kurzet
asked on
VPN setup between 3620 and 2621, many questions....
I'm in the process of learning this Cisco biz, so please be patient with me; I've got lots of "foolish" questions... TIA
I have two networks separated by the internet. They are as follows:
<i-net>----1.1.1.1----<c3620>----10.10.10.10----<3500xl>----10.10.x.x <2003server>
<i-net>----2.2.2.2----<c2621>----11.11.11.11----<1924en>----11.11.x.x <2000server>
What I am trying to do is set up a VPN between the routers, with a consistently open path between the two networks, with the ability to browse between them in the Network Places app within Windows.
Both the servers are running WINS services.
These configs were set up using the ConfigMaker program. However, as you know, that software only supports about half the commands in these configs, so the rest I did, wrong probably.... :-) LOL
The IP addresses are not the ones I'm using; they are all private addresses, except those on the internet connections.
My first question is: will someone tell me the order of operations for setting up:
1) encryption...
2) VPN interface
3) where I access the configuration for each, e.g. <crypto-map#>; where is that sucker hiding.....
Hope this isn't too much at once, TIA!!!
Here are the configs from both routers... 3620 first...
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname C3620
!
enable password xxxxx
!
ip name-server 68.4.16.30
!
ip subnet-zero
ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key 123qweasd address 2.2.2.2
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-3des
crypto map cm-cryptomap local-address FastEthernet 0/0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 2.2.2.2
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface fastEthernet 0/0
no shutdown
description connected to Internet
crypto map cm-cryptomap
ip address 1.1.1.1 255.0.0.0
ip nat outside
no ip route-cache
keepalive 10
!
! Committed Access Rate (CAR)
!
rate-limit output access-group 101 256000 256000 256000 conform-action set-prec-continue 4 exceed-action drop
!
!
interface fastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address 10.10.10.10 255.255.0.0
ip nat inside
keepalive 10
!
interface fastEthernet 1/0
no description
no ip address
shutdown
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 10.10.20.0 0.0.255.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
!
! Access Control List 101
!
no access-list 101
access-list 101 permit ip any 2.0.0.0 0.255.255.255
access-list 101 permit ip any 11.10.0.0 0.0.255.255
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface fastEthernet 0/0 overload
!
router rip
version 2
network 10.10.0.0
passive-interface Ethernet 0/0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 fastethernet 0/0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password xxxxx
login
!
line vty 0 4
password xxxxx
login
@@@@@@@@@@@@@@@@@@@@@@@@@
C2621 Configuration:
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname C2621
!
enable password xxxxx
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key 123qweasd address 1.1.1.1
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-3des
crypto map cm-cryptomap local-address FastEthernet 0/0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 1.1.1.1
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface FastEthernet 0/0
no shutdown
description connected to Internet
crypto map cm-cryptomap
ip address 2.2.2.2 255.0.0.0
ip nat outside
no ip route-cache
keepalive 10
!
! Committed Access Rate (CAR)
!
rate-limit output access-group 101 256000 256000 256000 conform-action set-prec-continue 4 exceed-action drop
!
!
interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN_1
ip address 11.11.11.11 255.255.0.0
ip nat inside
keepalive 10
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 11.11.0.0 0.0.255.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
!
! Access Control List 101
!
no access-list 101
access-list 101 permit ip any 1.0.0.0 0.255.255.255
access-list 101 permit ip any 10.10.0.0 0.0.255.255
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface FastEthernet 0/0 overload
!
router rip
version 2
network 11.11.0.0
passive-interface FastEthernet 0/0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password xxxxx
login
!
line vty 0 4
password xxxxx
login
!
end
Correction:
route-map nonat permit 10
match address 111
Should be:
route-map nonat permit 10
match ip address 111
ASKER
I saw that, but I really don't have a strong grasp on what I'm looking at. I understand parts of it... What I would really REALLY like is to have a description of what each line in each of the sections concerning the VPN setup configuration does, and its relationship to its counterpart... YUCK!!! This is why I made this question 250 points, 'cause it's a pain in the keister to answer.
Lemme know if I need to increase the points value :-)
As Always : thanks in advance, everyone!
ASKER CERTIFIED SOLUTION
ASKER
Perfect, thanks. Only a few more questions I had about your last reply:
1) What does/is ISAKMP referring to?
2) Do the lines "match address 100 <-- define the "interesting traffic that will trigger the VPN"" and....
"access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255" relate to traffic that is coming in, and how does it work when you have it denied in ACL 111?
3) I have a real problem with seeing this in the big picture:
! <-- define the Interesting traffic that will go through the VPN tunnel (private LAN-private LAN):
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! <-- use a route-map named "nonat" to deny VPN traffic from the nat process
ip nat inside source route-map nonat interface fastEthernet 0/0 overload
!
! <-- define the traffic NOT to be natted (private LAN to private LAN)
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
! <-- BUT permit all other internal to external traffic to be Natt'd
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
!
! <-- define the route-map named "nonat"
route-map nonat permit 10
3) I really don't understand ACL 111 and how it works; it seems like the two lines only contradict each other????
How is it getting applied, and to what is it getting applied...
4) Should the last line of the code be a 100 or a 10? ...route-map nonat permit 10
Sorry for the extreme ignorance; this will be the last question, promise.
Thanks again, very appreciated.....
1) ISAKMP maintains the key exchange:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080093c2b.shtml
2) match address 100 defines outbound traffic only, not inbound. ACL 111 applies to the NAT process, not the VPN trigger process.
3) Packets need to be routed based on source/destination. And the router needs to know if the packet is going to be NATted or not. We define that process by first making a routing decision.
This is accomplished with a route-map process. If the source is a private IP and the destination is a public IP, then it has to go out the NAT outside interface, and needs to be NATted. Hence the line
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
BUT, if the destination is the remote LAN, then the routing will still say the packet goes out the 'nat outside' interface, but we don't want to nat it, so we deny it in the NAT process acl so that it maintains "real" source/destination ips:
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
4) The "10" is simply a priority number. You can have multiple entries in a route-map. For example, if you have multiple remote sites with VPNs, you can only have one route-map, but you need to match different ACLs. Just a 'ferinstance' example:
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 113 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 113 permit ip 192.168.2.0 0.0.0.255 any
!
route-map nonat permit 10 <- no matching conditions, go to the next "12"
match ip address 111
route-map nonat permit 12 <- no matching conditions, go to the next "13"
match ip address 112
set ip next-hop 3.4.5.6
route-map nonat permit 13
match ip address 113
set ip next-hop 5.6.7.8
<etc>
ASKER
Uhhhhhh? Good.
I'll have to let all this soak into my thick head...
Thanks for all the effort and time, I can't thank you enough.
You are the "routin'" man!
JNK
ASKER
I don't know if it's too late to ask, but here goes.
I have 5 static IPs to work with here, and this config, well, it's kinda dumb since I'm guaranteed by my ISP that I get the same up/down from each IP without sacrificing overall bandwidth.... So, what I'd like to do, since I have this 3620 for a router and it does in fact have 4 Ethernet ports on it, is to make the other network module (NM-2E2W) the VPN side. At least, make one of the ports on the 2E2W another outside IP for the other side of the VPN.
<INTERNET>
Just use a loopback address as the VPN target instead of an interface address...
ASKER
Oops, hit the tab key.
Anyway, so I will have two separate IPs on the 3620 router.
Is that config going to be too much different, or just the obvious stuff directly relating to the e0/0 as opposed to the e1/0?
Thanks in advance
Nothing much different at all except that you need independent subnets or sub-subnets for each of those IP addresses so that you can use each one as its own NAT pool...
At least that's what I would do...
from:
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-3des
to:
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
Reason: Your first encryption policy statement says:
>crypto isakmp policy 1
> encryption 3des
But the first encryption layer in your transform is AH-MD5-HMAC
Changing just the transform-set fixes that
Your crypto ACL "match address 100" needs to be private LAN to private LAN, NOT WAN IP to WAN IP:
i.e. Local (3620) LAN=192.168.2.0 Remote (2621) LAN=192.168.3.0
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
mirror that on the 2621:
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Now, since you are also using NAT, you need a route-map to keep the IPsec traffic from being NATted:
Change this:
>ip nat inside source list 1 interface fastEthernet 0/0 overload
To this:
ip nat inside source route-map nonat interface fastEthernet 0/0 overload
!
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
! <Mirror that on the 2621>
!
route-map nonat permit 10
match address 111
Test using extended pings, using the private IP as the ping source.
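Added example, not from the thread or from any of its participants: a small Python simulation of the two ACL decisions the expert's answers hinge on (the "nonat" route-map ACL explained in the reply about ACL 111, and the crypto ACL fix in the accepted solution). It assumes what IOS actually does for inside-to-outside traffic: NAT is applied before the crypto map on the egress interface, ACLs are evaluated first-match with an implicit deny at the end, and a deny in a route-map's match ACL simply means "no match, so no NAT". The sample packets and the 198.51.100.7 internet address are constructed for the demonstration; the ACL lines are the ones quoted in the thread.

```python
# Added example: why the posted 3620 config never encrypts LAN-to-LAN traffic,
# and why the accepted answer's "nonat" route-map plus LAN-to-LAN crypto ACL does.
# Assumption (true for IOS inside->outside): NAT runs before the crypto map check.
import ipaddress


def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network_as_int, care_mask_as_int), remaining_tokens).
    A wildcard bit of 1 means 'don't care', so care = ~wildcard."""
    if not tokens:                      # standard ACL: no destination field = any
        return (0, 0), tokens
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care, care), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny [ip] SRC [DST]' lines (standard or extended)."""
    acl = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]         # drop 'access-list' and the list number
        action, tokens = tokens[0], tokens[1:]
        if tokens and tokens[0] == "ip":  # extended ACL protocol keyword
            tokens = tokens[1:]
        src, tokens = _parse_spec(tokens)
        dst, tokens = _parse_spec(tokens)
        acl.append((action, src, dst))
    return acl


def _matches(spec, ip):
    net, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == net


def acl_action(acl, src, dst):
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"


def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside->outside path. Returns (source as seen on the wire, destination, encrypted?)."""
    # 'ip nat inside source list 1 ...' / 'route-map nonat ...': translate only on
    # permit. A deny in the route-map's match ACL means "no match" -> packet keeps
    # its real source address. That is why ACL 111's deny and permit do not conflict.
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip
    # The crypto map's 'match address' ACL sees the packet AFTER NAT.
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, dst, encrypted


# The 3620 as posted: NAT everything from the LAN, crypto ACL only WAN IP to WAN IP.
ORIGINAL_NAT = parse_acl(["access-list 1 permit 10.10.20.0 0.0.255.255"])
ORIGINAL_CRYPTO = parse_acl(["access-list 100 permit ip host 1.1.1.1 host 2.2.2.2"])

# The accepted answer's fix, with its example LANs 192.168.2.0/24 and 192.168.3.0/24.
FIXED_NAT = parse_acl([
    "access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 111 permit ip 192.168.2.0 0.0.0.255 any",
])
FIXED_CRYPTO = parse_acl(["access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255"])


def original_lan_to_lan():
    # Constructed packet: 3620 LAN host to 2621 LAN host under the posted config.
    return forward("10.10.1.5", "11.11.1.5", ORIGINAL_NAT, ORIGINAL_CRYPTO, "1.1.1.1")


def fixed_lan_to_lan():
    return forward("192.168.2.10", "192.168.3.20", FIXED_NAT, FIXED_CRYPTO, "1.1.1.1")


def fixed_lan_to_internet():
    # Constructed public destination (documentation range) to show ordinary NAT still works.
    return forward("192.168.2.10", "198.51.100.7", FIXED_NAT, FIXED_CRYPTO, "1.1.1.1")


if __name__ == "__main__":
    for name, fn in [("original LAN->LAN", original_lan_to_lan),
                     ("fixed LAN->LAN", fixed_lan_to_lan),
                     ("fixed LAN->Internet", fixed_lan_to_internet)]:
        print(f"{name}: src/dst/encrypted = {fn()}")
```

With the posted config the LAN-to-LAN packet is translated to 1.1.1.1 first, so it never matches a crypto ACL written for private addresses and leaves in the clear; with the fix it is exempted from NAT, matches ACL 100 and is encrypted, while internet-bound traffic still gets NATted and stays outside the tunnel. On the real routers the equivalent check is an extended ping sourced from the LAN interface followed by `show crypto isakmp sa` (Phase 1 up), `show crypto ipsec sa` (encrypt/decrypt counters increasing) and `show ip nat translations` (no entries for LAN-to-LAN flows).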