ip address 82.151.255.57 255.255.255.248
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl equipment-type CPE
    dsl operating-mode GSHDSL symmetric annex B
    dsl linerate AUTO
    !
    interface Dialer1
    description SDSL link
    mtu 1458
    bandwidth 1152
    ip unnumbered Ethernet0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 2147483
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname <elided>
    ppp chap password 7 <elided>
    crypto map TUNNELMAP
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.217.0 255.255.255.0 10.0.0.2
    no ip http server
    ip http access-class 75
    no ip http secure-server
    !
    access-list 75 permit 82.151.255.58 log
    access-list 75 permit 83.148.130.74 log
    access-list 75 permit 192.168.188.2 log
    access-list 75 remark access to router vtys
    access-list 75 deny any log
    access-list 116 permit gre host 82.151.255.57 host 83.148.130.225
    dialer-list 1 protocol ip permit
    no cdp run
    banner exec ^C
    Welcome, you have connected to router $(hostname).$(domain)
    on line $(line).
    ^C
    banner login ^C
    Warning: This is a secure system. Do not log in without proper
    authorisation.
    ^C
    alias exec sdsl show dsl interface atm 0
    alias exec satm show atm traffic
    !
    line con 0
    exec-timeout 120 0
    transport preferred none
    stopbits 1
    line vty 0 4
    access-class 75 in
    exec-timeout 120 0
    length 0
    transport preferred none
    transport input telnet
    !
    scheduler max-task-time 5000
    !
    end

    Any suggestions as to how I can make this work - or suggestions as to
    better approaches - would be *most* gratefully appreciated!

    Many thanks in advance,

    Alistair
     
    Alistair Young, Oct 11, 2004
    #1

  2. AnyBody43 (Guest)

    Alistair Young <> wrote in message news:<>...
    > A bit of a puzzler here, at least for me - I've been banging my head
    > against this one for four days or so, now, and haven't found the answer
    > on the support site, I suspect I might just have blown past my level of
    > Cisco competence and don't know where to look to find the answer...


    Your approach is not one that I have seen, but that doesn't mean
    that it is incorrect or won't work.

    What we do is:-

    Private address on inside interface.
    Public address on Dialer. (usually a subnet)

    IPSEC vpn Private address to Private address. (peer statement).
    Static NAT additional outside address to inside as required.

    We have no Tunnel interface. The encrypted traffic magically gets
    sent to the appropriate peer.

    You will need access lists to encrypt what you want to, and to
    NAT what you want to (i.e. don't NAT the traffic destined for
    crypto).

    If you ask I will sanitise one of our configs and post it, but
    I don't have time right now.
     
    AnyBody43, Oct 12, 2004
    #2

  3. Ana (Guest)

    Keep it simple and still secure:
    -no gre tunneling needed
    -no nat needed

    Try the following modifications to your routers


    no interface Tunnel0
    interface Ethernet0
    ip address 192.168.188.1 255.255.255.0
    interface Dialer1
    ip address 82.151.255.57 255.255.255.248
    no ip route 192.168.217.0 255.255.255.0 10.0.0.2
    access-list 116 permit ip 192.168.188.0 0.0.0.255 192.168.217.0 0.0.0.255
     
    Ana, Oct 13, 2004
    #3
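Putting AnyBody43's approach (private address on the inside interface, public address on the Dialer, IPsec between the two LANs, no NAT for the crypto traffic) and Ana's modifications together, here is a complete worked configuration for the 828 side. This is an added example, not a config posted in the thread; the 837 side mirrors it with the subnets and peer addresses swapped. The addresses are the ones the original post uses; the pre-shared key placeholder, the ACL names VPN-TRAFFIC and NAT-TRAFFIC, and the spare public address 82.151.255.59 used for the optional static NAT are assumptions. Two points go beyond the lines Ana listed: the transform set is put in tunnel mode (transport mode only works when the IPsec peers are themselves the packet endpoints, which was true for the GRE tunnel but is not for LAN-to-LAN traffic), and the crypto ACL uses wildcard masks (0.0.0.255), which is what IOS access lists expect.

```cisco
! 828 (London) side. Added example; addresses from the thread, names and
! the spare public address 82.151.255.59 are assumptions.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 <pre-shared-key> address 83.148.130.225 no-xauth
!
! ESP with SHA-HMAC already gives integrity, so AH is not needed.
! Tunnel mode (the default) is required for LAN-to-LAN selectors.
crypto ipsec transform-set TUNNEL-TRANSFORM esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: what gets encrypted. Wildcard masks, not subnet masks.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.188.0 0.0.0.255 192.168.217.0 0.0.0.255
!
! NAT ACL: the deny for the VPN traffic must come first, otherwise the
! source is translated to the Dialer address before the crypto map sees
! the packet and it no longer matches VPN-TRAFFIC.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.188.0 0.0.0.255 192.168.217.0 0.0.0.255
 permit ip 192.168.188.0 0.0.0.255 any
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 83.148.130.225
 set transform-set TUNNEL-TRANSFORM
 match address VPN-TRAFFIC
!
interface Ethernet0
 description LAN ethernet connection (private addressing only)
 ip address 192.168.188.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description SDSL link
 ip address 82.151.255.57 255.255.255.248
 ip nat outside
 crypto map TUNNELMAP
!
! Internet access for the LAN: overload on the Dialer address.
ip nat inside source list NAT-TRAFFIC interface Dialer1 overload
! Optional one-to-one mapping of a spare public address to an inside host
! (AnyBody43's "static NAT additional outside address to inside").
ip nat inside source static 192.168.188.2 82.151.255.59
!
! The default route carries the 192.168.217.0/24 traffic to Dialer1, where
! the crypto map selects and encrypts it; no static route via a tunnel
! address is needed.
ip route 0.0.0.0 0.0.0.0 Dialer1
```

To bring the security association up and test it, use the extended ping with a source address of 192.168.188.1 exactly as the original post did: a ping originated by the router is sourced from the outgoing interface's address unless told otherwise, so a plain ping from the Dialer address does not match VPN-TRAFFIC and is sent in the clear to the Internet instead. Then check `show crypto isakmp sa` for a state of QM_IDLE and `show crypto ipsec sa` for rising "#pkts encaps" and "#pkts decaps" counters on both routers. The 837 end needs the same NAT exemption; if either side translates the LAN-to-LAN traffic, the packets leave unencrypted.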