Blaise Fournier

Cisco 851 router policy nat and vpn

Hello,

I'm trying to setup a VPN tunnel from a Cisco 851 router.
The problem definition is in the attached PDF file.
The LAN is 57.51.84.0/27 - I know these are public IP addresses, but that is how it is.
From the LAN I am able to ping the host 10.166.15.3, but not the 57.8.0.07/16 network.

Please find the configuration I'm using below.

Thank you in advance for your effort.

Config starts here:


!
! --- Global platform settings (IOS 12.4) ---
version 12.4
! PAD is off; TCP keepalives on inbound and outbound sessions detect dead peers
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond timestamps with local time zone on debug and log output
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation of plaintext passwords in the config (reversible; not a secret store)
service password-encryption
service sequence-numbers
!
hostname rtr
!
boot-start-marker
boot-end-marker
!
! ~50 KB local log buffer; console output limited to critical messages
logging buffered 51200
logging console critical
! Type-5 (MD5) enable secret, value redacted by the poster
enable secret 5 XXXXXX
!
! AAA is off: the "login local" lines and "ip http authentication local" below use the local "username" entry
no aaa new-model
!
! Self-signed trustpoint (identifiers redacted); presumably the certificate behind "ip http secure-server" - confirm
crypto pki trustpoint TP-self-signed-XXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
 ! No CRL/OCSP lookup for the self-signed certificate
 revocation-check none
 rsakeypair TP-self-signed-XXXXXX
!
!
! Certificate body removed by the poster before publishing
crypto pki certificate chain TP-self-signed-XXXXXX
 certificate self-signed 01
 
[Deleted]

