Re: [nsp] vpn+nat stumped

From: Ray Davis (ray@carpe.net)
Date: Wed Jan 24 2001 - 05:57:29 EST


> you're right about one thing, it is a very ugly config ...
> I believe it will work, but then you'll need a static route to the
> 192.168.9.240/28 subnet on every host on the 192.168.9.240/24
> you want to be able to reach the first subnet. If they don't have that
> route, they will send all traffic out on the local network, and not to
> the router.

This is what these are for:

    arp 192.168.9.241 0003.e369.27c0 ARPA alias
    arp 192.168.9.242 0003.e369.27c0 ARPA alias
    arp 192.168.9.243 0003.e369.27c0 ARPA alias
      .
      .

What I'm not sure about is if the router where these are installed
thinks he *is* these addresses or if he will still send them across
the vpn. The INTRA-GW router in my drawing does see these and will
send packets for 192.168.9.242, for example, to the vpn router - but
they don't seem to cause the vpn to be built.

> I suggest you take another 192.168.x.x network into use.

I would if I could, but the customer says they can't "for political
reasons". ;/

Would it be better to get rid of the arp alias entries and add the
192.168.9.240/28 route on the necessary hosts?

Thanks,
Ray
>
>> Hi,
>>
>> I have a slightly ugly vpn configuration I'm trying to get working
>> and it's either impossible or I'm missing the obvious. One end of
>> the vpn is a 192.168.9.0/24 lan, the other a 192.168.9.240/28 lan.
>> (yes, end B is a subnet of end A :/)
>>
>> Below are the layout and both router configs. Machines on both sides
>> are not able to talk to each other. Anyone have a clue?
>>
>> Thanks,
>> Ray
>>
>> === The layout ...
>>
>> |----- Remote Office LAN 192.168.9.240 /28 ----------------------------|
>> |            |                |                |
>> |            |                |                |
>> |            |                |                |
>> |          HOST1            HOST2            HOST3
>> |      192.168.9.242    192.168.9.243    192.168.9.244
>> |
>> |
>> 192.168.9.241 /28
>> remote-dialup (1603)
>> 123.123.140.1 /28
>> |
>> |
>> (isdn)
>> |
>> |
>> dialup-router
>> |
>> |
>> (internet)
>> |
>> |
>> 123.123.123.102 /24
>> vpn-gateway
>> 192.168.9.18 /24
>> |
>> |
>> |----- Office Internal LAN 192.168.9.0 /24 ----------------------------|
>>              |                |                |
>>              |                |                |
>>              |                |                |
>>         192.168.9.3      192.168.9.2      192.168.9.1
>>           HOST-A           HOST-B           INTRA-GW
>>                                                |
>>                                                |
>>                                                |
>>                                             (intranet:
>>                                              - 10.*.*.*
>>                                              - 192.168.*.*)
>>
>>
>> === The config of "remote-dialup" ...
>>
>> ! Cisco 1603 / 12.1(6) / c1600-sy56i-mz.121-6.bin
>> !
>> version 12.1
>> service timestamps debug datetime show-timezone
>> service timestamps log datetime show-timezone
>> service password-encryption
>> !
>> hostname remote-dialup
>> !
>> logging buffered 4096 debugging
>> enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> !
>> !
>> !
>> !
>> !
>> clock timezone CET 1
>> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
>> ip subnet-zero
>> no ip source-route
>> no ip finger
>> ip domain-name debug.net
>> ip name-server 123.123.123.140
>> ip name-server 123.123.120.135
>> !
>> isdn switch-type basic-net3
>> !
>> !
>> crypto isakmp policy 1
>> authentication pre-share
>> crypto isakmp key blabla address 123.123.123.102
>> !
>> !
>> crypto ipsec transform-set ch-vpn-set ah-sha-hmac esp-des esp-sha-hmac
>> !
>> crypto map ch-vpn local-address Dialer1
>> crypto map ch-vpn 1 ipsec-isakmp
>> set peer 123.123.123.102
>> set transform-set ch-vpn-set
>> match address 100
>> !
>> !
>> !
>> !
>> interface Ethernet0
>> description Remote Office LAN 192.168.9.241_28
>> ip address 192.168.9.241 255.255.255.240
>> ip nat inside
>> no ip route-cache
>> no ip mroute-cache
>> no keepalive
>> no cdp enable
>> !
>> interface BRI0
>> description ISDN dialup to Internet
>> no ip address
>> ip nat outside
>> encapsulation ppp
>> dialer rotary-group 1
>> isdn switch-type basic-net3
>> no cdp enable
>> crypto map ch-vpn
>> !
>> interface Dialer1
>> description connected to Internet
>> ip address 123.123.140.1 255.255.255.240
>> ip nat outside
>> encapsulation ppp
>> no ip route-cache
>> no ip split-horizon
>> no ip mroute-cache
>> dialer in-band
>> dialer string 0123456789
>> dialer hold-queue 10
>> dialer load-threshold 10 outbound
>> dialer-group 1
>> no cdp enable
>> ppp authentication chap pap callin
>> ppp chap hostname remoteuser
>> ppp chap password 7 XXXXXXXXXXXXXXX
>> ppp pap sent-username remoteuser password 7 XXXXXXXXXXXXXXX
>> ppp multilink
>> crypto map ch-vpn
>> !
>> router rip
>> version 2
>> passive-interface Dialer1
>> network 192.168.9.0
>> no auto-summary
>> !
>> ip nat inside source static 192.168.9.253 123.123.140.13
>> ip nat inside source static 192.168.9.252 123.123.140.12
>> ip nat inside source static 192.168.9.251 123.123.140.11
>> ip nat inside source static 192.168.9.250 123.123.140.10
>> ip nat inside source static 192.168.9.249 123.123.140.9
>> ip nat inside source static 192.168.9.248 123.123.140.8
>> ip nat inside source static 192.168.9.247 123.123.140.7
>> ip nat inside source static 192.168.9.246 123.123.140.6
>> ip nat inside source static 192.168.9.245 123.123.140.5
>> ip nat inside source static 192.168.9.244 123.123.140.4
>> ip nat inside source static 192.168.9.254 123.123.140.14
>> ip nat inside source static 192.168.9.243 123.123.140.3
>> ip nat inside source static 192.168.9.242 123.123.140.2
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 Dialer1
>> ip route 10.0.0.0 255.0.0.0 Dialer1
>> ip route 192.168.0.0 255.255.0.0 Dialer1
>> no ip http server
>> !
>> access-list 100 permit ip 192.168.9.240 0.0.0.15 192.168.0.0 0.0.255.255
>> access-list 100 permit ip 192.168.9.240 0.0.0.15 10.0.0.0 0.255.255.255
>> dialer-list 1 protocol ip permit
>> no cdp run
>> !
>> line con 0
>> exec-timeout 0 0
>> password 7 XXXXXXXXXXXXXXXXXXXX
>> login
>> transport input none
>> escape-character 27
>> line vty 0 4
>> exec-timeout 60 0
>> password 7 XXXXXXXXXXXXXXXXXXXX
>> login
>> escape-character 27
>> !
>> end
>>
>>
>> === The config of "vpn-gateway" ...
>>
>> ! Cisco 2621 / 12.1(5) / c2600-is56i-mz.121-5.bin
>> !
>> version 12.1
>> service timestamps debug datetime show-timezone
>> service timestamps log datetime show-timezone
>> service password-encryption
>> !
>> hostname vpn-gateway
>> !
>> logging buffered 4096 debugging
>> enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> !
>> !
>> !
>> !
>> !
>> clock timezone CET 1
>> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
>> ip subnet-zero
>> no ip source-route
>> no ip finger
>> ip domain-name debug.net
>> ip name-server 123.123.123.140
>> ip name-server 123.123.120.135
>> !
>> !
>> !
>> crypto isakmp policy 1
>> authentication pre-share
>> crypto isakmp key blabla address 123.123.140.1
>> !
>> !
>> crypto ipsec transform-set ch-vpn-set ah-sha-hmac esp-des esp-sha-hmac
>> !
>> crypto map ch-vpn local-address FastEthernet0/1
>> crypto map ch-vpn 1 ipsec-isakmp
>> set peer 123.123.140.1
>> set transform-set ch-vpn-set
>> match address 100
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> interface FastEthernet0/0
>> description connected to Office Internal LAN 192.168.9.0_24
>> ip address 192.168.9.18 255.255.255.0
>> no ip route-cache
>> no ip mroute-cache
>> speed auto
>> full-duplex
>> no cdp enable
>> !
>> interface FastEthernet0/1
>> description connected to Internet LAN 123.123.123.0_24
>> ip address 123.123.123.102 255.255.255.0
>> no ip unreachables
>> no ip proxy-arp
>> no ip route-cache
>> no ip mroute-cache
>> duplex auto
>> speed auto
>> no cdp enable
>> crypto map ch-vpn
>> !
>> router rip
>> version 2
>> passive-interface FastEthernet0/1
>> network 192.168.9.0
>> no auto-summary
>> !
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 123.123.123.101
>> ip route 10.0.0.0 255.0.0.0 192.168.9.1
>> ip route 192.168.0.0 255.255.0.0 192.168.9.1
>> no ip http server
>> !
>> access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.9.240 0.0.0.15
>> access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.9.240 0.0.0.15
>> arp 192.168.9.241 0003.e369.27c0 ARPA alias
>> arp 192.168.9.243 0003.e369.27c0 ARPA alias
>> arp 192.168.9.242 0003.e369.27c0 ARPA alias
>> arp 192.168.9.245 0003.e369.27c0 ARPA alias
>> arp 192.168.9.244 0003.e369.27c0 ARPA alias
>> arp 192.168.9.247 0003.e369.27c0 ARPA alias
>> arp 192.168.9.246 0003.e369.27c0 ARPA alias
>> arp 192.168.9.249 0003.e369.27c0 ARPA alias
>> arp 192.168.9.248 0003.e369.27c0 ARPA alias
>> arp 192.168.9.251 0003.e369.27c0 ARPA alias
>> arp 192.168.9.250 0003.e369.27c0 ARPA alias
>> arp 192.168.9.253 0003.e369.27c0 ARPA alias
>> arp 192.168.9.252 0003.e369.27c0 ARPA alias
>> arp 192.168.9.254 0003.e369.27c0 ARPA alias
>> no cdp run
>> !
>> line con 0
>> exec-timeout 0 0
>> password 7 XXXXXXXXXXXXXXXXXXXX
>> login
>> transport input none
>> escape-character 27
>> line aux 0
>> exec-timeout 0 0
>> password 7 XXXXXXXXXXXXXXXXXXXX
>> login
>> escape-character 27
>> line vty 0 4
>> exec-timeout 60 0
>> password 7 XXXXXXXXXXXXXXXXXXXX
>> login
>> escape-character 27
>> !
>> no scheduler allocate
>> end
>>
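To see why a packet for 192.168.9.242 that reaches the vpn-gateway may never bring the tunnel up, here is an added example (not code from the thread) that replays the vpn-gateway's routing table and access-list 100 exactly as posted: a longest-prefix-match lookup lands on the connected 192.168.9.0/24 via FastEthernet0/0, which carries no crypto map, so ACL 100 is never consulted even though it would match. It also checks that the two routers' ACL 100 entries mirror each other; the route and ACL entries are transcribed from the configs, the helper functions are constructed.

```python
import ipaddress

# Routing table transcribed from the vpn-gateway config in the thread
# (connected networks plus the three "ip route" lines); example code, not the poster's.
VPN_GW_ROUTES = [
    ("192.168.9.0/24", "FastEthernet0/0"),     # connected Office Internal LAN
    ("123.123.123.0/24", "FastEthernet0/1"),   # connected Internet LAN
    ("10.0.0.0/8", "192.168.9.1"),             # ip route 10.0.0.0 255.0.0.0 192.168.9.1
    ("192.168.0.0/16", "192.168.9.1"),         # ip route 192.168.0.0 255.255.0.0 192.168.9.1
    ("0.0.0.0/0", "123.123.123.101"),          # ip route 0.0.0.0 0.0.0.0 123.123.123.101
]
CRYPTO_MAP_INTERFACES = {"FastEthernet0/1"}    # "crypto map ch-vpn" is applied there only

# access-list 100 on each router as (src, src-wildcard, dst, dst-wildcard)
VPN_GW_ACL100 = [
    ("10.0.0.0", "0.255.255.255", "192.168.9.240", "0.0.0.15"),
    ("192.168.0.0", "0.0.255.255", "192.168.9.240", "0.0.0.15"),
]
REMOTE_ACL100 = [
    ("192.168.9.240", "0.0.0.15", "192.168.0.0", "0.0.255.255"),
    ("192.168.9.240", "0.0.0.15", "10.0.0.0", "0.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

def acls_mirror(acl_a, acl_b):
    """IOS expects each side's crypto ACL to be the exact mirror of the other's."""
    return sorted((d, dw, s, sw) for s, sw, d, dw in acl_a) == sorted(acl_b)

def lookup(routes, dst):
    """Longest-prefix match; an IP next hop is resolved until an interface is found."""
    ip = ipaddress.IPv4Address(dst)
    best = max((ipaddress.IPv4Network(p) for p, _ in routes
                if ip in ipaddress.IPv4Network(p)), key=lambda n: n.prefixlen)
    nexthop = dict(routes)[str(best)]
    if nexthop[0].isdigit():          # recursive static route: resolve the next-hop IP
        return str(best), lookup(routes, nexthop)[1]
    return str(best), nexthop

def will_encrypt(src, dst, routes=VPN_GW_ROUTES, acl=VPN_GW_ACL100):
    """The crypto map only sees packets leaving an interface it is applied to."""
    _prefix, iface = lookup(routes, dst)
    return iface in CRYPTO_MAP_INTERFACES and acl_permits(acl, src, dst)

if __name__ == "__main__":
    print(lookup(VPN_GW_ROUTES, "192.168.9.243"))        # ('192.168.9.0/24', 'FastEthernet0/0')
    print(will_encrypt("192.168.9.3", "192.168.9.243"))  # False: packet exits the LAN side
```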



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:26 EDT