Solved

Cisco 1812 site-to-site VPN with NAT on one side

Posted on 2008-10-15
1,867 Views
Last Modified: 2013-11-05
Hi,

We have successfully set up a site-to-site VPN using two Cisco 1812 routers. One side (location A) connects to an SDSL 2300kbps line and the other side (location B) to an IMA4 8192kbps line. All traffic is routed correctly between the two networks and the networks behind location A.

But some servers moved from location A to location B. One server used NAT from a third ADSL-line which communicated with a third party application using port 3000. I'm not able to add some NAT traffic from location A to location B (and the specific server). But best practice would be a NAT rule for location B. How to add NAT to the configuration? Please advise....


Some information in the scripts is removed or fingered. ;)

Location A:
 
 

Building configuration...
 

Current configuration : 6347 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RTR1812SBK

!

***** Some PKI stuff removed

!

!

ip cef

!

!

ip domain name mydomain.local

ip name-server 40.40.33.50

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

username admin privilege 15 secret 5 $8374893729734927342384

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key MyP4ssw0rd address 83.80.27.70

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

!

crypto map SDM_CMAP_1 1 ipsec-isakmp 

 set peer 70.70.27.70

 set transform-set ESP-3DES-SHA 

 match address 100

!

archive

 log config

  hidekeys

!

!

no ip rcmd domain-lookup

ip rcmd rcp-enable

ip rcmd remote-host sdmR8a79ff56 192.168.1.234 L8a79ff56 enable

ip rcmd remote-username sdmR8a79ff56

!

!

!

interface FastEthernet0

 description $ETH-LAN$

 ip address 40.40.195.74 255.255.255.252

 no ip route-cache cef

 no ip route-cache

 no ip mroute-cache

 duplex auto

 speed auto

 crypto map SDM_CMAP_1

!

interface FastEthernet1

 no ip address

 shutdown

 duplex auto

 speed auto

!

interface BRI0

 no ip address

 encapsulation hdlc

 shutdown

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$

 ip address 192.168.1.254 255.255.255.0

 ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 40.40.195.73

ip route 172.17.0.0 255.255.255.0 192.168.7.254

ip route 192.168.2.0 255.255.255.0 192.168.1.243

ip route 192.168.3.0 255.255.255.0 192.168.1.243

ip route 192.168.4.0 255.255.255.0 192.168.1.245

ip route 192.168.6.0 255.255.255.0 192.168.1.243

ip route 192.168.7.0 255.255.255.0 FastEthernet0

ip route 192.168.9.0 255.255.255.0 192.168.1.243

ip route 192.168.10.0 255.255.255.0 192.168.1.243

ip route 192.168.11.0 255.255.255.0 192.168.1.243

ip route 192.168.12.0 255.255.255.0 192.168.1.243

ip route 192.168.13.0 255.255.255.0 192.168.1.243

ip route 192.168.14.0 255.255.255.0 192.168.1.243

ip route 192.168.19.0 255.255.255.0 192.168.1.245

ip route 192.168.21.0 255.255.255.0 192.168.1.245

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip access-list extended CTrack3000

 remark C-Track Traffic

 remark SDM_ACL Category=2

 permit tcp any host 192.168.7.10 eq 3000

!

access-list 100 remark SDM_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.19.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 100 remark IPSec Rule

access-list 100 permit ip 172.17.0.0 0.0.0.255 192.168.7.0 0.0.0.255

snmp-server community public RO

no cdp run

!

!

!

!

!

!

control-plane

!

banner login ^CC

-------------------------------------------------------

 Transfer agent build 1005 : Sch-Crs (08/09/09 10:36)

-------------------------------------------------------

^C

!

line con 0

 login local

line aux 0

line vty 0 4

 privilege level 15

 login local

 transport input ssh

line vty 5 15

 privilege level 15

 login local

 transport input ssh

!

end

---------------------------------------------------------------
 

Location B:
 
 

Building configuration...
 

Current configuration : 7272 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RTR1812CRS

!

***** Some PKI stuff removed

!

!

ip cef

!

!

ip domain name mydomain.local

ip name-server 50.50.215.226

ip name-server 50.50.215.227

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

username admin privilege 15 secret 5 $3459u3489573490503458

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key MyP4ssw0rd address 40.40.195.74

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

!

crypto map SDM_CMAP_1 1 ipsec-isakmp 

 set peer 40.40.195.74

 set transform-set ESP-3DES-SHA 

 match address 120

!

archive

 log config

  hidekeys

!

!

!

!

!

interface FastEthernet0

 description $ETH-LAN$

 ip address 50.50.27.70 255.255.255.128

 ip nat outside

 ip virtual-reassembly

 no ip route-cache cef

 no ip route-cache

 no ip mroute-cache

 duplex auto

 speed auto

 crypto map SDM_CMAP_1

!

interface FastEthernet1

 no ip address

 shutdown

 duplex auto

 speed auto

!

interface BRI0

 no ip address

 encapsulation hdlc

 shutdown

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$

 ip address 192.168.7.254 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 50.50.27.4

ip route 192.168.1.0 255.255.255.0 FastEthernet0

ip route 192.168.2.0 255.255.255.0 192.168.1.243

ip route 192.168.3.0 255.255.255.0 192.168.1.243

ip route 192.168.4.0 255.255.255.0 192.168.1.245

ip route 192.168.6.0 255.255.255.0 192.168.1.243

ip route 192.168.9.0 255.255.255.0 192.168.1.243

ip route 192.168.10.0 255.255.255.0 192.168.1.243

ip route 192.168.11.0 255.255.255.0 192.168.1.243

ip route 192.168.12.0 255.255.255.0 192.168.1.243

ip route 192.168.13.0 255.255.255.0 192.168.1.243

ip route 192.168.14.0 255.255.255.0 192.168.1.243

ip route 192.168.19.0 255.255.255.0 192.168.1.245

ip route 192.168.21.0 255.255.255.0 192.168.1.245

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

access-list 120 remark SDM_ACL Category=4

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.14.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.16.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.19.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.21.0 0.0.0.255

access-list 120 remark IPSec Rule

access-list 120 permit ip 192.168.7.0 0.0.0.255 172.17.0.0 0.0.0.255

snmp-server community public RO

no cdp run

!

!

!

!

!

!

control-plane

!

banner login ^CC

-------------------------------------------------------

 Transfer agent build 7011 : Crs-Sch (08/10/11-12:01)

-------------------------------------------------------

^C

!

line con 0

 login local

line aux 0

line vty 0 4

 privilege level 15

 login local

 transport input ssh

line vty 5 15

 privilege level 15

 login local

 transport input ssh

!

end

Question by:DSEServices
2 Comments
 

Accepted Solution

by:
lrmoore earned 125 total points
ID: 22721458
If I understand you correctly, you want to use the same public IP static that you have at site A on another connection, but map it to the same server that is now located on siteB which is connected over a VPN tunnel to siteA... This would have to involve configurations on all 3 routers

Instead of creating a mess of a configuration that is difficult to troubleshoot, why can't you just create a new nat static directly at siteB and tell the 3rd party that they now have a new IP address to use?
 ip nat inside source static tcp 192.168.7.xxx 3000 50.50.27.77 3000
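The following is an added example for the site B router (RTR1812CRS), not the thread's own configuration or lrmoore's complete answer. It builds on the static NAT line above and adds the two things a practitioner would check before putting it into production: that the new static does not catch the server's replies that belong in the IPsec tunnel, and that the forwarded port is reachable only from the third party rather than from the whole Internet. Assumptions: the C-Track server is 192.168.7.10 (the host named in site A's CTrack3000 ACL), 50.50.27.77 is an unused address inside FastEthernet0's 50.50.27.0/25 subnet, 203.0.113.10 is a placeholder for the third party's source address, and the ACL names are my own.

```cisco
! Added example for RTR1812CRS (site B); not the configuration from the thread.
! Assumed: server 192.168.7.10, spare public address 50.50.27.77,
! third-party source 203.0.113.10 (placeholder), ACL/route-map names are mine.
!
! --- 1. Keep tunnel traffic out of NAT ------------------------------------
! Inside-to-outside NAT runs before the crypto map on FastEthernet0, so the
! server's replies to site A clients (source port 3000) would be rewritten to
! 50.50.27.77 and no longer match crypto ACL 120. Deny the tunnel
! destinations (a summary of the destinations in ACL 120) first.
ip access-list extended NAT-TO-INTERNET
 remark Deny everything that rides the IPsec tunnel to site A
 deny   ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.7.0 0.0.0.255 172.17.0.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
route-map NAT-TO-INTERNET permit 10
 match ip address NAT-TO-INTERNET
!
! --- 2. The port forward (lrmoore's line, with the route-map attached) -----
ip nat inside source static tcp 192.168.7.10 3000 50.50.27.77 3000 route-map NAT-TO-INTERNET
!
! --- 3. Limit who can reach the forwarded port ----------------------------
! On its own the static mapping exposes TCP/3000 to the whole Internet.
! The inbound ACL is evaluated before outside-to-inside NAT, so it matches
! on the public address. Decrypted tunnel packets are evaluated against the
! inbound ACL a second time, so the site A networks must be permitted too
! (these lines also admit cleartext packets with RFC 1918 sources; the
! upstream provider is expected to drop those).
ip access-list extended OUTSIDE-IN
 remark IKE and ESP from the site A peer
 permit udp host 40.40.195.74 host 50.50.27.70 eq isakmp
 permit esp host 40.40.195.74 host 50.50.27.70
 remark Decrypted traffic from the site A side networks (summary of ACL 120)
 permit ip 192.168.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 permit ip 172.17.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark Third party -> C-Track, matched on the pre-NAT public address
 permit tcp host 203.0.113.10 host 50.50.27.77 eq 3000
 remark Replies to sessions the router itself opened (DNS from the name-servers)
 permit udp host 50.50.215.226 eq domain host 50.50.27.70
 permit udp host 50.50.215.227 eq domain host 50.50.27.70
 permit tcp any host 50.50.27.70 established
 permit icmp any host 50.50.27.70 echo-reply
 deny   ip any any log
!
interface FastEthernet0
 ip access-group OUTSIDE-IN in
!
! --- 4. Checks after applying ---------------------------------------------
! show ip nat translations      -> one static entry for 192.168.7.10:3000,
!                                  plus a dynamic entry after the third party
!                                  opens a test connection
! show crypto ipsec sa          -> encaps/decaps counters keep increasing
!                                  for the 192.168.7.0/24 <-> site A SAs
! show access-lists OUTSIDE-IN  -> hit counts on the final deny line show
!                                  unsolicited connection attempts
```

Two points about the design. The route-map is what keeps the static from rewriting tunnel traffic; without it, C-Track sessions from site A clients would break as soon as the static is added, even though the tunnel itself stays up. How a route-map static treats outside-initiated sessions has changed across IOS releases, so confirm with `show ip nat translations` that a connection from the third party actually creates a translation on the 12.4 image in use, and consult that release's command reference if it does not. The inbound ACL is the part the accepted answer leaves implicit: a bare static on a router with no inbound filter makes the application port reachable from any source, which is the kind of exposure that shows up later as scans against the public address.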
 

Author Closing Comment

by:DSEServices
ID: 31506243
Thanks for your solution. I forgot to mention the NAT at site B was the preferred way. Such a simple solution, I was almost there. ;)