        quit
! Packets carrying IP source-route options are dropped
no ip source-route
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! The router does not answer BOOTP requests
no ip bootp server
ip domain name lathiongroup.ch
ip name-server 213.221.128.240
!
!
!
! Local privilege-15 administrator (type-5 hash, redacted); used by "login local" on the lines and by the HTTP server
username latcisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
! --- IKE phase 1 ---
! Policy 1: 3DES, pre-shared key, DH group 2, hash left at the IOS default (SHA-1 on 12.4 - confirm)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Policy 20: same as policy 1 but with MD5 as the hash
! 3DES / MD5 / group 2 are legacy-strength; prefer AES, SHA-2 and group 14 or higher if the peer supports them
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Pre-shared key bound to the single peer address (key and peer redacted)
crypto isakmp key XXXXXX address XXX.XXX.XXX.XXX
!
!
! --- IPsec phase 2 ---
! ESP with 3DES encryption and HMAC-MD5 integrity
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
! DF bit is cleared before encapsulation so oversized packets are fragmented rather than dropped
crypto ipsec df-bit clear
!
! Static crypto map applied to FastEthernet4. Interesting traffic is ACL 105, which is written in
! post-NAT addresses (10.170.183.32/28): on the inside->outside path NAT runs before encryption.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set tset1
 match address 105
!
! Log configuration changes; "hidekeys" keeps passwords and keys out of the change log
archive
 log config
  hidekeys
!
!
!
! FastEthernet0-3: the switch ports of the 851, no per-port configuration (presumably members of Vlan1 - confirm)
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN / NAT outside / crypto-map interface
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ! Address comes from the ISP via DHCP; the default route below points at this interface
 ip address dhcp
 no ip unreachables
 no ip proxy-arp
 ! Inside->outside packets are translated here first, then matched against crypto ACL 105 by SDM_CMAP_1
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
! LAN / NAT inside interface: 57.51.84.0/27, router is .30 (public addressing, per the poster)
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 57.51.84.30 255.255.255.224
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip forward-protocol nd
! Default route via the DHCP WAN interface (interface-only, no next hop)
ip route 0.0.0.0 0.0.0.0 FastEthernet4
! Additional /28 LAN subnets behind an internal next hop.
! NOTE(review): the first four routes use next hop 57.52.84.28, which is not inside the connected
! 57.51.84.0/27, while the last one uses 57.51.84.28. If "57.52" is a typo rather than anonymisation,
! those four routes recurse to the default route and hosts in 57.51.84.32-.111 are sent out the WAN
! instead of to the internal router - verify with "show ip route".
ip route 57.51.84.32 255.255.255.240 57.52.84.28
ip route 57.51.84.48 255.255.255.240 57.52.84.28
ip route 57.51.84.80 255.255.255.240 57.52.84.28
ip route 57.51.84.96 255.255.255.240 57.52.84.28
ip route 57.51.84.112 255.255.255.240 57.51.84.28
!
! Management web UI: plain HTTP and HTTPS are both enabled, local authentication, no access restriction.
! Hardening: drop "ip http server" (keep secure-server) and limit clients with "ip http access-class".
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! Single-address NAT pools, one per inside host. All pool addresses (10.170.183.34-.41) fall inside
! 10.170.183.32/28, the source network of crypto ACL 105, so translated traffic is tunnel-eligible.
ip nat pool MON 10.170.183.41 10.170.183.41 netmask 255.255.255.240
ip nat pool UM 10.170.183.35 10.170.183.35 netmask 255.255.255.240
ip nat pool MONT 10.170.183.40 10.170.183.40 netmask 255.255.255.240
ip nat pool DPS3 10.170.183.38 10.170.183.38 netmask 255.255.255.240
ip nat pool DPS2 10.170.183.37 10.170.183.37 netmask 255.255.255.240
ip nat pool SIE 10.170.183.39 10.170.183.39 netmask 255.255.255.240
ip nat pool DPS1 10.170.183.36 10.170.183.36 netmask 255.255.255.240
ip nat pool GAL 10.170.183.34 10.170.183.34 netmask 255.255.255.240
! Internet PAT: traffic selected by SDM_RMAP_1 (ACL 103, which exempts the VPN destinations) is overloaded on the WAN address
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
! Policy NAT for VPN traffic. SDM_RMAP_2 (ACL 104) matches the whole 57.51.84.0/25 toward both VPN
! destinations, while SDM_RMAP_3..9 (ACLs 106-112) each match a single host toward the same destinations,
! so the rules overlap. None of the pool rules has "overload": a one-address pool holds one inside host
! at a time, so if the /25 rule wins, pool GAL can serve only one LAN host until its entry ages out.
! Check which rule a host actually hits with "show ip nat translations".
ip nat inside source route-map SDM_RMAP_2 pool GAL
ip nat inside source route-map SDM_RMAP_3 pool DPS1
ip nat inside source route-map SDM_RMAP_4 pool UM
ip nat inside source route-map SDM_RMAP_5 pool DPS2
ip nat inside source route-map SDM_RMAP_6 pool DPS3
ip nat inside source route-map SDM_RMAP_7 pool SIE
ip nat inside source route-map SDM_RMAP_8 pool MON
ip nat inside source route-map SDM_RMAP_9 pool MONT
!
! Only critical messages are sent to the syslog host (none is configured in this excerpt)
logging trap critical

! ACL 103 - Internet PAT selector: traffic from 57.51.84.0/25 (0.0.0.127 covers the /27 LAN plus the
! routed /28s) to the two VPN destinations is exempted; everything else is PATed to the WAN address.
access-list 103 remark NAT for Internet
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 57.51.84.0 0.0.0.127 host 10.166.15.3
access-list 103 deny   ip 57.51.84.0 0.0.0.127 57.8.0.0 0.0.255.255
access-list 103 permit ip 57.51.84.0 0.0.0.127 any

! ACL 104 - policy NAT to pool GAL: the whole /25 toward both VPN destinations; a superset of ACLs 106-112
access-list 104 remark NAT VPN
access-list 104 remark SDM_ACL Category=2
access-list 104 permit ip 57.51.84.0 0.0.0.127 57.8.0.0 0.0.255.255
access-list 104 permit ip 57.51.84.0 0.0.0.127 host 10.166.15.3

