[LONG] VPNClient - NAT - LAN to LAN tunnel

Discussion in 'Cisco' started by AM, Sep 19, 2005.

  1. AM

    AM Guest

    Sorry for the weird subject, but my post involves each issue.

    I have an 837 configured for a LAN to LAN tunnel with my PIX.
    I decided to connect to my 837 via VPNclient. So I set up all the parameters needed. The VPN client connected and connects fine.
    When my target was to connect only to the LAN behind the router everything worked fine.
    Afterwards I wanted to connect to resources behind the PIX also from the VPNclient. I decided so on the basis that the
    router can rotate packets on the same interface, so there are no obstacles from that point of view.

    I created 3 groups for VPNclient

    1) stupid users: they can not surf Internet and can access only 10.168.31.1
    2) normal users: they can not surf Internet and can access all 10.168.31.0/24
    3) power users: they can both access Internet and all 10.168.31.0/24

    the first step was to assign those 3 groups ranges belonging to LAN numbering behind of the router.
    Everything worked fine, but someone told me it is not a good idea because devices behind the router and accessed from the
    VPNclient could search for that VPNclient IP address directly on the LAN without sending packets to the default gateway (the
    router). Access to resources behind the PIX was fine. Packets coming from the VPNclient matched against the 'LAN to LAN tunnel'
    rules.

    On the basis of the warning I moved to other pools for the VPNclient. But that way, packets coming from the client and going
    towards resources behind the PIX are not encrypted, as they didn't match the L2L tunnel.


    Below you can see the real configuration, and under that the changes I would add to permit clients to reach resources behind
    the PIX (I can tell you that those didn't work).

    Finally my configuration is like below:


    -0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname MyRouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 TTTTTTTTTTTTTTTTTTTT
    !
    username MyRouter password 7 TTTTTTTTTTTTTTTTTTT
    clock timezone CET 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip dhcp excluded-address 10.162.31.0 10.162.31.31
    ip dhcp excluded-address 10.162.31.240 10.162.31.254
    ip dhcp excluded-address 10.162.31.232 10.162.31.239
    !
    ip dhcp pool DHCPPoolLAN_0
    network 10.162.31.0 255.255.255.0
    default-router 10.162.31.254
    dns-server 192.168.218.31 192.168.218.19 158.43.240.4 158.43.240.3
    !
    !
    ip domain name DDDDDDDDDDDDDDD
    ip name-server DDDDDDDDDDDDD
    ip name-server DDDDDDDDDDDDD
    ip inspect name ethernetin esmtp timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin cuseeme timeout 3600
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    ip ips po max-events 100
    ip ssh authentication-retries 5
    ip ssh version 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 1200
    !
    crypto isakmp policy 10000
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY address RRRRRRRRR no-xauth
    crypto isakmp invalid-spi-recovery
    !
    crypto isakmp client configuration group FFFFFFFFFFFF-USERS
    key group1
    dns 192.168.218.31 192.168.218.19
    domain DDDDDDDDDDDDDDDd
    pool VPNCLIENT-USERS
    !
    crypto isakmp client configuration group LOC_OP
    key group2
    dns 192.168.218.31 192.168.218.19
    domain DDDDDDDDDDDDDDD
    pool VPNCLIENT-LOC_OP
    !
    crypto isakmp client configuration group HQ_OP
    key group3
    dns 192.168.218.31 192.168.218.19
    domain DDDDDDDDDDDDDDD
    pool VPNCLIENT-HQ_OP
    acl 103
    netmask 255.255.255.254
    !
    crypto ipsec security-association lifetime seconds 1200
    !
    crypto ipsec transform-set headquarter esp-3des esp-md5-hmac
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map mydynmap 10
    set transform-set 3DES-SHA
    reverse-route
    !
    !
    crypto map vpnplusclient client authentication list userauthen
    crypto map vpnplusclient isakmp authorization list groupauthor
    crypto map vpnplusclient client configuration address respond
    crypto map vpnplusclient 10 ipsec-isakmp
    set peer DDDDDDDDDDDDDDD
    set transform-set 3DES-SHA
    set pfs group2
    match address 130
    crypto map vpnplusclient 65535 ipsec-isakmp dynamic mydynmap
    !
    !
    !
    interface Ethernet0
    ip address 10.162.31.254 255.255.255.0
    ip access-group 104 out
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    description OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOo
    ip address negotiated
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname FFFFFFFFFFFFFF
    ppp chap password 7 FFFFFFFFFFFFFFFFFFFF
    ppp pap sent-username FFFFFFFFFFFFFFFFFFFF password 7 FFFFFFFFF
    crypto map vpnplusclient
    !
    ip local pool VPNCLIENT-USERS 192.168.61.232 192.168.61.235
    ip local pool VPNCLIENT-LOC_OP 192.168.61.236 192.168.61.237
    ip local pool VPNCLIENT-HQ_OP 192.168.61.238 192.168.61.239
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    no ip http secure-server
    !
    ip nat translation max-entries 2000
    ip nat pool VPNclient2HQ 10.162.31.232 10.162.31.239 prefix-length 24
    ip nat inside source route-map vpn_2hq interface Dialer0 overload
    !
    !
    ip access-list extended vty-access
    permit tcp 10.162.31.0 0.0.0.255 any eq 22
    permit tcp 10.162.31.0 0.0.0.255 any eq telnet
    permit tcp 192.168.218.0 0.0.0.255 any eq 22
    permit tcp 192.168.218.0 0.0.0.255 any eq telnet
    access-list 10 permit 192.168.218.0 0.0.0.255
    access-list 10 permit 10.162.31.0 0.0.0.255
    access-list 103 permit ip 10.162.31.0 0.0.0.255 192.168.61.238 0.0.0.1
    access-list 104 permit ip 192.168.61.232 0.0.0.3 host 10.162.31.1
    access-list 104 deny ip 192.168.61.232 0.0.0.3 10.162.31.0 0.0.0.255
    access-list 104 permit ip any any
    access-list 130 permit ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255
    access-list 130 permit ip 10.162.31.0 0.0.0.255 host 10.2.1.3
    access-list 130 deny ip any any
    access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255
    access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.61.232 0.0.0.7
    access-list 131 deny ip 10.162.31.0 0.0.0.255 host 10.2.1.3
    access-list 131 permit ip 10.162.31.0 0.0.0.255 any
    no cdp run
    !
    route-map vpn_2hq permit 10
    match ip address 131
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    access-class vty-access in
    exec-timeout 120 0
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end


    -0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0


    access-list 105 permit ip 192.168.61.232 0.0.0.7 192.168.218.0 0.0.0.255
    ip nat outside source list 105 pool client2HQ
    ip nat pool client2HQ 10.162.31.232 10.162.31.239 netmask 255.255.255.248
    ip route 10.162.31.232 255.255.255.248 dialer 0


    I'm really sorry for the very long post, but where am I wrong?
    BTW I don't want to change the L2L rules, as I would standardize all of this for all 837 routers connecting to the PIX. It
    means I should change all 40 rules written on the PIX. Moreover, I'd use different IP pools for clients on different routers.



    Thank you very much to all who have read down to here.


    Alex.
     
    AM, Sep 19, 2005
    #1
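The classification problem in the post can be made concrete by replaying the posted access lists against the flows Alex describes. The script below is an added example for this thread, not the poster's configuration or any Cisco code: it reproduces IOS wildcard-mask matching and the implicit deny at the end of a numbered ACL, loads ACLs 104, 130 and 131 exactly as they appear in the posted config, and reports whether a (source, destination) pair matches the crypto ACL of the L2L tunnel (130), the NAT route-map ACL (131), or neither. It models ACL classification only; it does not model IOS's NAT/crypto order of operations on Dialer0, so the `classify()` labels describe which rule set a packet would match, not a guarantee of what the router does with it.

```python
"""Replay the ACLs from the posted 837 config against the flows in the thread.

Constructed example for this thread (not the poster's or Cisco's code).
Models only IOS ACL matching: wildcard masks, 'host', 'any', first match
wins, implicit deny. It does not model NAT/crypto ordering on the router.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (IOS wildcard)
    dst: str


def _take_spec(tokens):
    """Pop one IOS address specification off the front of a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]   # address + wildcard


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines (IP-only ACEs)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_spec(t[4:])
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append(Ace(t[2], src, dst))
    return aces


def _match(spec, ip):
    """IOS semantics: wildcard bit 0 = must match, bit 1 = don't care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.IPv4Address(spec.split()[1])
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    care = ~wild & 0xFFFFFFFF
    return (int(ip) & care) == (addr & care)


def evaluate(acl, src, dst):
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if _match(ace.src, s) and _match(ace.dst, d):
            return ace.action
    return "deny"


# Access lists copied from the posted configuration.
ACL_104 = parse_acl([   # applied 'out' on Ethernet0: the per-group LAN restriction
    "access-list 104 permit ip 192.168.61.232 0.0.0.3 host 10.162.31.1",
    "access-list 104 deny ip 192.168.61.232 0.0.0.3 10.162.31.0 0.0.0.255",
    "access-list 104 permit ip any any",
])
ACL_130 = parse_acl([   # crypto ACL of the LAN-to-LAN tunnel to the PIX
    "access-list 130 permit ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255",
    "access-list 130 permit ip 10.162.31.0 0.0.0.255 host 10.2.1.3",
    "access-list 130 deny ip any any",
])
ACL_131 = parse_acl([   # route-map vpn_2hq: what gets NATed out Dialer0
    "access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.218.0 0.0.0.255",
    "access-list 131 deny ip 10.162.31.0 0.0.0.255 192.168.61.232 0.0.0.7",
    "access-list 131 deny ip 10.162.31.0 0.0.0.255 host 10.2.1.3",
    "access-list 131 permit ip 10.162.31.0 0.0.0.255 any",
])


def classify(src, dst):
    """Which posted rule set a flow matches (crypto ACL checked first)."""
    if evaluate(ACL_130, src, dst) == "permit":
        return "matches crypto ACL 130 (L2L tunnel)"
    if evaluate(ACL_131, src, dst) == "permit":
        return "matches NAT ACL 131 (overload out Dialer0)"
    return "matches neither: leaves Dialer0 unencrypted and untranslated"


if __name__ == "__main__":
    # LAN host, VPN client from the new pool, and the same client as it would
    # appear after the poster's proposed translation into 10.162.31.232-239.
    for src, dst in [("10.162.31.10", "192.168.218.5"),
                     ("192.168.61.233", "192.168.218.5"),
                     ("10.162.31.233", "192.168.218.5")]:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst)}")
```

The middle line of the output is the problem Alex reports: a client from the 192.168.61.232/29 pool heading for 192.168.218.0/24 is matched by neither ACL 130 nor ACL 131, so under these rules nothing encrypts it and nothing translates it. The third line shows why translating the pool into 10.162.31.232-239 is attractive: that source does match the existing crypto ACL, which is the property the poster wants to keep without touching the 40 PIX rules.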