Question : Problem: Cisco NAT & VPN problems - review
I have 2 Cisco 1710 VPN access routers with 12.3 IOS with 3DES encryption. I have a router in St. Pete and one in Chicago.
I can get the VPN up and I can ping the Chicago address to the St. Pete address, but what I can't figure out is some traffic must not be getting through the tunnel.
I need to browse (NetBIOS) from one site to the other; we have Win 2003 servers that need to communicate, but something is not working. Can't authenticate from Chicago to the St. Pete domain. Below are both configs for both routers.
Chicago Router
------------------------------------------------------------
!
version 12.3
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Chicago
!
!logging buffered 4096 debugging
!logging rate-limit console 10 except errors
enable secret 123
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.141.192.60
ip name-server 206.141.193.55
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key somekey address xxx.xxx.184.100
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer xxx.xxx.184.100
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 111
!
!This is so that NATing does not happen when it's tunnel traffic
interface loopback 1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 description Connection to Internet
 ip address yy.yyy.173.186 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.2.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT yy.yyy.173.186 yy.yyy.173.186 netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload
!
ip nat inside source static tcp 192.168.2.2 3389 yy.yyy.173.186 3389 extendable
! WebServer
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 yy.yyy.173.190
no ip http server
!
!
access-list 101 permit esp any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 101 permit udp host xxx.xxx.184.100 host yy.yyy.173.186 eq isakmp
access-list 101 permit esp host xxx.xxx.184.100 host yy.yyy.173.186
access-list 101 permit ahp host xxx.xxx.184.100 host yy.yyy.173.186
access-list 101 permit ip host xxx.xxx.184.100 any
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq tftp
access-list 101 permit tcp any host yy.yyy.173.186 eq 3389
access-list 101 deny ip any any
!
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 103 deny udp any any eq 21331
access-list 103 deny tcp any any eq 139
access-list 103 deny tcp any any eq 445
access-list 103 deny udp any any eq tftp
access-list 103 deny tcp any any eq 69
access-list 103 permit ip any any
!
!
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
!
!
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 120 deny ip 192.168.2.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 120
 set ip next-hop 10.1.1.2
!
!
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password 123
 login
line vty 5 15
 login
!
end
----------------------------------
St. Pete Router
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname StPete
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret 123
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.222.97.50
ip name-server 206.222.97.82
ip name-server 216.21.234.74
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key somekey address yy.yyy.173.186
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer yy.yyy.173.186
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 111
!
!
!
!This is so that NATing does not happen when it's tunnel traffic
interface loopback 1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 description Connection to Internet
 ip address xxx.xxx.184.100 255.255.255.224
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT xxx.xxx.184.100 xxx.xxx.184.100 netmask 255.255.255.192
ip nat inside source list 104 pool NAT overload
!
ip nat inside source static tcp 192.168.0.2 3389 xxx.xxx.184.100 3389 extendable
ip nat inside source static tcp 192.168.0.2 80 xxx.xxx.184.100 80 extendable
ip nat inside source static tcp 192.168.0.2 25 xxx.xxx.184.100 25 extendable
ip nat inside source static tcp 192.168.0.2 110 xxx.xxx.184.100 110 extendable
ip nat inside source static tcp 192.168.0.2 443 xxx.xxx.184.100 443 extendable
ip nat inside source static tcp 192.168.0.2 53 xxx.xxx.184.100 53 extendable
ip nat inside source static tcp 192.168.0.2 21 xxx.xxx.184.100 21 extendable
ip nat inside source static udp 192.168.0.2 53 xxx.xxx.184.100 53 extendable
!
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.6
ip route 0.0.0.0 0.0.0.0 xxx.xxx.184.97
no ip http server
!
!
!
!
access-list 101 permit esp any any
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 permit udp host yy.yyy.173.186 host xxx.xxx.186.100 eq isakmp
access-list 101 permit esp host yy.yyy.173.186 host xxx.xxx.186.100
access-list 101 permit ahp host yy.yyy.173.186 host xxx.xxx.186.100
access-list 101 permit ip host yy.yyy.173.186 any
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq tftp
access-list 101 permit tcp any host xxx.xxx.184.100 eq 3389
access-list 101 permit tcp any host xxx.xxx.184.100 eq 25
access-list 101 permit tcp any host xxx.xxx.184.100 eq 110
access-list 101 permit tcp any host xxx.xxx.184.100 eq 80
access-list 101 permit tcp any host xxx.xxx.184.100 eq 443
access-list 101 permit tcp any host xxx.xxx.184.100 eq 53
access-list 101 permit udp any host xxx.xxx.184.100 eq 53
access-list 101 permit tcp any host xxx.xxx.184.100 eq 21
access-list 101 deny ip any any log
!
!
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 103 deny udp any any eq 21331
access-list 103 deny tcp any any eq 139
access-list 103 deny tcp any any eq 445
access-list 103 deny udp any any eq tftp
access-list 103 deny tcp any any eq 69
access-list 103 permit ip any any
!
!
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
!
!
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 120 deny ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
 match ip address 120
 set ip next-hop 10.1.1.2
!
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password 123
 login
line vty 5 15
 login
!
end
-----------------------------------------------
I should be able to browse from Chicago to St. Pete. I should be able to have a computer join a domain located in St. Pete. I should be able to authenticate a computer user logging on in Chicago to the server in St. Pete (DNS on the Win 2003 box points to the St. Pete domain DNS).
George.
Answer : Problem: Cisco NAT & VPN problems - review
Couple of things here:
>set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
Choose ONE transform set common on both ends, do not use all 5.
>!This is so that nating does not happen when its tunnel traffic
>interface loopback 1
> ip address 10.1.1.1 255.255.255.0
>route-map nonat permit 10
> match ip address 120
> set ip next-hop 10.1.1.2
>!
There is a better way to do this. Take the route-map off of the LAN interface and apply it instead to the NAT process (mirrored on both sides):
route-map nonat permit 10
 match ip address 122

access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any

no ip nat inside source list 104 pool NAT overload
ip nat inside source route-map nonat pool NAT overload

interface fastethernet 0
 no ip policy route-map nonat
While troubleshooting, just remove ACL 103 from the Ethernet interface. I see you've already removed 101 from the outside interface...
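As an added check that is not part of the question or the answer above, the Python below walks a flat IOS excerpt and reports crypto-ACL flows that the NAT ACL would translate first, which is the mismatch the answer fixes by denying tunnel traffic in the NAT ACL before the catch-all permit. Both excerpts are constructed from the Chicago side (the answer's example is written from St. Pete), and the answer's route-map indirection is collapsed into a plain `ip nat inside source list` to keep the parser short.

```python
import ipaddress
# Constructed Chicago excerpt as posted: NAT list 104 also covers the crypto-ACL 111 flow.
AS_POSTED = """
ip nat inside source list 104 pool NAT overload
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
 match address 111
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
"""
# The answer's fix mirrored for Chicago (constructed; the NAT ACL denies the tunnel flow first).
AS_FIXED = """
ip nat inside source list 122 pool NAT overload
access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any
 match address 111
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def _addr(t, i):
    """Consume one ACL address spec at t[i] (any | host A | A WILDCARD); return (net, next_i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wild = (t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])
    mask = "32" if wild == "0.0.0.0" else wild  # other wildcards are IOS host masks
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_config(text):
    """Return (acls, nat_acl, crypto_acl); acls maps number -> ordered (action, src, dst) 'ip' entries."""
    acls, nat_acl, crypto_acl = {}, None, None
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[3] == "ip":  # tcp/udp/esp entries skipped
            src, i = _addr(t, 4)
            acls.setdefault(t[1], []).append((t[2], src, _addr(t, i)[0]))
        elif t[:2] == ["match", "address"]:  # crypto map: this ACL defines tunnel traffic
            crypto_acl = t[2]
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = t[5]
    return acls, nat_acl, crypto_acl

def tunnel_flows_hit_by_nat(text):
    """Crypto-ACL flows whose first overlapping NAT entry (IOS first match) is not a covering deny."""
    acls, nat_acl, crypto_acl = parse_config(text)
    hits = []
    for action, csrc, cdst in acls.get(crypto_acl, []):
        for naction, nsrc, ndst in acls.get(nat_acl, []):
            if action == "permit" and nsrc.overlaps(csrc) and ndst.overlaps(cdst):
                if not (naction == "deny" and csrc.subnet_of(nsrc) and cdst.subnet_of(ndst)):
                    hits.append(f"{csrc} -> {cdst}")
                break
    return hits
```

Run against AS_POSTED it reports the 192.168.2.0/24 to 192.168.0.0/24 flow as translated before the crypto map sees it; against AS_FIXED it reports nothing.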