! ACL 105 - crypto ACL for SDM_CMAP_1, in post-NAT addresses: 10.170.183.32/28 to 10.166.15.3 and to 57.8.0.0/16.
! The peer's crypto ACL must be the mirror image of this for phase 2 to come up for each destination;
! the peer config is not shown here, so whether it covers 57.8.0.0/16 is the first thing to confirm.
access-list 105 remark IPSEC NAT GAL
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.170.183.32 0.0.0.15 host 10.166.15.3
access-list 105 permit ip 10.170.183.32 0.0.0.15 57.8.0.0 0.0.255.255

! ACLs 106-112 - per-host policy NAT selectors, one LAN host each, toward the same two VPN destinations
access-list 106 remark DPS1
access-list 106 remark SDM_ACL Category=2
access-list 106 permit ip host 57.51.84.9 host 10.166.15.3
access-list 106 permit ip host 57.51.84.9 57.8.0.0 0.0.255.255

access-list 107 remark Umbrella
access-list 107 remark SDM_ACL Category=2
access-list 107 permit ip host 57.51.84.17 host 10.166.15.3
access-list 107 permit ip host 57.51.84.17 57.8.0.0 0.0.255.255

access-list 108 remark DPS2
access-list 108 remark SDM_ACL Category=2
access-list 108 permit ip host 57.51.84.16 host 10.166.15.3
access-list 108 permit ip host 57.51.84.16 57.8.0.0 0.0.255.255

! ACL 109 carries no descriptive remark; it is the DPS3 selector via SDM_RMAP_6
access-list 109 remark SDM_ACL Category=2
access-list 109 permit ip host 57.51.84.20 host 10.166.15.3
access-list 109 permit ip host 57.51.84.20 57.8.0.0 0.0.255.255

access-list 110 remark SIE
access-list 110 remark SDM_ACL Category=2
access-list 110 permit ip host 57.51.84.55 host 10.166.15.3
access-list 110 permit ip host 57.51.84.55 57.8.0.0 0.0.255.255

access-list 111 remark MON
access-list 111 remark SDM_ACL Category=2
access-list 111 permit ip host 57.51.84.103 host 10.166.15.3
access-list 111 permit ip host 57.51.84.103 57.8.0.0 0.0.255.255

access-list 112 remark MONT
access-list 112 remark SDM_ACL Category=2
access-list 112 permit ip host 57.51.84.87 host 10.166.15.3
access-list 112 permit ip host 57.51.84.87 57.8.0.0 0.0.255.255

! CDP disabled globally
no cdp run
! Route-maps only select traffic for the NAT rules above (route-map -> ACL -> pool):
!  SDM_RMAP_1 -> 103 (Internet PAT)   SDM_RMAP_2 -> 104 (GAL, whole /25)
!  SDM_RMAP_3 -> 106 (DPS1)           SDM_RMAP_4 -> 107 (UM)      SDM_RMAP_5 -> 108 (DPS2)
!  SDM_RMAP_6 -> 109 (DPS3)           SDM_RMAP_7 -> 110 (SIE)     SDM_RMAP_8 -> 111 (MON)
!  SDM_RMAP_9 -> 112 (MONT)
route-map SDM_RMAP_4 permit 1
 match ip address 107
!
route-map SDM_RMAP_5 permit 1
 match ip address 108
!
route-map SDM_RMAP_6 permit 1
 match ip address 109
!
route-map SDM_RMAP_7 permit 1
 match ip address 110
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map SDM_RMAP_3 permit 1
 match ip address 106
!
route-map SDM_RMAP_8 permit 1
 match ip address 111
!
route-map SDM_RMAP_9 permit 1
 match ip address 112
!
!
control-plane
!
! Exec banner shown after login (body replaced by "blah" by the poster)
banner exec ^CCCC
% Password expiration warning.
-----------------------------------------------------------------------
 
blah
 
-----------------------------------------------------------------------
^C
! Login banner shown before authentication on every line
banner login ^CCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Console and AUX: local login; AUX is left active - if no modem is attached, "no exec" on it removes an entry point
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
! VTY: local login, Telnet and SSH both accepted, no "access-class" restriction, so cleartext Telnet
! management is reachable from both the WAN and the publicly addressed LAN.
! Hardening: "transport input ssh" plus an "access-class <acl> in" limited to the admin hosts.
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end





problem-def.pdf