Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 951
  • Last Modified:

VPN through Cisco 1720 to ISA 2006

I have a Cisco 1720 router in front of a ISA 2006.  I want to create a VPN site-to-site from a branch office using a Linksys RVS4000 (IPSec) to the ISA 2006.  The external IP address of the Linksys is 71.91.94.71, the external IP address of the ISA (in the 1720) is 216.85.242.85, which is nat to 192.9.200.2.  Everytime I try to create a tunnel to the ISA, the tunnel is not created.  On the Linksys VPN log, I get the following:

Main mode peer ID is ID_IPV4_ADDR: '192.9.200.2'
we require peer to have ID '216.85.242.85', but peer declares '192.9.200.2'

Is there a way I can change the peer ID in the Cisco, so the traffic is passed to the ISA?  Like an alias?
0
john_fugazi
Asked:
john_fugazi
  • 10
  • 8
  • 3
1 Solution
 
dpk_walCommented:
Configure your 1720 router to do one-to-one NAT for your ISA server; then any outgoing traffic from ISA would go out using that public IP address only and not the NAT IP. Specify the same public IP as remote gateway on linksys and the VPN tunnel should come up.

You need to have multiple public IP addresses.

Please look at the example below:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml
0
 
rsivanandanCommented:
Is the ip 216.85.242.85 assigned to the outside wan interface on the 1720 ? If you could post the config (sanitized -> remove passwords and remove any one of the octects from the public ip), then it would be easy to work on this one.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
here is the config file.

version 12.0            
service timestamps debug uptime                              
service timestamps log uptime                            
no service password-encryption                              
!
hostname router                  
!
enable secret 5 $1$ejYQ$PumDTjKsIG1                                              
enable password xxxxxxx                        
!
ip subnet-zero              
no ip domain-lookup                  
ip name-server 207.191.50.10                            
ip name-server 207.191.1.10                          
!
!
!
!
interface Serial0                
 bandwidth 10000000                  
 ip address 216.85.xxx.70 255.255.255.252                                        
 ip access-group 100 in                      
 ip access-group 105 out                        
 no ip directed-broadcast                        
 ip nat outside              
 encapsulation ppp                  
 fair-queue 64 256 0                    
 service-module t1 remote-alarm-enable                                      
!
interface FastEthernet0                      
 description connected to EthernetLAN                                    
 bandwidth 10000000                  
 ip address 192.9.200.1 255.255.255.0                                    
 no ip directed-broadcast                        
 ip nat inside              
 full-duplex            
!
router rip          
 version 2          
 network 192.9.200.0                    
 no auto-summary                
!
ip nat inside source static 192.9.200.2 216.85.xxx.85
ip classless
ip route 0.0.0.0 0.0.0.0 216.85.xxx.69
ip http server
!
snmp-server engineID local 0000000902000050547CFFF0
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 login
 transport input none
line aux 0
line vty 0
 password xxxxxxx
 login
line vty 1 4
 login
!
end
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
rsivanandanCommented:
>>ip access-group 100 in                      
>>ip access-group 105 out

Both the above access-lists are not there in the config, so for the time being can you just remove them and see if it works ?

As well;


>>ip address 216.85.xxx.70 255.255.255.252  

and

>>ip route 0.0.0.0 0.0.0.0 216.85.xxx.69

Doesn't look like they're in the correct subnet unless I'm am banging my head!

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
OK.  here is a corrected config file:

version 12.0            
service timestamps debug uptime                              
service timestamps log uptime                            
no service password-encryption                              
!
hostname router                  
!
enable secret 5 $1$ejYQ$PumDTjKsIG1                                              
enable password xxxxxxx                        
!
ip subnet-zero              
no ip domain-lookup                  
ip name-server 207.191.50.10                            
ip name-server 207.191.1.10                          
!
!
!
!
interface Serial0                
 bandwidth 10000000                  
 ip address 216.85.xxx.82 255.255.255.248                                      
 no ip directed-broadcast                        
 ip nat outside              
 encapsulation ppp                  
 fair-queue 64 256 0                    
 service-module t1 remote-alarm-enable                                      
!
interface FastEthernet0                      
 description connected to EthernetLAN                                    
 bandwidth 10000000                  
 ip address 192.9.200.1 255.255.255.0                                    
 no ip directed-broadcast                        
 ip nat inside              
 full-duplex            
!
router rip          
 version 2          
 network 192.9.200.0                    
 no auto-summary                
!
ip nat inside source static 192.9.200.2 216.85.xxx.85
ip classless
ip route 0.0.0.0 0.0.0.0 216.85.xxx.81
ip http server
!
snmp-server engineID local 0000000902000050547CFFF0
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 login
 transport input none
line aux 0
line vty 0
 password xxxxxxx
 login
line vty 1 4
 login
!
end

