Solved

Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

Posted on 2004-10-06
Last Modified: 2012-05-05
This is a conceptual/architectural question at the moment.  I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.

I have a central Cisco 3030 VPN Concentrator with the internal interface attached to 10.7.30.0/24; this LAN is attached to one of 5 interfaces on a Cisco PIX 515E:

nameif ethernet0 outside security0
nameif ethernet1 inside security100 10.7.4.0/24 - 10.7.4.1
nameif ethernet2 dmz security50 10.7.20.0/24 - 10.7.20.1
nameif ethernet3 vpn security85 10.7.30.0/24 - 10.7.30.1
nameif vlan201 ilo security90 10.7.1.0/24 - 10.7.1.1

The local client is 10.13.10.2 on the 10.13.0.0/16 network connected to a Cisco 837 ADSL router.
The 837 has NAT established
Uses Route Map SDM_RMAP_1 that in turn uses access-list 101
access-list 101
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any

There is NO firewall configured on the 837

The VPN tunnel uses IPSec rule 100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255

I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24
I can ping 10.7.30.1 from the local client

From the VPN concentrator, I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2)

So my question, in general terms, is: how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN?

I thought (& have tried) that
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic

I think I've missed a step because
i. a tracert on 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails
Question by:MarkNethercott
4 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12237543
You need to add the 10.7.20.0/24 network to your crypto access list on the 837 router.

The VPN tunnel uses IPSec rule  100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255   <===add this

Also make sure that your tunnel definition on the concentrator matches the remote end.  A best practice is to mirror your crypto ACLs for each VPN tunnel.
 

Author Comment

by:MarkNethercott
ID: 12237627
Thanks for the response.

I've tried that earlier (a) above), which didn't fix the issue, though I may need to add in some extra bits...

1. Do I need (or not need) to add the NAT acl modification to prevent 10.7.20 traffic?
2. Does the VPN tunnel definition at the concentrator need to allow traffic to 10.7.20.0 as well as 10.7.30.0 even though it's being routed across the 10.7.30 network?
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 12238372
Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd:

Add this to access-list 101 being referenced in your route map SDM_RMAP_1 on the 837.

deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
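Putting the two answers together (the extra crypto ACL line suggested above and the NAT exemption in the accepted solution), the complete set of related statements on the 837 looks like this. This is an added example, not a configlet posted in the thread: the thread's subnets, ACL numbers and route-map name are kept, but the interface names (Ethernet0 for the LAN, Dialer0 for the ADSL side), the crypto-map name SDM_CMAP_1, the transform-set name ESP-3DES-SHA and the peer address 198.51.100.1 are assumptions.

```cisco
! Cisco 837, remote end of the LAN-to-LAN tunnel. Added example; every name
! marked ASSUMED is not from the thread. Shown as the desired end state:
! numbered ACL entries are appended in order, so re-create each list rather
! than tacking a deny on after the existing permit.
!
! 1. NAT exemption. For inside->outside traffic IOS translates the source
!    address before it evaluates the crypto map, so anything still NAT'd
!    to the Dialer address can never match ACL 100. Every destination that
!    appears in the crypto ACL must therefore be denied (= not translated) here.
no access-list 101
access-list 101 remark NAT exemption - destinations must match the crypto ACL
access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
access-list 101 permit ip 10.13.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
! Dialer0 is ASSUMED as the ADSL interface.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
! 2. Crypto ACL: the interesting traffic, one line per remote subnet.
!    The concentrator's network lists must be the mirror image of this.
no access-list 100
access-list 100 remark Crypto ACL - mirror on the concentrator
access-list 100 permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
access-list 100 permit ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
!
! Crypto map name, peer address and transform-set name are ASSUMED.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address 100
!
! LAN side (ASSUMED interface name).
interface Ethernet0
 ip nat inside
!
! ADSL side (ASSUMED interface name): NAT outside and the crypto map live here.
interface Dialer0
 ip nat outside
 crypto map SDM_CMAP_1
```

This also explains the tracert in the question: a 10.13.x.x packet to 10.7.20.27 that was still being NAT'd left as the Dialer address, never matched ACL 100, and was routed in the clear along the ADSL path. To confirm the fix, `show access-lists 101` should show the hit count on the 10.7.20.0 deny line incrementing when 10.13.10.2 pings 10.7.20.27, `show crypto ipsec sa` should show a second SA pair with local ident 10.13.0.0/255.255.0.0 and remote ident 10.7.20.0/255.255.255.0 whose encaps counter increments, and `show ip nat translations` should show no entry for that destination. Two things the thread does not show and that are worth checking if the SA comes up but pings still fail: the concentrator's LAN-to-LAN network lists must include 10.7.20.0/24 as well as 10.7.30.0/24 on the local side, and the PIX, which carries the replies from 10.7.20.27, needs a route for 10.13.0.0/16 pointing at the concentrator's private address on the vpn segment (and, on a PIX that enforces NAT control, a nat or nat 0 statement that covers 10.13.0.0/16 arriving on that interface).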
 
LVL 5

Expert Comment

by:netspec01
ID: 12238956
Without seeing your config, I don't know what your access list 100 is doing.  You may want to sanitize and post your config.

Below is a sample configlet from my IPSEC lab setup.  This config allows traffic from 192.168.1.0/24 destined for several networks to be encrypted.  Access list 105 describes the "interesting" traffic.  Interesting traffic is any source of 192.168.1.0/24 and any of the following destination networks: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 192.168.2.0/24 and 192.168.3.0/24.  Any traffic from 192.168.1.0/24 destined for any of the 5 networks will trigger the IPSEC negotiation.

!
! Phase 1 (ISAKMP): pre-shared key, DH group 2. MD5 and DES in this lab config
! are 2004-era settings, not something to deploy; the structure is what matters.
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
 lifetime 2800
crypto isakmp key cisco address 192.168.2.2
!
! Phase 2 transform set: AH plus ESP. esp-md5-hmac already authenticates the
! ESP payload, so ah-md5-hmac is generally redundant here.
crypto ipsec transform-set myset ah-md5-hmac esp-des esp-md5-hmac
!
! Crypto map: peer, transform set, PFS, and ACL 105 as the interesting-traffic selector.
crypto map mymap 100 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set myset
 set pfs group2
 match address 105
!
interface Loopback0
 no ip address
!
! LAN side: the protected 192.168.1.0/24 network.
interface Ethernet0
 ip address 192.168.1.5 255.255.255.0
!
! WAN side: the crypto map is applied here, so packets matching ACL 105 are
! encrypted as they leave Serial0.
interface Serial0
 ip address 192.168.2.1 255.255.255.252
 clockrate 56000
 crypto map mymap
!
! Routing: every destination in ACL 105 must be reachable via the crypto-mapped
! interface; the default route covers the networks without a specific route.
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.1.1.0 255.255.255.0 Serial0
no ip http server
!
! ACL 105 (interesting traffic): source 192.168.1.0/24, one line per remote network.
! The peer's crypto ACL should be the exact mirror of this list.
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

