ipsec vpn through isp router

Posted on 2010-09-11
Last Modified: 2012-05-10
Got a question for you; I'm not a Cisco wiz. Just started playing with it.
Got a problem connecting a router to the existing network from behind an ISP router. Got one public IP address from the ISP (11.11.11.11), and got a Cisco 2801 on the inside connecting to an existing network.

Getting this error message:
IPSEC(validate_proposal): invalid local address 192.168.1.2

192.168.1.2 is the IP address of FastEthernet 0/1, which is connected to the ISP router (ZXV10) and configured as DMZ.

Here's the crypto setup:
crypto isakmp key PresharedKey address 22.22.22.22

crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100

interface Tunnel1
 description GRE IPsec Tunnel from A to B
 bandwidth 1536
 ip address 11.25.1.2 255.255.255.0
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap

interface FastEthernet0/1
 description outside interface to isp
 ip address 192.168.1.2 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap

I've added the access lists and crypto to FastEthernet as you can see.

Is it at all possible to do this? Or am I chasing an impossible dream?

Question by:Skrotpels
Expert Comment

by:Istvan Kalmar
ID: 33653201
Hi,

If you have a private outside address, the tunnel is never going to come up....

Expert Comment

by:rfc1180
ID: 33653211
Please provide the configs from both sides.

Billy

Expert Comment

by:ArneLovius
ID: 33653215
I think your problem is that you are trying to use an IPSec tunnel over NAT while using the public address as the exit address.

If you want a site-to-site tunnel to run over NAT, I would suggest that you use SSL instead...
Author Comment

by:Skrotpels
ID: 33656362
Here's the config on the other side; it's completely the same except opposite :)

crypto isakmp key PreSharedKey address 11.11.11.11

crypto map cm-cryptomap 1 ipsec-isakmp
 description IPsec to Site
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 101
 qos pre-classify

interface Tunnel29
 description IP Tunnel to Site B from Site A
 bandwidth 4096
 ip address 11.25.1.2 255.255.255.0
 ip pim sparse-mode
 shutdown
 qos pre-classify
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 crypto map cm-cryptomap


How can I change this to SSL VPN? Lots of config?
Please advise, as I'm a noob here.

Assisted Solution

by:ArneLovius
ArneLovius earned 200 total points
ID: 33656475
Do your devices have SSL licences?

I'm guessing that the ISP router is a DSL device; you could try running it in bridge mode and using the public address on your router, or, if you have more than one IP, running it as a router instead of a NAT router and using your router behind it.

Accepted Solution

by:
rfc1180 earned 300 total points
ID: 33656969
I was hoping that you would have provided the complete configs, there is not much we can do with the crypto configs, we know what the issue is; I personally like to have the configs to know what we are dealing with and to ensure that any changes/configs we provide will not overwrite anything else you might have that is important to your production network.

What you are trying to do is very common; here is what you need to do:
1. enable NAT-T (NOTE: With Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.)

More information: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

2. IPsec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately; NAT-T also needs port 4500/UDP open as well.

Depending on what firewall you do have, please note that 50 and 51 in number 2 are NOT port numbers but rather protocol numbers. Many SOHO routers will not have an option to forward protocol numbers. What you want to look for is an option to allow VPN passthru (VPN passthrough; I have seen them named differently). In addition to the VPN passthrough, you will of course still need to port forward UDP 500 and UDP 4500 to your VPN router. For the record, where are you currently port forwarding UDP 500, and the protocols 50/51? What is the make and model of the router that is connected to your ISP?

Billy
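As an added illustration of the NAT-T and port-forwarding points in the answer above (example code written for this page, not posted by rfc1180 and not taken from Cisco), the Python below builds constructed IKE, NAT-T (RFC 3948 UDP encapsulation) and raw ESP packets from the inside router 192.168.1.2 behind the public address 11.11.11.11 and runs them through a toy address-and-port NAT. The PortNat class, its port-preserving mapping and the "VPN passthrough" model are assumptions about a generic SOHO/ISP router, not the ZXV10's actual behaviour. It shows why UDP 500/4500 traffic can be mapped and forwarded, why IP protocol 50/51 gives a port-based NAT nothing to key on, and why a peer-initiated IKE packet only reaches the inside router with an explicit forward.

```python
"""Added example: IPsec through an ISP NAT router, constructed packets only.
Nothing here touches the network; all addresses follow the thread."""
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried inside UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte NAT keepalive


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4(proto, src, dst, l4):
    """Minimal IPv4 header (no options, checksum left zero) followed by L4 bytes."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst)) + l4


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse(raw):
    """Only the fields a NAT or firewall keys on: proto, addresses, UDP ports."""
    ihl = (raw[0] & 0x0F) * 4
    p = {"proto": raw[9], "src": b2ip(raw[12:16]), "dst": b2ip(raw[16:20]),
         "sport": None, "dport": None, "payload": raw[ihl:]}
    if p["proto"] == IPPROTO_UDP:
        p["sport"], p["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        p["payload"] = raw[ihl + 8:]
    return p


def classify(raw):
    """Name the IPsec-related flow a packet belongs to."""
    p = parse(raw)
    if p["proto"] in (IPPROTO_ESP, IPPROTO_AH):
        return "esp" if p["proto"] == IPPROTO_ESP else "ah"
    if p["proto"] != IPPROTO_UDP:
        return "other"
    if IKE_PORT in (p["sport"], p["dport"]):
        return "ike"
    if NATT_PORT in (p["sport"], p["dport"]):
        if p["payload"] == NAT_KEEPALIVE:
            return "natt-keepalive"
        if p["payload"][:4] == NON_ESP_MARKER:
            return "natt-ike"       # IKE moved to 4500 once a NAT was detected
        return "natt-esp"           # ESP-in-UDP: first 4 bytes are a non-zero SPI
    return "other"


class PortNat:
    """Assumed generic SOHO NAT: UDP gets a port-preserving mapping; ESP/AH have
    no ports, so they are dropped unless 'VPN passthrough' pins them to one host."""

    def __init__(self, public_ip, vpn_passthrough=False, forwards=None):
        self.public_ip, self.passthrough = public_ip, vpn_passthrough
        self.forwards = forwards or {}   # static: public UDP port -> inside IP
        self.table = {}                  # dynamic: public UDP port -> (inside IP, port)
        self.esp_host = None             # inside host currently owning passthrough
        self.next_port = 40000

    @staticmethod
    def _rewrite(raw, src, dst, sport=None, dport=None):
        out = bytearray(raw)
        out[12:16], out[16:20] = ip2b(src), ip2b(dst)
        if raw[9] == IPPROTO_UDP and sport is not None:
            ihl = (raw[0] & 0x0F) * 4
            out[ihl:ihl + 4] = struct.pack("!HH", sport, dport)
        return bytes(out)

    def outbound(self, raw):
        p = parse(raw)
        if p["proto"] == IPPROTO_UDP:
            pub = p["sport"]
            if self.table.get(pub, (p["src"], p["sport"])) != (p["src"], p["sport"]):
                pub, self.next_port = self.next_port, self.next_port + 1
            self.table[pub] = (p["src"], p["sport"])
            return self._rewrite(raw, self.public_ip, p["dst"], pub, p["dport"])
        if p["proto"] in (IPPROTO_ESP, IPPROTO_AH) and self.passthrough:
            self.esp_host = p["src"]
            return self._rewrite(raw, self.public_ip, p["dst"])
        return None                      # nothing to map on: dropped

    def inbound(self, raw):
        p = parse(raw)
        if p["proto"] == IPPROTO_UDP:
            inside = self.table.get(p["dport"])
            if inside is None and p["dport"] in self.forwards:
                inside = (self.forwards[p["dport"]], p["dport"])
            if inside:
                return self._rewrite(raw, p["src"], inside[0], p["sport"], inside[1])
        elif p["proto"] in (IPPROTO_ESP, IPPROTO_AH) and self.passthrough and self.esp_host:
            return self._rewrite(raw, p["src"], self.esp_host)
        return None


def demo():
    """Constructed flows from 192.168.1.2 behind 11.11.11.11 to peer 22.22.22.22."""
    inside, public, peer = "192.168.1.2", "11.11.11.11", "22.22.22.22"
    ike_hdr = bytes(28)                                      # stand-in ISAKMP header
    esp = struct.pack("!II", 0x1234ABCD, 1) + b"\xaa" * 16   # SPI, seq, ciphertext
    flows = {
        "ike": build_ipv4(IPPROTO_UDP, inside, peer, build_udp(500, 500, ike_hdr)),
        "natt-ike": build_ipv4(IPPROTO_UDP, inside, peer,
                               build_udp(4500, 4500, NON_ESP_MARKER + ike_hdr)),
        "natt-esp": build_ipv4(IPPROTO_UDP, inside, peer, build_udp(4500, 4500, esp)),
        "natt-keepalive": build_ipv4(IPPROTO_UDP, inside, peer,
                                     build_udp(4500, 4500, NAT_KEEPALIVE)),
        "esp": build_ipv4(IPPROTO_ESP, inside, peer, esp),
    }
    plain = PortNat(public)                                   # no VPN features at all
    vpn = PortNat(public, vpn_passthrough=True, forwards={500: inside, 4500: inside})
    out = {name: {"class": classify(pkt),
                  "plain_nat": plain.outbound(pkt) is not None,
                  "vpn_nat": vpn.outbound(pkt) is not None}
           for name, pkt in flows.items()}
    # Peer-initiated IKE to the public address, before any outbound state exists.
    probe = build_ipv4(IPPROTO_UDP, peer, public, build_udp(500, 500, ike_hdr))
    out["peer_initiated_ike"] = {
        "plain_nat": PortNat(public).inbound(probe) is not None,
        "vpn_nat": parse(PortNat(public, forwards={500: inside}).inbound(probe))["dst"]}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the raw "esp" flow is the only one a plain NAT drops, while every UDP-carried flow (IKE on 500, IKE and ESP inside 4500, the keepalive) gets a mapping; the peer-initiated probe lands on 192.168.1.2 only when UDP 500 is forwarded, which is the forwarding rule the answer asks for.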
Author Comment

by:Skrotpels
ID: 33705476
Thanks all for the answers; in the end I got a fixed IP from the ISP. So the tunnel is up again between the sites. Now I cannot ping the inside interface, but I'll create a new subject on it.

thanks