********************
note, i took out the ip access-group.  but i still cannot get it connected.  
i also tried the "ip nat outside", but i have a question do i also need to add a "ip nat inside" that matches.  for example:  ip nat inside source static 192.9.200.2 216.85.xxx.82
                      ip nat outside source static 216.85.xxx.82 192.9.200.2

0
 
rsivanandanCommented:
No you don't need that.

What port is open in ISA ? probably http ? If so, from the internet can you do this;

telnet 216.85.xxx.82 <port number> and see if you're connected ? Any open port is fine.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
i gave it a try on port 80 from home.  i will assume it did go because if i type something, says "hello", and hit return i get back html code.
0
 
rsivanandanCommented:
OH yeah, then it is working :-)

So nat is up now and that is why you get connected.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
yes.  its alway up.
0
 
dpk_walCommented:
Are you able to get the VPN tunnel up now.
0
 
john_fugaziAuthor Commented:
no.
0
 
dpk_walCommented:
Have the configuration changed helped anything? Do you get any different logs than before? Would request  more details on the current status of the problem.

Thank you.
0
 
john_fugaziAuthor Commented:
can i use the bridge command to use the public ip?

I have a T1 line coming in that is why i have the Cisco router, if i got rid of it and got something like a gateway will that do it?

will the "ip nat outside" work and if so do i also use the "ip nat inside"?

what are my choices?

0
 
rsivanandanCommented:
John,

  Now the nat is enabled right ? and still the vpn is not coming up ? What are the logs for failure ?

Let the router be there since you have ip addresses.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
I installed a Windows 2000 with ISA 2000 for the branch office instead of the RVS4000.  with this, i am using ptpp to create a vpn site-to-site to our main office.  instead of taking this to the branch, i am testing it here.  

in the cisco 1720 router, i entered "ip nat inside source static 192.9.200.3 216.85.xxx.83" for the ISA 2000.  everything works like it is suppose to if i connect using the 192.9.200.2 to connect to 192.9.200.3.  if i configure the ISA 2000 to connect to 216.85.xxx.82 and the ISA 2006 to connect to 216.85.xxx.83, it does not work.

can i do it this way?  and if so is there a way i can view a log to determined where it is going wrong?
0
 
john_fugaziAuthor Commented:
one more thing.  my internal ip addresses are 192.168.1.0-255.  should my router's ip address be on the same ip addresses as my internal?  will this help?
0
 
rsivanandanCommented:
I can't help you with ISA since I don't have experience with that. But the configuration should work, but there are few problems;

The remote office and corporate office end you're using same ip block ? 216.85.xxx.82 and 83 are allocated to the site on which we were working till now, but you can't use one of the ip from this on the remote site.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
so i can't use 216.85.xxx.82 and 83 for testing purposes.  i just don't feel like driving to the branch office to find out that it did not work.
0
 
rsivanandanCommented:
Hope you're getting what I'm saying :-) The site A is given that ip range, similarly site B should've also be given some public ip address range. So you just have to find out that, once you have that then you could use that to configure the other end with that ip address and thats it.

Cheers,
Rajesh
0
 
john_fugaziAuthor Commented:
I rechecked the settings in the Cisco to make sure everything was according to what you had said (Rajesh).  then i went back out to the branch office and installed everything.  i must say that everything works.  i was able to vpn to the ISA 2006 with the branch office having the configuration of Win2003 with ISA 2000.  I was not able to connect with the branch office having the configuration of WIn2000 with ISA 2000.  so i guess i will use the Win2003 with ISA 2000.

thanks for all your help.
0
 
rsivanandanCommented:
Okay, it is probably with the connection difference between 2003 and 2000. Glad you got it working now.

Cheers,
Rajesh
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 10
  • 8
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now