Official Lammle User Forum

  1. #1 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Site-to-site VPN issues

    I always seem to do things the most difficult way and have been banging my head for several days with this.

    Scenario:

    I have set up a site-to-site VPN from my office router (c2821 w/ IOS 15.1(3)T) to a remote router (c2621XM w/ 12.4(25b)), both advEnt-k9 images.

    I am able to ping the interesting remote private networks from my desktop using the private IP addresses so I know the tunnel is working properly.

    The problem is that I am unable to access a particular device (Wireless LAN Controller @ 10.0.100.21) using a web browser to enable remote management of the device over the VPN. I think I know the problem source but before I get to my suspicions here are the associated configs.

    Also, The Tunnel is stable and does not flap!

    c2821 Configs
    Code:
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 4096
    enable secret 5 somesecretpassword
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network ciscocp_vpn_group_ml_1 local 
    !
    !
    !
    !
    !
    aaa session-id common
    !
    !
    crypto isakmp policy 9
     hash md5
     authentication pre-share
    ! Public IP address at other end of tunnel
    crypto isakmp key somekeyknowtomealone address XXX.XXX.XXX.XXX
    !
    crypto ipsec transform-set 3deshmac esp-3des esp-sha-hmac 
    !
    crypto map toQIDenEast 1 ipsec-isakmp 
     set peer XXX.XXX.XXX.XXX
     set transform-set 3deshmac 
     match address HDTVPN1
    !
    !
    interface GigabitEthernet0/0
     description $FW_OUTSIDE$
     ip address YYY.YYY.YYY.YYY SSS.SSS.SSS.SSS
     ip access-group hdtWANsecure in
     no ip redirects
     no ip unreachables
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map toQIDenEast
     crypto ipsec df-bit clear
    !
    !
    interface GigabitEthernet0/1.10
     description $FW_INSIDE$ Device Management sub-interface
     encapsulation dot1Q 10 native
     ip address 192.168.254.1 255.255.255.224
     no ip redirects
     no ip unreachables
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.11
     description $FW_INSIDE Data Subnet$
     encapsulation dot1Q 11
     ip address 10.10.11.1 255.255.255.224
     ip access-group hdtLANsecure in
     no ip redirects
     no ip unreachables
     ip nat inside
     ip virtual-reassembly in
    !
    !
    !
    !
    ip nat inside source static udp 10.10.11.11 69 interface GigabitEthernet0/0 69
    ip nat inside source static udp 192.168.254.5 162 interface GigabitEthernet0/0 162
    ip nat inside source static udp 192.168.254.5 514 interface GigabitEthernet0/0 514
    ip nat inside source static tcp 192.168.254.5 1645 interface GigabitEthernet0/0 1645
    ip nat inside source static tcp 192.168.254.5 1646 interface GigabitEthernet0/0 1646
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 nex.tho.p.rtr
    !
    ip access-list extended HDT_NAT
     deny   ip 10.10.11.0 0.0.0.31 192.168.255.0 0.0.0.7
     deny   ip 10.10.11.0 0.0.0.31 10.0.100.0 0.0.0.255
     permit ip 192.168.255.0 0.0.0.31 any
     permit ip 172.16.0.4 0.0.0.1 any
     permit ip 10.10.11.64 0.0.0.31 any
     permit ip 10.10.11.32 0.0.0.31 any
     permit ip 10.10.11.0 0.0.0.31 any
     permit ip 10.10.102.0 0.0.1.255 any
     permit ip 10.10.100.0 0.0.0.63 any
    ip access-list extended hdtLANsecure
     remark Apply to Gi0/1.11 as ip access-group in
     remark CCP_ACL Category=17
     permit udp host 10.10.11.3 eq domain any
     permit ip 10.10.11.0 0.0.0.31 any
     deny   ip any any
    ip access-list extended hdtVTYsecure
     remark ACL applied to line vty 0 4 as access-class hdtVTYsecure in
     remark CCP_ACL Category=17
     permit tcp 10.10.11.0 0.0.0.255 any eq 22
     permit tcp 10.10.11.0 0.0.0.255 any eq telnet
     permit tcp 172.16.0.0 0.0.0.15 any eq 22
     permit tcp 172.16.0.0 0.0.0.15 any eq telnet
     permit tcp 192.168.255.0 0.0.0.255 any eq 22
     permit tcp 192.168.255.0 0.0.0.255 any eq telnet
     deny   ip any any
    ip access-list extended hdtWANsecure
     remark Apply to Gi0/0 as ip access-group in
     remark CCP_ACL Category=17
     permit ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
     permit ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     permit udp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY eq non500-isakmp
     permit udp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY eq isakmp
     permit esp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
     permit ahp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
     permit udp host 8.8.8.4 eq domain any
     permit udp host 8.8.8.8 eq domain any
     deny   ip 10.0.0.0 0.255.255.255 any log
     deny   ip 127.0.0.0 0.255.255.255 any log
     deny   ip 172.16.0.0 0.15.255.255 any log
     deny   ip 192.168.0.0 0.0.255.255 any log
     permit udp any 10.0.0.0 0.63.255.255 eq ntp
     permit tcp any 10.10.11.0 0.0.0.31 eq 5070
     permit udp any 10.10.11.0 0.0.0.31 eq 5060
     permit ip any any
    ip access-list extended hdtWAPmgmtSecure
     remark Apply to F0/1.101 as ip access-group hdtWAPmgmtSecure in
     permit ip 10.10.100.0 0.0.1.63 any
     deny   ip any any
    ip access-list extended HDTVPN1
     permit ip 10.10.11.0 0.0.0.31 10.0.100.0 0.0.0.255
     permit ip 10.10.11.0 0.0.0.31 192.168.255.0 0.0.0.7
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address HDT_NAT
    !
    c2621XM Router at remote location
    Code:
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local 
    !
    aaa session-id common
    !
    !
    crypto isakmp policy 9
     hash md5
     authentication pre-share
    crypto isakmp key somekeyknowtomealone address ZZZ.ZZZ.ZZZ.ZZZ
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set 3deshmac esp-3des esp-sha-hmac 
    !
    crypto map toHDT 1 ipsec-isakmp 
     set peer ZZZ.ZZZ.ZZZ.ZZZ
     set transform-set 3deshmac 
     match address DenEastVPN
    !
    !
    !
    !
    interface FastEthernet0/0
     description Connection to ISP through Workgroup Switch $FW_OUTSIDE$
     ip address uuu.uuu.uuu.uuu SSS.SSS.SSS.SSS
     ip access-group secureISP in
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map toHDT
     crypto ipsec df-bit clear
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    !
    interface FastEthernet0/1.11
     description $FW_DMZ$ Device Management sub-interface
     encapsulation dot1Q 11 native
     ip address 192.168.255.1 255.255.255.248
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1.100
     description $FW_INSIDE$ WLAN Management sub-interface
     encapsulation dot1Q 100
     ip address 10.0.100.1 255.255.255.0
     ip access-group WLANMgnt in
     ip nat inside
     ip inspect SDM_LOW in
     ip virtual-reassembly
    !
    !ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.0.100.21 80 interface FastEthernet0/0 10000
    !
    !
    ip access-list extended Nat
     deny   ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
     deny   ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     permit ip 10.0.102.0 0.0.1.255 any
     permit ip 10.0.100.0 0.0.0.255 any
     permit ip 192.168.255.0 0.0.0.7 any
     permit ip 172.16.0.0 0.0.0.255 any
    !
    ip access-list extended WLANMgnt
     remark Apply to F0/1.100 as ip access-group WLANMgnt
     permit udp host 192.43.244.18 eq ntp host 10.0.100.1 eq ntp
     deny   ip 10.0.0.0 0.0.1.255 any
     deny   ip 192.168.255.0 0.0.0.7 any
     deny   ip 172.16.0.0 0.0.0.255 any
     deny   ip 65.112.204.112 0.0.0.7 any
     deny   ip host 255.255.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     permit ip any any
    ip access-list extended secureISP
     remark Apply to F0/0 as ip access-group secureISP in
     remark SDM_ACL Category=17
     permit ip 10.10.11.0 0.0.0.31 192.168.255.0 0.0.0.7
     permit ip 10.10.11.0 0.0.0.31 10.0.100.0 0.0.0.255
     permit udp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX eq non500-isakmp
     permit udp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX eq isakmp
     permit esp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX
     permit ahp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX
     permit udp host 192.43.244.18 eq ntp any eq ntp
     permit udp host YYY.YYY.YYY.YYY any log
     permit icmp any XXX.XXX.XXX.XXX echo-reply
     permit icmp any host XXX.XXX.XXX.XXX time-exceeded
     permit icmp any host XXX.XXX.XXX.XXX unreachable
     permit tcp any host XXX.XXX.XXX.XXX eq 443
     permit tcp any host XXX.XXX.XXX.XXX eq 10000 log
     permit tcp any host XXX.XXX.XXX.XXX eq 22
     permit tcp any host XXX.XXX.XXX.XXX eq cmd
     permit tcp any host 192.168.255.4 eq 443 log
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     deny   ip 172.16.0.0 0.0.255.255 any
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip host 255.255.255.255 any
     deny   ip host 0.0.0.0 any
     deny   ip any any log
    ip access-list extended DenEastVPN
     permit ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     permit ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
    !
    route-map SDM_RMAP_1 permit 1
     match ip address Nat
    I have searched for an answer on Cisco and many other sources and have not been able to find anything to define the behavior.

    I suspect the problem is in the c2621XM's config concerning this line:
    Code:
    ip nat inside source static tcp 10.0.100.21 80 interface FastEthernet0/0 10000
    Remote access to the device (Wireless LAN Controller) currently uses port forwarding.
    So, the questions:
    1. Is my suspicion correct? If so could someone provide a link to documentation?
    2. Is there a way to be able to use port forwarding and VPN access together, or even including access via VPN Client Software?
      • Route Maps?
      • Other methods?
    I'm not looking for a handout on this, just direction. Normally, I would LAB this to achieve a proof of concept, but I am in the process of re-working/re-cabling my LAB (several days' work).
    I will be adding additional functionality in the future (RADIUS/TACACS+, Port Monitoring, etc) that will depend on this VPN connection(s) so I am trying to lay the groundwork for that functionality.

    Thanks,
    John

    CCNA
    CCNA:Voice
    ATSA Internetworking - AdTran

  2. #2 (Join Date: Mar 2008; Posts: 2,888)

    Can you SSH to the WLC, mate, or are all ports/ping etc. to the WLC not working?
    Maddox Thomas-Clark 14/10/2008
    Bean Thomas-Clark 18/09/2007
    Big Evils Cisco World
    Linkedin

  3. #3 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Originally Posted by Big Evil:
    Can you SSH the WLC mate or is all ports/ping etc to the WLC not working?
    B.E.

    I am able to ping and SSH the WLC without issues. The only problem is accessing via HTTP.

    Thanks
    Last edited by HermeszData; 09-28-2011 at 09:45 AM.
    John


  4. #4 (Join Date: Mar 2008; Posts: 2,888)

    Can you create a catch all ACL?

    Like -

    Code:
    R1(config)# logging buffered 15000
    R1(config)# access-list 101 permit tcp any gt 0 any gt 0 log
    R1(config)# access-list 101 permit udp any gt 0 any gt 0 log
    R1(config)# access-list 101 permit icmp any any
    R1(config)# access-list 101 permit ip any any log
    R1(config)# interface [type slot/port]
    R1(config-if)# ip access-group 101 in

  5. #5 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Originally Posted by Big Evil:
    Can you create a catch all ACL?

    Like -

    Code:
    R1(config)# logging buffered 15000
    R1(config)# access-list 101 permit tcp any gt 0 any gt 0 log
    R1(config)# access-list 101 permit udp any gt 0 any gt 0 log
    R1(config)# access-list 101 permit icmp any any
    R1(config)# access-list 101 permit ip any any log
    R1(config)# interface [type slot/port]
    R1(config-if)# ip access-group 101 in
    On which router and what interface?

    Most of the ACLs are Extended Named ACLs on both routers. I could simply add the lines as appropriate.
    John


  6. #6 (Join Date: Mar 2008; Posts: 2,888)

    I would start at the ingress on your LAN, then the egress on your site, then the egress on your other site, and finally your ingress at the other site.
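One way to work through the checkpoint sequence B.E. lists (ingress on the local LAN, egress at the local WAN, then the far end) is to collect the `%SEC-6-IPACCESSLOGP` lines each router buffers when a `log` ACL entry fires and look for the flow at each point in path order. The script below is an added example, not code from the thread or from Cisco; the log lines are constructed to show a reply whose source is rewritten on the way out, 198.51.100.1 stands in for the remote router's public address, and the checkpoint names are mine.

```python
"""Trace a flow across ACL-logging checkpoints by parsing IOS
%SEC-6-IPACCESSLOGP lines. Added example; the log lines are constructed and
198.51.100.1 is a placeholder for the remote router's public address."""
import re

# IOS logs TCP/UDP hits on "log" ACL entries in this shape.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(lines):
    """Return parsed records for the lines that are ACL log messages."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def trace(flow, checkpoints):
    """For each (name, lines) checkpoint, in path order, return the first
    record matching flow = (src, dst, dport), or None if it was not logged."""
    src, dst, dport = flow
    result = []
    for name, lines in checkpoints:
        hit = next((r for r in parse(lines)
                    if (r["src"], r["dst"], r["dport"]) == (src, dst, dport)), None)
        result.append((name, hit))
    return result

def first_lost(flow, checkpoints):
    """Name of the first checkpoint that did not log the flow, or None."""
    for name, hit in trace(flow, checkpoints):
        if hit is None:
            return name
    return None

def sources_toward(dst, dport, lines):
    """Every (src, sport) seen heading to dst:dport at one checkpoint. A source
    that differs from the one the trace lost points at a NAT rewrite."""
    return {(r["src"], r["sport"]) for r in parse(lines)
            if (r["dst"], r["dport"]) == (dst, dport)}

def log(ms, text):
    """Build one constructed log line in the IOS format."""
    return f"Sep 28 14:02:11.{ms:03d} MDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp {text}, 1 packet"

# Constructed buffers, one per checkpoint, in the order the packet travels.
REQUEST = ("10.10.11.11", "10.0.100.21", 80)     # office desktop -> WLC HTTP
REPLY = ("10.0.100.21", "10.10.11.11", 57425)    # WLC -> office desktop
REQUEST_PATH = [
    ("office Gi0/1.11 in", [log(101, "10.10.11.11(57425) -> 10.0.100.21(80)")]),
    ("office Gi0/0 out",   [log(102, "10.10.11.11(57425) -> 10.0.100.21(80)")]),
    ("remote Fa0/0 in",    [log(140, "10.10.11.11(57425) -> 10.0.100.21(80)")]),
]
REPLY_PATH = [
    ("remote Fa0/1.100 in", [log(141, "10.0.100.21(80) -> 10.10.11.11(57425)")]),
    # By the time the outbound ACL on Fa0/0 sees the reply, NAT has already
    # rewritten its source to the public address and forwarded port.
    ("remote Fa0/0 out",    [log(142, "198.51.100.1(10000) -> 10.10.11.11(57425)")]),
    ("office Gi0/0 in",     ["Sep 28 14:02:11.150 MDT: %SEC-6-IPACCESSLOGP: list hdtWANsecure "
                             "denied udp 203.0.113.9(5060) -> 10.10.11.5(5060), 1 packet"]),
]

if __name__ == "__main__":
    for flow, path in ((REQUEST, REQUEST_PATH), (REPLY, REPLY_PATH)):
        for name, hit in trace(flow, path):
            print(f"{name:22} {'seen' if hit else 'MISSING'}")
        lost = first_lost(flow, path)
        if lost:
            seen = sources_toward(flow[1], flow[2], dict(path)[lost])
            print(f"  lost at {lost}; sources toward {flow[1]}:{flow[2]} there: {seen}")
```

Run on real buffers, point each checkpoint at the output of `show logging` from the router that owns that interface; the request trace should come back clean, and the checkpoint where the reply trace stops is where to look next.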

  7. #7 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Originally Posted by Big Evil:
    I would start at the ingress on your LAN, then the egress on your site, then the egress on your other site, and finally your ingress at the other site.

    When I applied the catch-all ACL variously as suggested, the local LAN/WAN logged the packet. The remote WAN ACL did not log the same packet; however, the ACL on the associated LAN did log the packet.

    However, when I ran the sh ip nat trans command, I received the following:
    Code:
    CO172Rtr(config-ext-nacl)#do sh ip nat trans
    Pro Inside global         Inside local          Outside local         Outside global
    tcp XXX.XXX.XXX.XXX:10000  10.0.100.21:80        10.10.11.11:57425     10.10.11.11:57425
    tcp XXX.XXX.XXX.XXX:10000  10.0.100.21:80        ---                   ---
    XXX.XXX.XXX.XXX = Public IP of remote router!

    Although the NAT ACL is applied using the route-map attribute:
    Code:
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.0.100.21 80 interface FastEthernet0/0 10000
    !
    !
    ip access-list extended Nat
     deny   ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
     deny   ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     permit ip 10.0.102.0 0.0.1.255 any
     permit ip 10.0.100.0 0.0.0.255 any
     permit ip 192.168.255.0 0.0.0.7 any
     permit ip 172.16.0.0 0.0.0.255 any
    !
    route-map SDM_RMAP_1 permit 1
     match ip address Nat
    !
    the static port forwarding appears to take precedence and translates the connection anyway, sending the return packet out the public (non-VPN) interface to the private IP address 10.10.11.11.

    This confirms my suspicion regarding the port forwarding to the WLC's IP being the cause. The question again is how do I overcome this in a way that we are able to access the WLC via VPN and still utilize port forwarding in case the VPN is not available.

    What impact might this have on implementing access to various network devices using VPN Client Software, where a remote user needs to gain access (i.e. I need to log in to a device when I am not at my office) to check on an issue?
    Last edited by HermeszData; 09-28-2011 at 04:31 PM.
    John


  8. #8 (Join Date: Mar 2008; Posts: 2,888)

    If you remove the static NAT, I take it that it works OK over the VPN?

  9. #9 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Originally Posted by Big Evil:
    If you remove the static NAT i take it that it works ok over the VPN?
    This is correct.
    John


  10. #10 (Join Date: Mar 2008; Posts: 2,888)

    You are going to need a route map that states no NAT and a source to push it back to, maybe by a prefix list.

  11. #11 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Originally Posted by Big Evil:
    You are going to need a route map that states no nat and a a source to push it back to, maybe by a prefix list.
    This is what I already have:
    Code:
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.0.100.21 80 interface FastEthernet0/0 10000
    !
    !
    ip access-list extended Nat
     deny   ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
     deny   ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     permit ip 10.0.102.0 0.0.1.255 any
     permit ip 10.0.100.0 0.0.0.255 any
     permit ip 192.168.255.0 0.0.0.7 any
     permit ip 172.16.0.0 0.0.0.255 any
    !
    route-map SDM_RMAP_1 permit 1
     match ip address Nat
    !
    The first 2 lines of ip access-list extended Nat exclude the subnets associated with the VPN from NAT.

    route-map SDM_RMAP_1 permit 1 sets the subnets based on ip access-list extended Nat by matching the conditions of that ACL.
    Finally, ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload applies the route-map to enable PAT on the interface.

    Am I missing something? An additional route-map? where?

    Reference documents?

    I'm not just trying to make this work, I want to understand the how/why of the config process.

    Thanks.
    Last edited by HermeszData; 09-29-2011 at 12:47 PM.
    John


  12. #12 (Join Date: Jun 2009; Location: Denver, CO; Posts: 226)

    Issues resolved

    Gotta love head banging.

    As I stated earlier, the issue was with the port forwarding!
    Code:
    ip nat inside source static tcp 10.0.100.21 80 interface f0/0 10000
    The resolution follows.

    Code:
    ! Delete the original port forwarding statement to the WLC
    no ip nat inside source static tcp 10.0.100.21 80 interface f0/0 10000
    !
    ip access-list extended DENY_NAT
     remark access list to deny VPN traffic 
     deny   ip 10.0.100.0 0.0.0.255 10.10.11.0 0.0.0.31
     deny   ip 192.168.255.0 0.0.0.7 10.10.11.0 0.0.0.31
    exit
    !
    route-map NAT_Deny_VPN permit 10
     description route-map to apply to the new/replacement port forwarding statement
     match ip address DENY_NAT
    exit
    !
    ! Port forwarding statement using the public IP address instead of the interface, gated by the newly created route-map
    ip nat inside source static tcp 10.0.100.21 80 XXX.XXX.XXX.XXX 10000 route-map NAT_Deny_VPN extendable
    Giving credit where due, I found the solution here: http://www.problutions.com/?p=313

    Thanks for the help B.E.
    Last edited by HermeszData; 09-30-2011 at 08:57 AM.
    John

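The behaviour John documents in post #7 and fixes in post #12 follows from the IOS order of operations on the inside-to-outside path: NAT (a matching static entry first, then the overload entry) is applied before the crypto map's `match address` ACL is evaluated, so once the WLC's reply has been rewritten to `public:10000` it no longer matches DenEastVPN and leaves Fa0/0 in the clear. Gating the static entry with a route map whose ACL denies the VPN pairs keeps the reply untranslated, and the crypto ACL then catches it. The simulation below is an added example, not config or code from the thread or from Cisco, and it models only that ordering. The public address 198.51.100.1 and the Internet client 203.0.113.50 are placeholders, and the trailing `permit ip any any` in the route-map ACL is my assumption (the DENY_NAT list as posted contains only the two deny lines).

```python
"""Simulate the IOS inside-to-outside order that matters here: NAT runs
before the crypto map's ACL is consulted, so a static port-forward can pull
a reply out of the tunnel. Added example, not the thread's config; the
public address 198.51.100.1 is a placeholder for XXX.XXX.XXX.XXX."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

PUBLIC = "198.51.100.1"   # placeholder for the remote router's Fa0/0 address
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# An ACL is an ordered list of (action, source-net, destination-net);
# as on IOS, no match means deny.
Acl = Sequence[Tuple[str, str, str]]

def acl_permits(acl: Acl, pkt: Packet) -> bool:
    for action, src_net, dst_net in acl:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action == "permit"
    return False

# match address DenEastVPN on the remote router
CRYPTO_ACL: Acl = [("permit", "10.0.100.0/24", "10.10.11.0/27"),
                   ("permit", "192.168.255.0/29", "10.10.11.0/27")]
# extended ACL "Nat" behind the overload entry
NAT_ACL: Acl = [("deny", "192.168.255.0/29", "10.10.11.0/27"),
                ("deny", "10.0.100.0/24", "10.10.11.0/27"),
                ("permit", "10.0.100.0/24", ANY),
                ("permit", "192.168.255.0/29", ANY)]
# ACL for the route map on the static entry. The final permit is an
# assumption: the posted DENY_NAT list contains only the two deny lines.
DENY_NAT_RMAP: Acl = [("deny", "10.0.100.0/24", "10.10.11.0/27"),
                      ("deny", "192.168.255.0/29", "10.10.11.0/27"),
                      ("permit", ANY, ANY)]

@dataclass(frozen=True)
class StaticNat:
    local_ip: str
    local_port: int
    global_port: int
    route_map: Optional[Tuple[Tuple[str, str, str], ...]] = None

def inside_to_outside(pkt: Packet, static: Optional[StaticNat], nat_acl: Acl, crypto_acl: Acl):
    """Return (packet as it leaves the outside interface, encrypted?)."""
    out = pkt
    # 1. A matching static entry is used before the dynamic overload entry.
    if (static is not None
            and (pkt.src, pkt.sport) == (static.local_ip, static.local_port)
            and (static.route_map is None or acl_permits(static.route_map, pkt))):
        out = replace(pkt, src=PUBLIC, sport=static.global_port)
    # 2. Otherwise the overload entry translates what its ACL permits (PAT).
    elif acl_permits(nat_acl, pkt):
        out = replace(pkt, src=PUBLIC, sport=50000)   # stand-in ephemeral port
    # 3. Only now does the crypto map's ACL decide whether to encrypt.
    return out, acl_permits(crypto_acl, out)

# WLC replies: to the office desktop over the VPN, and to an Internet user of
# the port-forward (203.0.113.50 is a documentation-range placeholder).
REPLY_TO_VPN = Packet("10.0.100.21", 80, "10.10.11.11", 57425)
REPLY_TO_INTERNET = Packet("10.0.100.21", 80, "203.0.113.50", 4444)

def broken(pkt: Packet):
    """Post #1: static port-forward with no route map."""
    return inside_to_outside(pkt, StaticNat("10.0.100.21", 80, 10000), NAT_ACL, CRYPTO_ACL)

def fixed(pkt: Packet):
    """Post #12: the same static entry gated by the NAT_Deny_VPN route map."""
    gated = StaticNat("10.0.100.21", 80, 10000, tuple(DENY_NAT_RMAP))
    return inside_to_outside(pkt, gated, NAT_ACL, CRYPTO_ACL)

if __name__ == "__main__":
    for label, (out, enc) in [("broken, reply to VPN peer", broken(REPLY_TO_VPN)),
                              ("fixed, reply to VPN peer", fixed(REPLY_TO_VPN)),
                              ("fixed, reply to Internet", fixed(REPLY_TO_INTERNET))]:
        print(f"{label:26}: {out.src}:{out.sport} -> {out.dst}:{out.dport}  encrypted={enc}")
```

The "broken" case reproduces the `sh ip nat trans` entry from post #7 (inside global `public:10000`, outside `10.10.11.11`), and removing the static entry altogether gives the result B.E. asked about in post #8. On the router itself, `show ip nat translations` remains the quick check after the change: a WLC reply addressed to 10.10.11.0/27 should no longer show up as a translation on port 10000, while replies to Internet clients still should.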

  13. #13 (Join Date: Mar 2008; Posts: 2,888)

    Nice work my man!
