Solved

Cisco VPN Site to Site with NAT

Posted on 2008-11-17
Last Modified: 2012-05-05
I am having a problem trying to get this site-to-site VPN up and running. The NAT part is throwing me for a loop, as I cannot get it working. We are connecting to a Cisco Concentrator from a PIX (our side). Our internal IP address range is 192.168.1.x. We must create a VPN to the Concentrator by NATting any interesting traffic. Below is the information we received from the company that is configuring the Concentrator:

Our endpoint is: 66.179.80.109
Our network is: 192.168.50.0 (255.255.255.0)

You will need to make an ACL from 172.24.105.2 to host 192.168.50.83 and 192.168.50.86.
You will need to NAT interesting traffic to 172.24.105.0 255.255.255.0.

I've created two ACLs exactly like those mentioned above. I've made so many changes now that my head is swimming, and nothing has worked. Help would be great. Below is the code I think is pertinent.

access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list 105 permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list conditional_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list 106 permit ip host 172.24.105.2 host 192.168.50.83 
access-list 107 permit ip host 172.24.105.2 host 192.168.50.86 
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 70.60.232.63 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 172.24.105.2 netmask 255.255.255.0
nat (inside) 3 access-list conditional_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Question by: dsechrist

21 Comments

Expert Comment by wilsj (LVL 5), ID: 22981951
If I'm reading it correctly, you want to NAT 192.168.1.0 to 172.25.105.0.

access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

static (inside,outside) 172.24.105.0 access-list 104_nat


Also add this to your isakmp pre-shared key line:

isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode

Expert Comment by wilsj (LVL 5), ID: 22981954
The other end will have to match this as well, so if they just allow the whole 172.24.105.0/24 network you should be good to go.

Author Comment by dsechrist (LVL 1), ID: 22981994
I think that is my problem - I don't think they allow the whole 172.24.105.0/24 network. The reason I say this is that we have a configuration we used for another setup we did with the same company about a year ago, and it did allow the entire range (a different NATted range). We took that configuration and modified it to fit this network, and it doesn't work. I think they are only allowing 172.24.105.2 to come across. I had the commands above in the configuration originally, with no luck.

Expert Comment by wilsj (LVL 5), ID: 22982048
OK, then simply add another two ACLs for a different host, so instead of the above try this. This will allow host 192.168.1.2 to be NATted to 172.24.105.2 (1-to-1 NAT). You can also do a many-to-1 NAT.

access-list 104 permit ip host 172.24.105.2 192.168.50.0 255.255.255.0
access-list 104_nat permit ip host 192.168.1.2 192.168.50.0 255.255.255.0

static (inside,outside) 172.24.105.2 access-list 104_nat

Many-to-1 NAT:

access-list 104 permit ip host 172.24.105.2 192.168.50.0 255.255.255.0
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 1 access-list 104_nat
global (outside) 1 172.24.105.2


Author Comment by dsechrist (LVL 1), ID: 22982154
Maybe this will help - the ISAKMP debug output:

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type I
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: drop P2 msg on unauthenticated SA

ISAKMP (0): deleting SA: src 70.60.232.62, dst 66.179.80.109
ISADB: reaper checking SA 0xbb7c84, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 66.179.80.109/500 not found - peers:0

Expert Comment by wilsj (LVL 5), ID: 22982209
Can you post what you have in your config so far?

Did you add this to your isakmp pre-shared key line?

no-xauth no-config-mode

Author Comment by dsechrist (LVL 1), ID: 22982223
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 105 permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 70.60.232.63 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 172.24.105.2
nat (inside) 3 access-list 104_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Expert Comment by wilsj (LVL 5), ID: 22982237
You don't need access-list 105.

Also change access-list 104 to:

access-list 104 permit ip host 172.24.105.2 host 192.168.50.83
access-list 104 permit ip host 172.24.105.2 host 192.168.50.86

Author Comment by dsechrist (LVL 1), ID: 22982268
Okay, made those changes and now I don't get anything. Before the changes I was getting the IKE tunnel to come up.

Author Comment by dsechrist (LVL 1), ID: 22982282
Sorry, I forgot to go back in and add the crypto map transam 1 match address 104, because it was taken out when I removed the ACLs. I now get the IKE tunnel to come up, but the ISAKMP logging shows the same messages as above.

Expert Comment by wilsj (LVL 5), ID: 22982283
Repost your config. Did you keep the access-list 104_nat?

Author Comment by dsechrist (LVL 1), ID: 22982300
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 104 permit ip host 172.24.105.2 host 192.168.50.83
access-list 104 permit ip host 172.24.105.2 host 192.168.50.86
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
global (outside) 1 interface
global (outside) 3 172.24.105.2
nat (inside) 3 access-list 104_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Expert Comment by wilsj (LVL 5), ID: 22982306
The config you have is correct; we just have to make sure they are making a mirror image of what you have on the other end.

Also, just to make sure: the set peer IP you have above, 66.179.80.109, is their VPN concentrator, correct?

Author Comment by dsechrist (LVL 1), ID: 22982316
Yes, that is their VPN concentrator.

Expert Comment by wilsj (LVL 5), ID: 22982347
OK, so we just have to make sure it is a mirror image of what you have, and that should do it.

Author Comment by dsechrist (LVL 1), ID: 22982363
Easier said than done - I have been trying to get them to do that for 3 months now. I am curious what the "ISAKMP: phase 1 packet is a duplicate of a previous packet" message is. I've looked it up and can't find any answers to what it means.

Expert Comment by wilsj (LVL 5), ID: 22982376
I think that happens when something isn't configured right, but you'll see other messages as well. A couple of debugs you can run are:

deb icmp trace (use when pinging a host from your network)
deb crypto isakmp 10 (detailed phase 1/2 traffic)

Author Comment by dsechrist (LVL 1), ID: 22982498
One last thing: when I add global (outside) 3 172.24.105.2, it returns a message that says it will be Port Address Translated (PAT). Could this be an issue?

Accepted Solution by wilsj (LVL 5, earned 2000 total points), ID: 22984727
This will not be an issue. It will allow the traffic specified.

Author Closing Comment by dsechrist (LVL 1), ID: 31517717
Thanks wilsj for all the help. The problem was on the other end - we did have to make some additional changes, but they were simple once they admitted they had made a mistake in their configuration. Again, thanks for all the help!

Expert Comment by wilsj (LVL 5), ID: 22989803
Glad to help. Thanks for the points.