Solved

Cisco 1812 site-to-site VPN with NAT on one side

Posted on 2008-10-15
Last Modified: 2013-11-05
Hi,

We have successfully set up a site-to-site VPN using two Cisco 1812 routers. One side (location A) connects to an SDSL 2300kbps line and the other side (location B) to an IMA4 8192kbps line. All traffic is routed correctly between the two networks and the networks behind location A.

But some servers moved from location A to location B. One server used NAT from a third ADSL line, which communicated with a third-party application using port 3000. I'm not able to add some NAT traffic from location A to location B (and the specific server). But best practice would be a NAT rule for location B. How do I add NAT to the configuration? Please advise....


Some information in the scripts is removed or fingered. ;)

Location A:
 
 
Building configuration...
 
Current configuration : 6347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR1812SBK
!
***** Some PKI stuff removed
!
!
ip cef
!
!
ip domain name mydomain.local
ip name-server 40.40.33.50
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $8374893729734927342384
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MyP4ssw0rd address 83.80.27.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer 70.70.27.70
 set transform-set ESP-3DES-SHA 
 match address 100
!
archive
 log config
  hidekeys
!
!
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd remote-host sdmR8a79ff56 192.168.1.234 L8a79ff56 enable
ip rcmd remote-username sdmR8a79ff56
!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address 40.40.195.74 255.255.255.252
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 192.168.1.254 255.255.255.0
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 40.40.195.73
ip route 172.17.0.0 255.255.255.0 192.168.7.254
ip route 192.168.2.0 255.255.255.0 192.168.1.243
ip route 192.168.3.0 255.255.255.0 192.168.1.243
ip route 192.168.4.0 255.255.255.0 192.168.1.245
ip route 192.168.6.0 255.255.255.0 192.168.1.243
ip route 192.168.7.0 255.255.255.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 192.168.1.243
ip route 192.168.10.0 255.255.255.0 192.168.1.243
ip route 192.168.11.0 255.255.255.0 192.168.1.243
ip route 192.168.12.0 255.255.255.0 192.168.1.243
ip route 192.168.13.0 255.255.255.0 192.168.1.243
ip route 192.168.14.0 255.255.255.0 192.168.1.243
ip route 192.168.19.0 255.255.255.0 192.168.1.245
ip route 192.168.21.0 255.255.255.0 192.168.1.245
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended CTrack3000
 remark C-Track Traffic
 remark SDM_ACL Category=2
 permit tcp any host 192.168.7.10 eq 3000
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.19.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.17.0.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community public RO
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CC
-------------------------------------------------------
 Transfer agent build 1005 : Sch-Crs (08/09/09 10:36)
-------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
end
---------------------------------------------------------------
 
Location B
 
 
Building configuration...
 
Current configuration : 7272 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR1812CRS
!
***** Some PKI stuff removed
!
!
ip cef
!
!
ip domain name mydomain.local
ip name-server 50.50.215.226
ip name-server 50.50.215.227
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $3459u3489573490503458
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MyP4ssw0rd address 40.40.195.74
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer 40.40.195.74
 set transform-set ESP-3DES-SHA 
 match address 120
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address 50.50.27.70 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.50.27.4
ip route 192.168.1.0 255.255.255.0 FastEthernet0
ip route 192.168.2.0 255.255.255.0 192.168.1.243
ip route 192.168.3.0 255.255.255.0 192.168.1.243
ip route 192.168.4.0 255.255.255.0 192.168.1.245
ip route 192.168.6.0 255.255.255.0 192.168.1.243
ip route 192.168.9.0 255.255.255.0 192.168.1.243
ip route 192.168.10.0 255.255.255.0 192.168.1.243
ip route 192.168.11.0 255.255.255.0 192.168.1.243
ip route 192.168.12.0 255.255.255.0 192.168.1.243
ip route 192.168.13.0 255.255.255.0 192.168.1.243
ip route 192.168.14.0 255.255.255.0 192.168.1.243
ip route 192.168.19.0 255.255.255.0 192.168.1.245
ip route 192.168.21.0 255.255.255.0 192.168.1.245
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 120 remark SDM_ACL Category=4
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.7.0 0.0.0.255 172.17.0.0 0.0.0.255
snmp-server community public RO
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CC
-------------------------------------------------------
 Transfer agent build 7011 : Crs-Sch (08/10/11-12:01)
-------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
end

Question by:DSEServices
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 22721458
If I understand you correctly, you want to use the same public static IP that you have at site A on another connection, but map it to the same server that is now located at site B, which is connected over a VPN tunnel to site A... This would have to involve configurations on all 3 routers.

Instead of creating a mess of a configuration that is difficult to troubleshoot, why can't you just create a new static NAT directly at site B and tell the 3rd party that they now have a new IP address to use?
 ip nat inside source static tcp 192.168.7.xxx 3000 50.50.27.77 3000
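Two checks worth running before adding the static NAT at site B, as an added example that is not part of lrmoore's answer or the poster's configs: the crypto ACLs on the two routers must be exact mirrors of each other (site B's access-list 120 lists networks such as 192.168.5.0/24 that site A's access-list 100 does not), and because IOS applies inside-to-outside NAT before the crypto map on FastEthernet0, a static entry for a host that also sits inside a crypto ACL source subnet will translate that host's VPN-bound port-3000 replies unless the entry exempts the VPN destinations. The ACL excerpts are constructed from the configs above; 192.168.7.10 is assumed from site A's CTrack3000 list.

```python
import re
from ipaddress import ip_network

# Constructed excerpts of the two crypto ACLs posted above (not the full lists).
SITE_A_ACL = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.0.255 192.168.7.0 0.0.0.255
"""
SITE_B_ACL = """
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.7.0 0.0.0.255 172.17.0.0 0.0.0.255
"""
ACL_RE = re.compile(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_net(addr, wild):
    """Turn an IOS address/wildcard pair into a network (wildcard = inverted mask)."""
    mask = ".".join(str(255 - int(octet)) for octet in wild.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (source, destination) network pairs in a crypto ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.add((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
    return pairs


def asymmetric_entries(local_acl, remote_acl):
    """Local entries whose mirror (dst, src) is missing on the remote side.
    Such proxy identities never match, so no SA is ever negotiated for them."""
    remote = parse_crypto_acl(remote_acl)
    return sorted(f"{s}->{d}" for s, d in parse_crypto_acl(local_acl)
                  if (d, s) not in remote)


def static_nat_overlaps_vpn(inside_host, local_acl):
    """VPN destination subnets whose traffic from inside_host would be hit by a
    static NAT entry for that host, because NAT runs before the crypto map."""
    host = ip_network(inside_host + "/32")
    return sorted(str(d) for s, d in parse_crypto_acl(local_acl) if host.subnet_of(s))


if __name__ == "__main__":
    print("site B entries with no mirror at A:", asymmetric_entries(SITE_B_ACL, SITE_A_ACL))
    print("VPN subnets affected by NAT of 192.168.7.10:",
          static_nat_overlaps_vpn("192.168.7.10", SITE_B_ACL))
```

Any subnet reported by the second check needs the static translation exempted for VPN-bound traffic (IOS allows a route-map on static translations), otherwise replies from port 3000 to site A leave the tunnel with the public address as source.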
 
LVL 1

Author Closing Comment

by:DSEServices
ID: 31506243
Thanks for your solution. I forgot to mention the NAT at site B was the preferred way. Such a simple solution, I was almost there. ;)