Hi,
I have a slightly ugly VPN configuration that I'm trying to get working,
and it's either impossible or I'm missing the obvious. One end of
the VPN is a 192.168.9.0/24 LAN, the other a 192.168.9.240/28 LAN
(yes, end B is a subnet of end A :/).
Below are the layout and both router configs. Machines on both sides
are not able to talk to each other. Anyone have a clue?
Thanks,
Ray
=== The layout ...
|----- Remote Office LAN 192.168.9.240 /28 ----------------------------|
| | | |
| | | |
| | | |
| HOST1 HOST2 HOST3
| 192.168.9.242 192.168.9.243 192.168.9.244
|
|
192.168.9.241 /28
remote-dialup (1603)
123.123.140.1 /28
|
|
(isdn)
|
|
dialup-router
|
|
(internet)
|
|
123.123.123.102 /24
vpn-gateway
192.168.9.18 /24
|
|
|----- Office Internal LAN 192.168.9.0 /24 ----------------------------|
| | |
| | |
| | |
192.168.9.3 192.168.9.2 192.168.9.1
HOST-A HOST-B INTRA-GW
|
|
|
(intranet:
- 10.*.*.*
- 192.168.*.*)
=== The config of "remote-dialup" ...
! Cisco 1603 / 12.1(6) / c1600-sy56i-mz.121-6.bin
!
! remote-dialup: ISDN dialup router for the 192.168.9.240/28 remote office.
! It terminates one IPsec tunnel to vpn-gateway (123.123.123.102) and
! statically NATs the office hosts to 123.123.140.2-14 for plain Internet use.
!
version 12.1
service timestamps debug datetime show-timezone
service timestamps log datetime show-timezone
! Type-7 "encryption" of line/PPP passwords below is reversible obfuscation,
! not a secret store; the enable secret (type 5) is the only hashed credential.
service password-encryption
!
hostname remote-dialup
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip source-route
no ip finger
ip domain-name debug.net
ip name-server 123.123.123.140
ip name-server 123.123.120.135
!
isdn switch-type basic-net3
!
!
! Phase 1: only the authentication method is set here. Encryption, hash,
! DH group and lifetime are whatever this IOS image defaults to (not shown);
! they must agree with vpn-gateway's policy 1, which is configured identically.
crypto isakmp policy 1
authentication pre-share
! Pre-shared key for the peer at the gateway's FastEthernet0/1 address.
! Must match the key the gateway has for 123.123.140.1. The value as posted
! should be treated as a placeholder.
crypto isakmp key blabla address 123.123.123.102
!
!
! Phase 2: AH-SHA plus ESP with single DES and SHA. Single DES is a weak
! cipher by today's standards; a stronger ESP transform should be preferred
! if the image supports one (both ends must change together).
crypto ipsec transform-set ch-vpn-set ah-sha-hmac esp-des esp-sha-hmac
!
! Tunnel endpoint is the dialer's address (123.123.140.1), so the same SA
! survives whichever B-channel is up. Traffic selected by ACL 100 is encrypted.
crypto map ch-vpn local-address Dialer1
crypto map ch-vpn 1 ipsec-isakmp
set peer 123.123.123.102
set transform-set ch-vpn-set
match address 100
!
!
!
!
! Remote office LAN: the router is .241/28. This interface is the NAT
! "inside" side for the static translations further down.
! NOTE(review): on IOS the inside-to-outside NAT step normally runs before
! the crypto map's ACL match on the outbound path - confirm for this image.
! If so, packets from 192.168.9.242-.254 are rewritten to 123.123.140.x before
! ACL 100 is consulted, never match its 192.168.9.240/28 source, and leave
! the dialer unencrypted. Check whether the IPsec SA packet counters ever
! increment for this traffic; if they stay at zero this is the likely cause.
interface Ethernet0
description Remote Office LAN 192.168.9.241_28
ip address 192.168.9.241 255.255.255.240
ip nat inside
no ip route-cache
no ip mroute-cache
no keepalive
no cdp enable
!
! Physical ISDN interface; it is a member of rotary group 1, so Dialer1
! carries the IP address. The crypto map is applied to both the physical
! and the dialer interface.
interface BRI0
description ISDN dialup to Internet
no ip address
ip nat outside
encapsulation ppp
dialer rotary-group 1
isdn switch-type basic-net3
no cdp enable
crypto map ch-vpn
!
! Logical dialer: public /28 on the Internet side, NAT "outside", and the
! IPsec tunnel endpoint. dialer-group 1 (all IP, see dialer-list 1) defines
! the interesting traffic that brings the line up.
interface Dialer1
description connected to Internet
ip address 123.123.140.1 255.255.255.240
ip nat outside
encapsulation ppp
no ip route-cache
no ip split-horizon
no ip mroute-cache
dialer in-band
dialer string 0123456789
dialer hold-queue 10
dialer load-threshold 10 outbound
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname remoteuser
ppp chap password 7 XXXXXXXXXXXXXXX
ppp pap sent-username remoteuser password 7 XXXXXXXXXXXXXXX
ppp multilink
crypto map ch-vpn
!
! RIPv2 on the office LAN only; nothing is advertised out the dialer.
router rip
version 2
passive-interface Dialer1
network 192.168.9.0
no auto-summary
!
! One-to-one static NAT for every usable host address in the /28
! (.242-.254) to a public address in 123.123.140.0/28. These apply to all
! traffic leaving via the outside interfaces, including traffic that is
! meant for the tunnel (see the note on Ethernet0).
ip nat inside source static 192.168.9.253 123.123.140.13
ip nat inside source static 192.168.9.252 123.123.140.12
ip nat inside source static 192.168.9.251 123.123.140.11
ip nat inside source static 192.168.9.250 123.123.140.10
ip nat inside source static 192.168.9.249 123.123.140.9
ip nat inside source static 192.168.9.248 123.123.140.8
ip nat inside source static 192.168.9.247 123.123.140.7
ip nat inside source static 192.168.9.246 123.123.140.6
ip nat inside source static 192.168.9.245 123.123.140.5
ip nat inside source static 192.168.9.244 123.123.140.4
ip nat inside source static 192.168.9.254 123.123.140.14
ip nat inside source static 192.168.9.243 123.123.140.3
ip nat inside source static 192.168.9.242 123.123.140.2
ip classless
! Default plus the two intranet aggregates out the dialer, so that traffic
! for 10/8 and 192.168/16 reaches the interface that carries the crypto map.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 Dialer1
ip route 192.168.0.0 255.255.0.0 Dialer1
no ip http server
!
! Crypto ACL: local /28 to the whole intranet. It is the mirror image of
! ACL 100 on vpn-gateway, as required for the SAs to negotiate.
access-list 100 permit ip 192.168.9.240 0.0.0.15 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.9.240 0.0.0.15 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXX
login
transport input none
escape-character 27
! Remote login is password-only with no access-class restricting source
! addresses; the dialer is a public interface, so consider limiting this.
line vty 0 4
exec-timeout 60 0
password 7 XXXXXXXXXXXXXXXXXXXX
login
escape-character 27
!
end
=== The config of "vpn-gateway" ...
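! Cisco 2621 / 12.1(5) / c2600-is56i-mz.121-5.bin
!
! vpn-gateway: head-end for the tunnel to remote-dialup (123.123.140.1).
! It sits on the office LAN as 192.168.9.18/24 and answers ARP for the
! remote /28 so that office hosts hand it traffic for 192.168.9.241-.254.
!
version 12.1
service timestamps debug datetime show-timezone
service timestamps log datetime show-timezone
! Type-7 line passwords are reversible obfuscation; only the enable secret
! (type 5) is actually hashed.
service password-encryption
!
hostname vpn-gateway
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip source-route
no ip finger
ip domain-name debug.net
ip name-server 123.123.123.140
ip name-server 123.123.120.135
!
!
!
! Phase 1: only the authentication method is set; encryption, hash, DH group
! and lifetime are the image defaults (not shown) and must agree with the
! peer's policy 1, which is configured the same way.
crypto isakmp policy 1
authentication pre-share
! Pre-shared key for remote-dialup's Dialer1 address; must match the key it
! holds for 123.123.123.102. The posted value should be treated as a placeholder.
crypto isakmp key blabla address 123.123.140.1
!
!
! Phase 2: AH-SHA plus ESP single-DES/SHA. Single DES is weak; prefer a
! stronger ESP transform if the image offers one (change both ends together).
crypto ipsec transform-set ch-vpn-set ah-sha-hmac esp-des esp-sha-hmac
!
! Tunnel endpoint is the Internet-facing interface. Only traffic that is
! routed OUT of FastEthernet0/1 and matches ACL 100 is encrypted.
crypto map ch-vpn local-address FastEthernet0/1
crypto map ch-vpn 1 ipsec-isakmp
set peer 123.123.140.1
set transform-set ch-vpn-set
match address 100
!
!
!
!
!
!
!
! Office LAN. Note the /24 here fully contains the remote office's /28,
! so by itself the connected route would claim 192.168.9.240/28.
interface FastEthernet0/0
description connected to Office Internal LAN 192.168.9.0_24
ip address 192.168.9.18 255.255.255.0
no ip route-cache
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
! Internet side; carries the crypto map.
interface FastEthernet0/1
description connected to Internet LAN 123.123.123.0_24
ip address 123.123.123.102 255.255.255.0
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map ch-vpn
!
! RIPv2 on the office LAN only.
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.9.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 123.123.123.101
! Rest of the intranet lives behind INTRA-GW (192.168.9.1).
ip route 10.0.0.0 255.0.0.0 192.168.9.1
ip route 192.168.0.0 255.255.0.0 192.168.9.1
! FIX: without this route, packets for 192.168.9.241-.254 fall under the
! connected 192.168.9.0/24 on FastEthernet0/0 (longest match beats the /16
! above) and are sent back onto the office LAN, where the ARP aliases below
! point at this router itself - they never reach FastEthernet0/1 and the
! crypto map never sees them. Routing the remote /28 towards the Internet
! next hop makes it leave via the crypto interface, where ACL 100 selects it
! for encryption to 123.123.140.1.
ip route 192.168.9.240 255.255.255.240 123.123.123.101
no ip http server
!
! Crypto ACL: intranet to the remote /28; mirror of ACL 100 on remote-dialup.
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.9.240 0.0.0.15
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.9.240 0.0.0.15
! Static ARP aliases: the router answers ARP requests on the office LAN for
! the remote office's addresses, so /24 hosts that think .241-.254 are local
! deliver those frames here instead. NOTE(review): 0003.e369.27c0 is presumably
! FastEthernet0/0's own MAC - confirm. .240 and .255 (network/broadcast of the
! remote /28) are intentionally absent.
arp 192.168.9.241 0003.e369.27c0 ARPA alias
arp 192.168.9.243 0003.e369.27c0 ARPA alias
arp 192.168.9.242 0003.e369.27c0 ARPA alias
arp 192.168.9.245 0003.e369.27c0 ARPA alias
arp 192.168.9.244 0003.e369.27c0 ARPA alias
arp 192.168.9.247 0003.e369.27c0 ARPA alias
arp 192.168.9.246 0003.e369.27c0 ARPA alias
arp 192.168.9.249 0003.e369.27c0 ARPA alias
arp 192.168.9.248 0003.e369.27c0 ARPA alias
arp 192.168.9.251 0003.e369.27c0 ARPA alias
arp 192.168.9.250 0003.e369.27c0 ARPA alias
arp 192.168.9.253 0003.e369.27c0 ARPA alias
arp 192.168.9.252 0003.e369.27c0 ARPA alias
arp 192.168.9.254 0003.e369.27c0 ARPA alias
no cdp run
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXX
login
transport input none
escape-character 27
line aux 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXX
login
escape-character 27
! Remote login is password-only with no access-class; FastEthernet0/1 is a
! public interface, so consider restricting the permitted source addresses.
line vty 0 4
exec-timeout 60 0
password 7 XXXXXXXXXXXXXXXXXXXX
login
escape-character 27
!
no scheduler allocate
end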