Hi All,
Have a main office (192.168.x.x, Cisco 1721, IOS 12.3) and a branch office (10.250.1.x, Linksys AG041), both connected to the web via ADSL.
Have set up a tunnel between the Cisco 1721 and the Linksys AG041 (I am based in the UK if the model is unfamiliar). After some playing, have got it to work, well the tunnel anyway. Both ends say the tunnel is up and happy; however, I cannot seem to get any traffic to pass along the tunnel.
As I understand from reading various docs and scouring the web, I need to get the Cisco box to stop NATing traffic through the tunnel; however, I am unsure as to how to do this. I tried using the SDM *test VPN* feature, which seemed to scramble loads of settings and still not work. It seemed to get confused and send all data down the tunnel, rather than just the traffic meant to go to 10.250.1.x.
I have attached the relevant areas of the IOS config file (think so, if more required, let me know).
Any help gratefully received; I am rather confused and just seem to be going around and around in circles.
TIA
Dan
---Start of edited IOS file---
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 3
authentication pre-share
lifetime 3600
!
crypto isakmp policy 4
hash md5
authentication pre-share
lifetime 3600
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <password> address <linksys-public-ip> no-xauth
!
crypto isakmp client configuration group <username>
key <password>
dns 192.168.1.104
wins 192.168.1.104
domain <our local domainname>
pool animalpool1
acl 160
!
!
crypto ipsec transform-set remotevpn esp-3des esp-sha-hmac
crypto ipsec transform-set stores esp-3des esp-sha-hmac
!
crypto dynamic-map animalmap 1
set transform-set remotevpn
reverse-route
!
!
crypto map animalmap client authentication list userlist
crypto map animalmap isakmp authorization list grouplist
crypto map animalmap client configuration address respond
crypto map animalmap 1 ipsec-isakmp dynamic animalmap
crypto map animalmap 2 ipsec-isakmp
set peer <linksys-public-ip>
set transform-set stores
match address 100
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
atm vc-per-vp 65536
atm ilmi-keepalive
dsl operating-mode auto
crypto map animalmap
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description Connected to Animal LAN
ip address 192.168.77.200 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect animalcbac in
ip route-cache flow
ip policy route-map nonat
speed auto
full-duplex
ntp disable
no cdp enable
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip inspect animalcbac out
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password 7 <password>
ppp pap sent-username <username> password 7 <password>
crypto map animalmap
hold-queue 224 in
!
ip local pool animalpool1 10.10.1.1 10.10.1.254
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.104 25 <publicip> 25 extendable
ip nat inside source static tcp 192.168.1.104 80 <publicip> 80 extendable
ip nat inside source static tcp 192.168.1.104 443 <publicip> 443 extendable
ip nat inside source static tcp 192.168.1.22 80 <publicip> 80 extendable
ip nat inside source static tcp 192.168.1.22 407 <publicip> 407 extendable
ip nat inside source static tcp 192.168.1.22 22 <publicip> 22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.0.0 192.168.77.100
ip route 192.168.0.0 255.255.0.0 192.168.77.100
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended protocol
access-list 100 permit ip 10.250.0.0 0.0.0.255 host 192.168.1.104
access-list 100 permit ip 10.250.0.0 0.0.0.255 host 192.168.15.1
access-list 100 permit ip 10.250.0.0 0.0.0.255 host 192.168.30.1
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.250.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=17
access-list 102 deny ip 10.250.0.0 0.0.0.255 host 192.168.30.1
access-list 102 deny ip 10.250.0.0 0.0.0.255 host 192.168.15.1
access-list 102 deny ip 10.250.0.0 0.0.0.255 host 192.168.1.104
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.0.0 0.0.255.255 10.250.1.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 102 deny ip 172.16.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any eq smtp
access-list 111 permit ip 10.10.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 deny ip any any
access-list 118 permit icmp any any
access-list 118 permit ip 10.10.1.0 0.0.0.255 any
access-list 118 permit tcp any any eq telnet
access-list 118 permit tcp any host 80.45.255.3 eq smtp
access-list 118 permit udp any host 80.40.252.66 eq isakmp
access-list 118 permit esp any host 80.40.252.66
access-list 151 deny ip 192.168.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.255.255 any
access-list 160 permit ip 192.168.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 160 permit ip 172.16.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 181 permit tcp host 192.168.1.104 any eq smtp
access-list 181 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 181 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 181 deny ip any any log
access-list 182 permit icmp any any
access-list 182 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
access-list 182 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 182 permit udp any any eq domain
access-list 182 permit tcp host 192.168.1.104 any eq smtp
access-list 182 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 182 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 182 deny ip any any log
access-list 182 deny ip host 255.255.255.255 any
access-list 182 deny ip 127.0.0.0 0.255.255.255 any
access-list 183 remark SDM_ACL Category=17
access-list 183 deny ip host 255.255.255.255 any
access-list 183 deny ip 127.0.0.0 0.255.255.255 any
access-list 185 permit tcp any host 80.40.252.66 eq telnet
access-list 185 permit tcp any host 80.45.255.3 eq smtp
access-list 185 permit icmp any any
access-list 185 permit esp any host 80.40.252.66
access-list 185 permit udp any host 80.40.252.66 eq isakmp
access-list 185 permit ip 10.0.0.0 0.0.0.255 any
access-list 191 permit ip host 192.168.1.104 10.10.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map nonat permit 10
match ip address 191
set ip next-hop 1.1.1.2
!
!
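An added example (mine, not from Dan's post or from Cisco): a small Python model of how IOS evaluates wildcard-mask ACLs, loaded with the crypto ACL 100, the SDM IPSec rule 101 and the NAT route-map ACL 102 from the config above, so the two decisions that matter for a LAN-to-branch packet can be checked side by side: whether a crypto ACL selects it for the tunnel, and whether the NAT route-map translates it (permit) or exempts it (deny). It assumes constructed sample addresses 10.250.1.10 for a branch host and 203.0.113.5 for an Internet host.

```python
import ipaddress

# Constructed sample addresses: 192.168.1.104 is the LAN server from the config;
# 10.250.1.10 (a branch host) and 203.0.113.5 (an Internet host) are made up.
LAN_HOST, BRANCH_HOST, INET_HOST = "192.168.1.104", "10.250.1.10", "203.0.113.5"

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care'; only clear bits are compared."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' ('host X' and 'any' allowed)."""
    tok, i = line.split(), 4  # index 4 is the first token after the 'ip' keyword
    def field():
        nonlocal i
        if tok[i] == "any":
            i += 1; return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2; return (tok[i - 1], "0.0.0.0")
        i += 2; return (tok[i - 2], tok[i - 1])
    src, dst = field(), field()
    return (tok[1], tok[2], src, dst)

# The relevant ip entries of ACLs 100, 101 and 102, copied from the config above
# (remark lines omitted; IOS ignores them when matching).
CONFIG_ACES = [parse_ace(l) for l in """
access-list 100 permit ip 10.250.0.0 0.0.0.255 host 192.168.1.104
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.250.1.0 0.0.0.255
access-list 102 deny ip 10.250.0.0 0.0.0.255 host 192.168.1.104
access-list 102 deny ip 192.168.0.0 0.0.255.255 10.250.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
""".strip().splitlines()]

def acl_action(number, src, dst):
    """First matching entry wins; an unmatched list ends in IOS's implicit deny."""
    for num, action, (sn, sw), (dn, dw) in CONFIG_ACES:
        if num == number and wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def crypto_selects(acl, src, dst):
    """Crypto ACL: 'permit' marks an outbound packet as interesting traffic for the tunnel.
    Entries are written from this router's side: SRC local (192.168.x.x), DST remote."""
    return acl_action(acl, src, dst) == "permit"

def nat_translates(src, dst):
    """'ip nat inside source route-map SDM_RMAP_1' + 'match ip address 102':
    permit in ACL 102 = translate the source, deny = NAT exemption (leave it alone)."""
    return acl_action("102", src, dst) == "permit"
```

Run against the config's own entries, it shows that ACL 102 already exempts 192.168.x.x to 10.250.1.x from NAT, while ACL 100 (the list crypto map sequence 2 actually matches) is written from the branch side and its 10.250.0.0 0.0.0.255 wildcard covers 10.250.0.x, not 10.250.1.x.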