Solved

Having trouble configuring vpn for Surescripts

Posted on 2010-09-15
814 Views
Last Modified: 2012-06-27
I have attempted to configure a tunnel but am not having any luck... I found some older questions regarding this on here and have attempted to step through those as well... I am attaching the instructions I was given and my current running configuration. Can you tell me where I have messed up? Or what I am doing wrong?

Attachments:
surescripts-config.txt
current-config.txt
Question by:bmanhawks
10 Comments
 
LVL 1

Expert Comment

by:cdusio
ID: 33684027
Looks like, at a minimum, your NAT statements are not right.
Based on the Surescripts doc, you need to NAT your SIP when you are trying to talk to them to a specific IP, which I don't see in there.
That's probably what's failing, at least the first piece.

You need a static policy NAT to do this.

Author Comment

by:bmanhawks
ID: 33684164
I am not using any voice traffic, just data... So I am not sure what you are asking me to do with SIP. I know there are some lines regarding it, but that seems to be default in the device. Can you please elaborate?

Author Comment

by:bmanhawks
ID: 33684210
I know there are some lines
LVL 1

Expert Comment

by:cdusio
ID: 33684344
Source IP - SIP.

You need to NAT like this:

Your source subnet, when trying to contact this host at Surescripts, is the classifier.
The NAT is that classifier and then the appropriate NATted IP.

So say:

172.16.2.X/24 source network, destination Surescripts 10.10.10.50/32.
They want you to present them with 192.168.50.50 only.

So your classifier would be 172.16.2.0/24 to 10.10.10.50.
Your NAT would be that classifier and then the address you want to NAT to (the 192.168.50.50).

Then in your crypto map, your source IP and destination IPs are your NATted IP 192.168.50.50 to the Surescripts destination 10.10.10.50.



Author Comment

by:bmanhawks
ID: 33684391
LOL, I see what you're saying... I will give it a shot.
LVL 1

Expert Comment

by:cdusio
ID: 33684417

Here's a real-world example.

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXXXXXX




***destination ip's
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.50.83
 network-object host 192.168.50.86
 network-object host 192.168.50.85


***natted ip to crypto map
access-list outside_cryptomap extended permit ip host 172.28.168.5 object-group DM_INLINE_NETWORK_1

***policy nat
access-list inside_nat_static extended permit ip host 192.168.254.5 object-group DM_INLINE_NETWORK_1
static (inside,outside) 172.28.168.5  access-list inside_nat_static
!


crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer XX.XX.XX.Xx
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside


Author Comment

by:bmanhawks
ID: 33685144
Made some changes... I should be able to ping the remote hosts from 192.168.2.8, but it's still not making it. Thank you for your help, BTW.
object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.85
 network-object host 192.168.50.86
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.224 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq smtp
access-list outside_2_cryptomap extended permit ip host 172.38.26.8 object-group remote-vpn-hosts
access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip host 172.38.26.8 host 66.179.80.108
access-list inside_nat_outbound extended permit ip host 172.38.26.8 object-group remote-vpn-hosts
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
LVL 1

Accepted Solution

by: cdusio (earned 500 total points)
ID: 33685721
Try this. I can't see your tunnel config at the moment, but this should be right for the NATs.

object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.85
 network-object host 192.168.50.86

access-list inside_nat_static extended permit ip 192.168.2.0 255.255.255.0 object-group remote-vpn-hosts

static (inside,outside) 172.38.26.8 access-list inside_nat_static
access-list outside_2_cryptomap extended permit ip host 172.38.26.8 object-group remote-vpn-hosts




crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer XX.XX.XX.XX
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside

Author Comment

by:bmanhawks
ID: 33686038
Thanks a ton, CD... We got it up and going; that last little bit of information did the trick!
static (inside,outside) 172.38.26.8 access-list inside_nat_static
ERROR: access-list used in static has different local addresses
was the only thing that stumped me, but I did get it going. I will send you a copy of my final config in case anyone else has some trouble along these lines, and you can have some notes.
latest-config.txt
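As an added check, not part of the thread: the expert's rule above (the policy-NAT ACL classifies the real inside source talking to the Surescripts hosts; the crypto-map ACL then carries the translated source to those same hosts) and the "different local addresses" error the asker hit can both be verified mechanically before the pre-8.3 `static ... access-list` config is pasted into the box. The script below is mine, not the asker's or the expert's. It parses only the object-group, `permit ip` access-list, `static` and `crypto map ... match address` lines that appear in this thread, uses the accepted answer's NAT and crypto lines as its sample input plus two constructed broken variants, and assumes (not stated in the thread) that a policy static's mapped address takes the mask of the real network in the ACL.

```python
"""Consistency checks for a pre-8.3 ASA policy static NAT feeding an IPsec crypto map."""
import re
from ipaddress import ip_network


def _operand(tokens, groups):
    """Consume one ACL address operand: any | host A | A MASK | object-group G."""
    head = tokens.pop(0)
    if head == "any":
        return [ip_network("0.0.0.0/0")]
    if head == "host":
        return [ip_network(tokens.pop(0) + "/32")]
    if head == "object-group":
        return list(groups[tokens.pop(0)])
    return [ip_network(f"{head}/{tokens.pop(0)}", strict=False)]


def parse_asa(text):
    """Pick out object-groups, permit-ip ACEs, policy statics and crypto-map ACL bindings."""
    groups, acls, statics, crypto = {}, {}, {}, {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"object-group network (\S+)$", line):
            group = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"network-object host (\S+)$", line)) and group is not None:
            group.append(ip_network(m.group(1) + "/32"))
        elif (m := re.match(r"network-object (\S+) (\S+)$", line)) and group is not None:
            group.append(ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            tokens = m.group(2).split()
            src = _operand(tokens, groups)
            dst = _operand(tokens, groups)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)", line):
            statics[m.group(4)] = m.group(3)            # NAT ACL name -> mapped address
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            crypto[m.group(3)] = (m.group(1), int(m.group(2)))
    return {"groups": groups, "acls": acls, "statics": statics, "crypto": crypto}


def audit(text, nat_acl, crypto_acl):
    """Return human-readable findings; an empty list means NAT and crypto ACL agree."""
    cfg = parse_asa(text)
    if nat_acl not in cfg["statics"]:
        return [f"no 'static ... access-list {nat_acl}' found"]
    findings = []
    if crypto_acl not in cfg["crypto"]:
        findings.append(f"{crypto_acl} is not bound to any crypto map entry")
    nat_aces = cfg["acls"].get(nat_acl, [])
    if not nat_aces:
        return findings + [f"{nat_acl} has no permit ip entries"]
    locals_ = {n for src, _ in nat_aces for n in src}
    if len(locals_) != 1:
        # The ASA refuses the static outright in this case:
        # "ERROR: access-list used in static has different local addresses"
        findings.append(f"{nat_acl}: ACEs name different local addresses {sorted(map(str, locals_))}")
        return findings
    (local,) = locals_
    # Assumed here (not stated in the thread): the mapped address of a policy static
    # takes the real network's mask, so a host maps to a host and a /24 to a /24.
    mapped = ip_network(f"{cfg['statics'][nat_acl]}/{local.prefixlen}", strict=False)
    nat_dsts = {n for _, dst in nat_aces for n in dst}
    crypto_aces = cfg["acls"].get(crypto_acl, [])
    for src, dst in crypto_aces:
        for s in src:
            if s.overlaps(local):
                findings.append(f"{crypto_acl}: source {s} is the pre-NAT address; the tunnel must carry {mapped}")
            elif not s.subnet_of(mapped):
                findings.append(f"{crypto_acl}: source {s} is not the translated address {mapped}")
        for d in dst:
            if not any(d.subnet_of(n) for n in nat_dsts):
                findings.append(f"{crypto_acl}: destination {d} is encrypted but never translated")
    crypto_dsts = {n for _, dst in crypto_aces for n in dst}
    for n in nat_dsts:
        if not any(n.subnet_of(c) for c in crypto_dsts):
            findings.append(f"{nat_acl}: destination {n} is translated but not in the crypto ACL")
    return findings


# Sample input: the accepted answer's NAT and crypto ACL lines (peer line omitted).
NAT_ACE = "access-list inside_nat_static extended permit ip 192.168.2.0 255.255.255.0 object-group remote-vpn-hosts"
CRYPTO_ACE = "access-list outside_2_cryptomap extended permit ip host 172.38.26.8 object-group remote-vpn-hosts"
ACCEPTED = f"""\
object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.85
 network-object host 192.168.50.86
{NAT_ACE}
static (inside,outside) 172.38.26.8 access-list inside_nat_static
{CRYPTO_ACE}
crypto map outside_map 2 match address outside_2_cryptomap
"""

# Constructed variant: two ACEs with different local hosts behind one static (the quoted ASA error).
SPLIT_LOCALS = ACCEPTED.replace(NAT_ACE,
    "access-list inside_nat_static extended permit ip host 192.168.2.8 object-group remote-vpn-hosts\n"
    "access-list inside_nat_static extended permit ip host 192.168.2.9 object-group remote-vpn-hosts")

# Constructed variant: crypto ACL written with the inside address instead of the NATted one.
PRE_NAT_CRYPTO = ACCEPTED.replace(CRYPTO_ACE,
    "access-list outside_2_cryptomap extended permit ip host 192.168.2.8 object-group remote-vpn-hosts")

if __name__ == "__main__":
    for name, cfg in [("accepted", ACCEPTED), ("split locals", SPLIT_LOCALS), ("pre-NAT crypto", PRE_NAT_CRYPTO)]:
        print(name, audit(cfg, "inside_nat_static", "outside_2_cryptomap") or ["ok"])
```

The accepted configuration audits clean, the split-local variant reproduces the condition behind the error the asker quoted, and the pre-NAT variant catches the mistake the expert warns about: the crypto-map ACL must name the translated address, because the crypto map is matched after NAT on the outbound path.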

Author Comment

by:bmanhawks
ID: 33718106
I did notice one side effect from getting this tunnel back up that I didn't look for straight away... I have a tunnel between Surescripts and my server, but all other traffic has stopped working. For example, if I open a browser or attempt to ping an external source like www.yahoo.com, the request fails. Any ideas?