  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 540

ipsec vpn through isp router

Got a question for you; I'm not a Cisco wiz, I just started playing with it.
I have a problem connecting a router to the existing network from behind an ISP router. I got one public IP address from the ISP (11.11.11.11), and I have a Cisco 2801 on the inside connecting to an existing network.

Getting this error message:
IPSEC(validate_proposal): invalid local address 192.168.1.2

192.168.1.2 is the IP address of FastEthernet 0/1, which is connected to the ISP router (ZXV10) and configured as DMZ.

Here's the crypto setup:
crypto isakmp key PresharedKey address 22.22.22.22

crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100

interface Tunnel1
 description GRE IPsec Tunnel from A to B
 bandwidth 1536
 ip address 11.25.1.2 255.255.255.0
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap

interface FastEthernet0/1
 description outside interface to isp
 ip address 192.168.1.2 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap

I've added the access lists and the crypto map to FastEthernet, as you can see.

Is it at all possible to do this? Or am I chasing an impossible dream?

Asked by Skrotpels

2 Solutions
 
Istvan KalmarCommented:
Hi,

If you have a private outside address, the tunnel is never going to come up....
rfc1180Commented:
Please provide the configs from both sides.

Billy
ArneLoviusCommented:
I think your problem is that you are trying to use an IPsec tunnel over NAT while using the public address as the exit address.

If you want a site-to-site tunnel to run over NAT, I would suggest that you use SSL instead...
SkrotpelsAuthor Commented:
Here's the config on the other side; it's completely the same, just the opposite way round :)

crypto isakmp key PreSharedKey address 11.11.11.11

crypto map cm-cryptomap 1 ipsec-isakmp
 description IPsec to Site
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 101
 qos pre-classify

interface Tunnel29
 description IP Tunnel to Site B from Site A
 bandwidth 4096
 ip address 11.25.1.2 255.255.255.0
 ip pim sparse-mode
 shutdown
 qos pre-classify
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 crypto map cm-cryptomap


How can I change this to SSL VPN? Is it a lot of config?
Please advise, as I'm a noob here.
ArneLoviusCommented:
Do your devices have SSL licences?

I'm guessing that the ISP router is a DSL device. You could try running it in bridge mode and using the public address on your router, or, if you have more than one IP, running it as a router instead of a NAT router and using your router behind it.
rfc1180Commented:
I was hoping that you would have provided the complete configs; there is not much we can do with only the crypto configs. We know what the issue is, but I personally like to have the configs to know what we are dealing with and to ensure that any changes/configs we provide will not overwrite anything else you might have that is important to your production network.

What you are trying to do is very common; here is what you need to do:
1. Enable NAT-T (NOTE: with Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.)

More information: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

2. IPsec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately; NAT-T also needs UDP port 4500 open.

Depending on what firewall you have, please note that 50 and 51 in number 2 are NOT port numbers but rather protocol numbers. Many SOHO routers will not have an option to forward protocol numbers. What you want to look for is an option to allow VPN passthrough (I have seen it named differently); in addition to the VPN passthrough, you will of course still need to port forward UDP 500 and UDP 4500 to your VPN router. For the record, are you currently port forwarding UDP 500, and protocols 50/51? What is the make and model of the router that is connected to your ISP?

Billy
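The configuration below is an added example, not rfc1180's or the poster's own config. It applies the two steps above to the routers in this thread: NAT-T made explicit, the GRE tunnel sourced from the address the 2801 actually holds (192.168.1.2; the 2801 never owns 11.11.11.11, that address sits on the ZXV10, so the original tunnel source and the peer's expectations cannot agree), and Site B pointed at the private GRE endpoint through a host route so its crypto ACL matches the inner GRE packets as they really look after decryption. Assumptions, none of them stated in the thread: the ZXV10 keeps forwarding everything (DMZ) to 192.168.1.2 and has LAN address 192.168.1.1; the tunnel subnet is split into 11.25.1.1 (B) and 11.25.1.2 (A) so the two ends no longer share one address; cm-transformset-1 and a matching ISAKMP policy already exist on both routers; <B-next-hop> and <B-WAN-interface> are placeholders for Site B's real values.

```cisco
!!! Site A: Cisco 2801 behind the ISP NAT router (ZXV10, DMZ host = 192.168.1.2)
! Added example; assumptions are marked. NAT-T (ESP carried in UDP/4500) is the
! default since 12.2(13)T, this line only makes it explicit. Plain ESP (protocol
! 50) has no ports, which is why a SOHO NAT box cannot track or forward it.
crypto ipsec nat-transparency udp-encapsulation
!
crypto isakmp key PresharedKey address 22.22.22.22
!
! The crypto ACL must match GRE as the router actually builds it: sourced from
! its own address, not from the ISP's public address.
access-list 100 permit gre host 192.168.1.2 host 22.22.22.22
!
crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100
!
interface Tunnel1
 description GRE IPsec Tunnel from A to B
 ip address 11.25.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Source from the interface. A tunnel source the router does not hold is what
 ! makes the local and remote crypto endpoints disagree.
 tunnel source FastEthernet0/1
 tunnel destination 22.22.22.22
!
interface FastEthernet0/1
 description outside interface to ISP NAT router
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 crypto map cm-cryptomap
!
! Assumed: 192.168.1.1 is the ZXV10's LAN address.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! If an inbound ACL is applied to Fa0/1 it must permit, from 22.22.22.22:
!   udp eq isakmp (500), udp eq non500-isakmp (4500) and esp.
!
!!! Site B: 22.22.22.22 is configured directly on the router
crypto isakmp key PreSharedKey address 11.11.11.11
!
! A's IKE/ESP packets arrive from 11.11.11.11 after NAT, but the GRE inside them
! is between 192.168.1.2 and 22.22.22.22. So the crypto ACL and the tunnel
! destination use A's private address, and a host route pushes that traffic out
! the WAN interface where the crypto map encrypts it towards 11.11.11.11.
access-list 101 permit gre host 22.22.22.22 host 192.168.1.2
ip route 192.168.1.2 255.255.255.255 <B-next-hop>
!
crypto map cm-cryptomap 1 ipsec-isakmp
 description IPsec to Site A
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 101
!
interface Tunnel29
 description IP Tunnel to Site A from Site B
 ip address 11.25.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 22.22.22.22
 tunnel destination 192.168.1.2
 no shutdown
!
interface <B-WAN-interface>
 crypto map cm-cryptomap
!
! Verify on either router once traffic flows over the tunnel:
!   show crypto isakmp sa     -> state QM_IDLE
!   show crypto ipsec sa      -> "local crypto endpt.: 192.168.1.2/4500" on A,
!                                i.e. NAT-T engaged and ESP leaving in UDP 4500
```

Two points worth checking before blaming the VPN: `ping 22.22.22.22 source FastEthernet0/1` from A proves the ZXV10 routes for the 2801 at all, and `debug crypto isakmp` on B shows whether NAT-T detected the NAT and whether B accepted A's identity (A presents 192.168.1.2 as its ID while its packets arrive from 11.11.11.11; if B rejects that, switching both routers to a non-address ISAKMP identity is a further change this example does not make).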
SkrotpelsAuthor Commented:
Thanks all for the answers. In the end I got a fixed IP from the ISP, so the tunnel is up again between the sites. Now I cannot ping the inside interface, but I'll create a new question on it.

Thanks
