Eric (United States of America) asked:
Cisco 1812 VPN to Cisco 853: can't connect together.

Creating a VPN between sites.

Two sites:

Main Office
      Router IP: 38.154.X.2 (255.255.255.0)
      Internal IP: 192.168.30.1 (255.255.255.0)

Branch Office:
      Router IP: 66.42.x.84 (255.255.255.0)
      Internal IP: 192.168.0.5 (255.255.255.0)

----------------------------------------------------------------------------------------------------
The Connection is as follows


CISCO 1812 Router ---> Internet ---> Netgear RP 114 DSL Router/Hub ---> CISCO 853
38.154.X.2        --->    internet      ---> 66.42.X.84                    ---> 192.168.0.5
----------------------------------------------------------------------------------------------------

I'm trying to set up a VPN between the routers. I'm using the Cisco SDM Router Management tool to configure the connections.


When I test the VPN tunnel from the remote and the main office, I get the same error message on both:


Failure Reason (From Branch Office): There is a response from the peer 38.154.X.2 but the tunnel is not up.

Recommended Action(s) (From Branch Office Router): Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration.

----------------------------------------------------------------------------------------------------

I have taken a look at the mirrored configuration and I still can't figure out what's going on here.




Please help!


** I'll assign more points later once I get them from other questions...
stressedout2004:

You will need to post your configuration. We need to verify the configuration.
Eric (ASKER):

Main Office Configuration:

If you need more information, please let me know...
---------------------------------------------------------------------------------

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username:
Username: admin
Password:

router#SHOW CONFIG
Using 5037 out of 196600 bytes
!
! Last configuration change at 11:42:19 PCTime Wed Apr 26 2006 by cisco
! NVRAM config last updated at 11:42:23 PCTime Wed Apr 26 2006 by cisco
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
username admin privilege 15 secret 5 $1$G/O9$yUdLrne0.1FPPUloLS3/I0
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name aconet.us
ip name-server 38.9.x.2
ip name-server 39.9.x.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 38.154.x.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface FastEthernet5
 no ip address
 no cdp enable
!
interface FastEthernet6
 no ip address
 no cdp enable
!
interface FastEthernet7
 no ip address
 no cdp enable
!
interface FastEthernet8
 no ip address
 no cdp enable
!
interface FastEthernet9
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 38.154.x.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 39.9.x.2 eq domain host 38.154.x.2
access-list 101 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 101 deny   ip 192.168.30.0 0.0.0.255 any
access-list 101 permit icmp any host 38.154.x.2 echo-reply
access-list 101 permit icmp any host 38.154.x.2 time-exceeded
access-list 101 permit icmp any host 38.154.x.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
Ok, let me make sure we are on the same page. You wanted to configure IPSEC (VPN) between the 1812 and the 853,
and you used the SDM to configure the two sites. Correct? Is the configuration you posted the most recent config?
Because I don't see a single IPSEC command in there. It is not configured for a VPN connection at all.
I don't do much configuration using SDM, but I can give you the CLI commands you need to configure on both sides.
Eric (ASKER):

If you have the CLI codes readily available, I'll take them.

I'll pull the newest, most recent config (which should be the one above) from the router in the morning and post it here (EST here)...
The configuration below is for the main office; replace <password> with the actual preshared key you want. This should be the same on both sides. Now for the branch office configuration, I need to see the existing config on that site so I can give you the commands that you need.

access-list 120 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.30.0 0.0.0.255 any
access-list 110 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255


crypto isakmp policy 10
encr 3des
group 2
hash sha  
authentication pre-share
exit

crypto isakmp key <password> address 66.42.x.84


crypto ipsec transform-set 3des esp-3des esp-sha-hmac  
exit
 
crypto map vpn_main 10 ipsec-isakmp  
set peer 66.42.x.84
set transform-set 3des
match address 110
exit


interface Vlan1
no ip nat inside
exit

clear ip nat trans * --> Do this command in privilege mode, not in configuration mode

no ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source list 120 interface FastEthernet1 overload

interface Vlan1
ip nat inside
exit

interface FastEthernet1
 no ip access-group 101 in
 exit

no access-list 101

access-list 101 permit udp host 39.9.x.2 eq domain host 38.154.x.2
access-list 101 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 101 permit icmp any host 38.154.x.2 echo-reply
access-list 101 permit icmp any host 38.154.x.2 time-exceeded
access-list 101 permit icmp any host 38.154.x.2 unreachable
access-list 101 permit esp any host 38.154.x.2
access-list 101 permit udp any host 38.154.x.2 eq 500
access-list 101 permit udp any host 38.154.x.2 eq 4500
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 192.168.30.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny   ip any any

interface FastEthernet1
 ip access-group 101 in
 crypto map vpn_main
Eric (ASKER):

Using 8548 out of 196600 bytes
!
! Last configuration change at 09:55:56 PCTime Thu May 11 2006 by admin
! NVRAM config last updated at 09:55:59 PCTime Thu May 11 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name X.US
ip name-server 38.9.X.2
ip name-server 38.9.X.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 66.42.x.84
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to66.42.X.84
 set peer 66.42.x.84
 set transform-set ESP-3DES-SHA1
 match address 104
!
!
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 38.154.x.2 255.255.255.0
 ip verify unicast reverse-path
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface FastEthernet5
 no ip address
 no cdp enable
!
interface FastEthernet6
 no ip address
 no cdp enable
!
interface FastEthernet7
 no ip address
 no cdp enable
!
interface FastEthernet8
 no ip address
 no cdp enable
!
interface FastEthernet9
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 38.154.x.1
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.10.200 21 38.154.x.2 21 extendable
ip nat inside source static tcp 192.168.10.200 25 38.154.x.2 25 extendable
ip nat inside source static tcp 192.168.10.200 80 38.154.x.2 80 extendable
ip nat inside source static tcp 192.168.10.200 110 38.154.x.2 110 extendable
ip nat inside source static tcp 192.168.10.200 443 38.154.x.2 443 extendable
ip nat inside source static tcp 192.168.10.100 1494 38.154.x.2 1494 extendable
ip nat inside source static tcp 192.168.10.210 1723 38.154.x.2 1723 extendable
ip nat inside source static tcp 192.168.10.100 3389 38.154.x.2 3389 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.30.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 38.154.X.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip 38.154.x.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any host 38.154.x.2 eq 3389
access-list 106 permit tcp any host 38.154.x.2 eq 1723
access-list 106 permit tcp any host 38.154.x.2 eq 1494
access-list 106 permit tcp any host 38.154.x.2 eq pop3
access-list 106 permit tcp any host 38.154.x.2 eq www
access-list 106 permit tcp any host 38.154.x.2 eq smtp
access-list 106 permit tcp any host 38.154.x.2 eq ftp
access-list 106 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 106 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 106 permit ahp host 66.42.x.84 host 38.154.x.2
access-list 106 permit esp host 66.42.x.84 host 38.154.x.2
access-list 106 permit udp host 66.42.x.84 host 38.154.x.2 eq isakmp
access-list 106 permit udp host 66.42.x.84 host 38.154.x.2 eq non500-isakmp
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 106 deny   ip 192.168.30.0 0.0.0.255 any
access-list 106 permit icmp any host 38.154.x.2 echo-reply
access-list 106 permit icmp any host 38.154.x.2 time-exceeded
access-list 106 permit icmp any host 38.154.x.2 unreachable
access-list 106 permit tcp any host 38.154.x.2 eq 443
access-list 106 permit tcp any host 38.154.x.2 eq 22
access-list 106 permit tcp any host 38.154.x.2 eq cmd
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 107 remark VTY Access-class list
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 192.168.30.0 0.0.0.255 any
access-list 107 deny   ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 107 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 107 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
Eric (ASKER):

THAT ABOVE IS THE MAIN OFFICE CONFIGURATION

Eric (ASKER):

THIS BELOW IS THE REMOTE LOCATION CONFIGURATION:


1. I only have the 192.168.0.5 address on the Cisco router for testing; it's the only thing in the branch network right now. I'm just trying to create the VPN tunnel first, then I'll worry about the clients out there once the tunnel is established...

2. There is a Netgear RP114 router between the internet connection and the Cisco router at the branch office. This router makes the connection to the internet.

ISP -> netgear router -> cisco router
66.... -> 192.168.0.1 -> 192.168.0.5

2a. Do I have to create a static route to the Cisco router through the Netgear router?
2b. If I do create a static route on the Netgear router, will it mess up clients that are already on the 192.168.0.x network that use the Netgear as the gateway to the internet?
Eric (ASKER):

BRANCH OFFICE CONFIGURATION


Using 2596 out of 131072 bytes
!
! Last configuration change at 09:50:38 PCTime Thu Apr 27 2006 by cisco
! NVRAM config last updated at 09:50:39 PCTime Thu Apr 27 2006 by cisco
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname modesto-router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name x.us
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 192.168.0.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
modesto-router#
The main office configuration looks fine. On the branch office, here is what you need:

access-list 101 permit ip  192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 exit

crypto isakmp key xxxxx address 38.154.x.2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
exit

crypto map p2p_vpn 1 ipsec-isakmp
 set peer 38.154.x.2
 set transform-set ESP-3DES-SHA
 match address 101
 exit

interface FastEthernet4
crypto map p2p_vpn
exit
Eric (ASKER):

Still got no connectivity here...

You said the router is behind the Netgear, which is the internet gateway for the rest of the network. The IP address 66.42.x.84, is that the Netgear's public IP address, or is it the NAT IP address assigned to the branch router?

The reason I asked is that for this setup to work, you need to have a one-to-one NAT on the Netgear router for the branch router's IP address (192.168.0.5). Meaning, 66.42.x.84 should be mapped to 192.168.0.4. Or you can try to do port redirect on UDP 500 and UDP 4500.
Eric (ASKER):

Netgear public address = 66.42.x.84
Netgear private address = 192.168.0.1


Cisco private address = 192.168.0.5
No public address for the Cisco.


Eric (ASKER):

On the Netgear router I have the option to set a static route:

Route Name   (Blank means to delete this route)  
Active?    
Destination IP Address    0.0.0.0
IP Subnet Mask    0.0.0.0
Gateway IP Address    0.0.0.0
Metric    0
 Private  ?




If I set up a static route, will this mess up the client computers that use the Netgear as the default gateway to get out to the internet?
 
You don't need any static route. What you need is to configure NAT on the Netgear. How many public IP addresses do you have?
What is the exact model and version of your Netgear?
Eric (ASKER):

Netgear RP114

One public IP address at the branch office.

I have an option for filters (I guess Netgear's way of NAT):



                         Menu 21.4.1 - TCP/IP Filter Rule

                    Filter #: 4,1
                    Filter Type= TCP/IP Filter Rule
                    Active= Yes
                    IP Protocol= 0     IP Source Route= No
                    Destination: IP Addr=
                                 IP Mask=
                                 Port #=
                                 Port # Comp= None
                         Source: IP Addr=
                                 IP Mask=
                                 Port #=
                                 Port # Comp= None
                    TCP Estab= N/A
                    More= No           Log= None
                    Action Matched= Check Next Rule
                    Action Not Matched= Check Next Rule

                    Press ENTER to Confirm or ESC to Cancel:
That's going to be a difficult setup. If you only have one public IP assigned to the Netgear, why didn't you just terminate the VPN on the Netgear itself? The problem here is that you need UDP 500 and protocol ESP, and most routers don't allow NAT on protocol ESP since it is portless.

We can try a workaround, but I can't guarantee it's going to work; it is worth a shot, though. Instead of using ESP, we will use UDP 4500, hoping that the router at the main office will detect a connection behind NAT and will allow the connection. Follow the link below for creating port redirection on your Netgear.

http://kbserver.netgear.com/kb_web_files/n101145.asp#MR314Anchor

You need to redirect the following ports to 192.168.0.5:

UDP 500
UDP 4500

So you need to create two redirections; if you can't find the port on the list, create the service on the Netgear, I believe under Security settings.


Eric (ASKER):

Tried the port redirection..

Nothing...

Hmmm. I was reading through the Netgear knowledgebase and it says there that it should support IPsec passthrough. Can you create a service protocol using 50 and 51, then do the port redirection using these protocols? Keep in mind when you are creating the services that 50 and 51 are protocols, not ports; they are portless. If this doesn't work then our best bet is either getting a spare public IP for the Cisco router or terminating the VPN on the Netgear itself.
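A checker that does SDM's "match it with the peer configuration" step by hand over the two configs posted in this thread, as an added example (not from the thread, Cisco or Netgear): it assumes made-up values for the masked octets (38.154.1.2 and 66.42.1.84), parses only the IOS command subset used above, and on the constructed pair reports exactly the NAT problem discussed in the replies above.

```python
"""Cross-check two IOS site-to-site IPsec configs the way SDM's "mirror configuration"
advice asks for. Added example, not from the thread or from Cisco; it understands only
the command subset used above (isakmp policy, transform set, crypto map, wildcard ACLs)."""
import ipaddress, re

POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}  # IOS defaults

def side(text):
    """Summarise one router: crypto-map interface address, peer, proposals, crypto ACL, keys."""
    g = lambda pat: re.search(pat, text, re.M).group(1)
    s = {"peer": g(r"^ set peer (\S+)"), "policies": [],
         "keys": set(re.findall(r"^crypto isakmp key \S+ address (\S+)", text, re.M)),
         "addr": g(r"^interface \S+\n(?: .*\n)*? ip address (\S+) \S+\n(?: .*\n)*? crypto map ")}
    ts = g(r"^ set transform-set (\S+)")
    s["ts"] = tuple(sorted(g(rf"^crypto ipsec transform-set {re.escape(ts)} (.+)$").split()))
    acl = g(r"^ match address (\d+)")  # interesting-traffic ACL number
    s["acl"] = {(ipaddress.ip_network(f"{sa}/{sw}"), ipaddress.ip_network(f"{da}/{dw}"))
                for sa, sw, da, dw in re.findall(  # IOS wildcards parse as IPv4 hostmasks
                    rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)}
    for body in re.findall(r"^crypto isakmp policy \d+\n((?: .*\n)*)", text, re.M):
        p = dict(POLICY_DEFAULTS)  # lines omitted from the config keep their defaults
        p.update(line.split(None, 1) for line in body.splitlines() if line.strip())
        s["policies"].append(p)
    return s

def check(a, b):
    """Findings for a pair of summaries; an empty list means the sides mirror each other."""
    out = []
    if a["ts"] != b["ts"]:
        out.append("IPsec transform sets differ")
    if not any(p == q for p in a["policies"] for q in b["policies"]):
        out.append("no ISAKMP policy in common (encr/hash/authentication/group)")
    if {(d, s) for s, d in a["acl"]} != b["acl"]:
        out.append("crypto ACLs are not mirror images of each other")
    for me, other in ((a, b), (b, a)):
        if me["peer"] not in me["keys"]:
            out.append(f"no pre-shared key configured for peer {me['peer']}")
        if me["peer"] != other["addr"]:  # the thread's case: peer is the Netgear's public IP
            nat = ipaddress.ip_address(other["addr"]).is_private
            why = "NAT in path, forward UDP 500/4500 to it and rely on NAT-T" if nat else "address mismatch"
            out.append(f"set peer {me['peer']} but remote crypto interface is {other['addr']}: {why}")
    return out

# Constructed from the thread's two configs; the masked octets are made up (x -> 1).
MAIN = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 66.42.1.84
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 66.42.1.84
 set transform-set ESP-3DES-SHA1
 match address 104
interface FastEthernet1
 ip address 38.154.1.2 255.255.255.0
 crypto map SDM_CMAP_1
access-list 104 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
BRANCH = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 38.154.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map p2p_vpn 1 ipsec-isakmp
 set peer 38.154.1.2
 set transform-set ESP-3DES-SHA
 match address 101
interface FastEthernet4
 ip address 192.168.0.5 255.255.255.0
 crypto map p2p_vpn
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

def findings():
    return check(side(MAIN), side(BRANCH))  # expected: exactly the NAT finding
```

Proposals, keys and crypto ACLs come out consistent on the constructed pair; the single finding is that the main office's peer (the Netgear's public address) is not the address on the branch router's crypto interface, which is the situation the port-redirection and protocol 50/51 suggestions are trying to work around.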
Eric (ASKER):

We switched out the 1812 router with an 1841 router, reconfigured both ends and got it working.

ASKER CERTIFIED SOLUTION: PAQ_Man (United States of America)

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial