VPN with DMZ IP address NATed to LAN IP address!!! route-map!!!

Discussion in 'Cisco' started by examples20001@gmail.com, Feb 7, 2006.

  1. Guest

    Hi All,
    My H.O and B.O have a VPN connection between H.O 172.29.150.0/24 and B.O
    172.29.8.0/24.
    My B.O has got a DMZ segment 192.168.0.1/24. The DMZ web & mail server is
    accessible from the Internet and the server IP address 192.168.0.10 is NATed
    with a global IP address.
    The server 192.168.0.10 in the B.O DMZ needs to be accessed from H.O and
    vice-versa. But we don't want another tunnel between the B.O DMZ and H.O,
    i.e. the H.O rule is that VPN will only be configured between H.O
    LAN (172.29.150.0/24) and B.O LAN (172.29.8.0/24), and VPN is working OK
    between these segments. But there is a requirement for accessing the B.O
    DMZ server from H.O.
    So is it possible to set up another NAT with a route-map for DMZ server
    address 192.168.0.10 with a B.O LAN IP address (ex: 172.29.8.180) like below?
    Is the below config correct? If not, how do I configure it? Can somebody
    help on it please.

    !
    ip cef
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXXXXXXXX address P.Q.R.28 255.255.255.240 no-xauth
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 30 periodic
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set HOset esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    !
    crypto map SDM_CMAP_1 local-address Loopback1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    set peer P.Q.R.28
    set transform-set HOset
    match address 103
    !
    interface Loopback0
    ip address A.B.C.22 255.255.255.255
    !
    interface Loopback1
    ip address A.B.C.23 255.255.255.255
    !
    interface FastEthernet0/0
    description Interface Inside$FW_INSIDE$
    ip address 172.29.8.100 255.255.255.0
    ip access-group 110 in
    ip inspect DEFAULT100 in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description Interface Outside$FW_OUTSIDE$
    ip address 192.168.11.2 255.255.255.0
    ip access-group 102 in
    ip inspect DEFAULT100 in
    ip nat outside
    ip virtual-reassembly
    speed 10
    full-duplex
    crypto map SDM_CMAP_1
    !
    interface Vlan1
    description Interface DMZ$FW_DMZ$
    ip address 192.168.0.1 255.255.255.0
    ip access-group 111 in
    ip inspect DEFAULT100 in
    ip nat inside
    ip virtual-reassembly
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.11.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
    ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload   <<======= NAT for LAN side PCs to access the Internet
    ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable no-alias   <<======= NAT for Internet side PCs to access the DMZ server
    ip nat inside source static 192.168.0.10 172.29.8.180 route-map VPN-DMZ-LAN extendable no-alias   <<======= NAT for VPN/LAN side PCs to access the DMZ server
    !
    access-list 102 remark IPSec Rule
    access-list 102 permit icmp any any log
    access-list 102 permit ip 172.29.150.0 0.0.0.255 172.29.8.0 0.0.0.255
    access-list 102 permit ip any host A.B.C.22
    access-list 102 permit ip any host A.B.C.23
    access-list 102 permit udp host P.Q.R.28 host A.B.C.23 eq non500-isakmp
    access-list 102 permit udp host P.Q.R.28 host A.B.C.23 eq isakmp
    access-list 102 permit esp host P.Q.R.28 host A.B.C.23
    access-list 102 permit ahp host P.Q.R.28 host A.B.C.23
    access-list 102 permit icmp any host A.B.C.23 log
    access-list 102 deny ip any any log
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule -
    access-list 103 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    access-list 104 remark SDM_ACL Category=2
    access-list 104 remark IPSec Rule -
    access-list 104 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    access-list 104 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255
    access-list 104 permit ip 192.168.0.0 0.0.0.255 any
    access-list 104 permit ip 172.29.8.0 0.0.0.255 any
    access-list 110 remark SDM_ACL Category=17
    access-list 110 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq www
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 443
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 eq 12345 host 192.168.0.10
    access-list 110 permit icmp host 172.29.8.100 any log
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq domain
    access-list 110 permit udp 172.29.8.0 0.0.0.255 any eq domain
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq smtp
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq pop3
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq ftp
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq www
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 any eq 443
    access-list 110 permit icmp 172.29.8.0 0.0.0.255 host 192.168.0.10
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 135
    access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 135
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 137
    access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-ns
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 138
    access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-dgm
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 139
    access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq netbios-ss
    access-list 110 permit tcp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 445
    access-list 110 permit udp 172.29.8.0 0.0.0.255 host 192.168.0.10 eq 445
    access-list 110 permit ip host 172.29.8.22 any
    access-list 110 deny ip any any log
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 12345
    access-list 111 permit icmp host 192.168.0.10 172.29.8.0 0.0.0.255
    access-list 111 permit udp 192.168.0.0 0.0.0.255 any eq domain
    access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq www
    access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq 443
    access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
    access-list 111 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 135
    access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 135
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 137
    access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-ns
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 138
    access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-dgm
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 139
    access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq netbios-ss
    access-list 111 permit tcp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 445
    access-list 111 permit udp host 192.168.0.10 172.29.8.0 0.0.0.255 eq 445
    access-list 111 deny ip any any log
    access-list 115 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    route-map SDM_RMAP_1 permit 1
    match ip address 104
    !
    route-map VPN-DMZ-LAN permit 1
    match ip address 115
    !
    end
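As an added illustration (not part of the post), a small Python model of the inside-to-outside path this config relies on: the route-map NAT rules are tried with their ACLs against the pre-translation packet, and crypto ACL 103 is then checked against the translated packet, which is what would let the DMZ host reach 172.29.150.0/24 inside the existing LAN-to-LAN tunnel without a second one. ACL_115_HOST is a hypothetical variant for comparison, not from the post; the placeholder globals A.B.C.24 and pool-1 are kept as strings that never match an address ACL.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit position."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """Extended ACL as (action, src, src_wc, dst, dst_wc) tuples: first match wins, implicit deny."""
    try:
        ipaddress.IPv4Address(src)
    except ValueError:          # placeholder globals (A.B.C.24, pool-1) never match an address ACL
        return False
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

# ACLs transcribed from the posted config; the 'any' keyword is 0.0.0.0 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")
ACL_103 = [("permit", "172.29.8.0", "0.0.0.255", "172.29.150.0", "0.0.0.255")]  # crypto map match
ACL_104 = [("deny", "172.29.8.0", "0.0.0.255", "172.29.150.0", "0.0.0.255"),
           ("deny", "192.168.0.0", "0.0.0.255", "172.29.150.0", "0.0.0.255"),
           ("permit", "192.168.0.0", "0.0.0.255", *ANY),
           ("permit", "172.29.8.0", "0.0.0.255", *ANY)]                          # route-map SDM_RMAP_1
ACL_115_POSTED = [("permit", "172.29.8.0", "0.0.0.255", "172.29.150.0", "0.0.0.255")]
# Hypothetical variant (not from the post): match the DMZ host's pre-translation source instead
ACL_115_HOST = [("permit", "192.168.0.10", "0.0.0.0", "172.29.150.0", "0.0.0.255")]

def inside_to_outside(src, dst, acl_115):
    """Inside->outside order of operations: NAT (static rules before dynamic), then the crypto map.
    Route-map ACLs are matched on the pre-translation packet, crypto ACL 103 on the translated one."""
    if src == "192.168.0.10" and acl_permits(ACL_104, src, dst):
        new_src = "A.B.C.24"        # static to the Internet global, route-map SDM_RMAP_1
    elif src == "192.168.0.10" and acl_permits(acl_115, src, dst):
        new_src = "172.29.8.180"    # static to the LAN address, route-map VPN-DMZ-LAN
    elif acl_permits(ACL_104, src, dst):
        new_src = "pool-1"          # dynamic overload for ordinary LAN/DMZ Internet traffic
    else:
        new_src = src               # no translation rule matched: packet leaves untranslated
    return new_src, acl_permits(ACL_103, new_src, dst)   # (source on the wire, encrypted?)

if __name__ == "__main__":
    for src, dst, acl in [("192.168.0.10", "172.29.150.5", ACL_115_POSTED),
                          ("192.168.0.10", "172.29.150.5", ACL_115_HOST),
                          ("172.29.8.20", "172.29.150.5", ACL_115_POSTED),
                          ("192.168.0.10", "203.0.113.9", ACL_115_POSTED)]:
        print(src, "->", dst, "leaves as", *inside_to_outside(src, dst, acl))
```

With the posted ACL 115, a DMZ-to-H.O packet is left untranslated and never selected by crypto ACL 103; with the host-matching variant it leaves as 172.29.8.180 and is encrypted inside the existing tunnel.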
     