WadeG (New Member, Posts: 45, Joined: Wed Mar 16, 2011 8:12 pm)

IPSec site-to-site VPN behind PAT

Sat Jun 04, 2016 12:04 pm

So I have established literally almost everything needed to build this IPSec site-to-site VPN behind two Cisco PAT'd routers (881W and 819 routers running 15.6/15.2 code). I have a physical 881W in Korea and an 819 here in Arizona. I am overloading my IPs for now.

I have IKE Phase one and IKE phase 2 showing active. Crypto sessions on both ends are also UP-ACTIVE.

I know it has to be my ACLs but I'm drawing a blank. Any help is appreciated. Last note: Korea can ping router Arizona, but router Arizona cannot ping router Korea (no ! ! ! ! ! ! !). Router B only decrypts packets and Router A only encrypts packets. Weird thing though, when the tunnel goes idle, a ping from router A will still wake things up on router B. Any thoughts?


Arizona:

version 15.6
hostname Arizona
logging monitor informational
enable password
!
aaa new-model
aaa session-id common
ethernet lmi ce
clock timezone Arizona -7 0
!
ip dhcp pool vlan1-pool
import all
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.10.10.1
!
ip domain name Wade
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated

chat-script cdma "" "atdt#777" TIMEOUT 60 "CONNECT"
username Wade privilege 15 password

controller Cellular 0
!

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 112.x.x.x
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map rtp 1 ipsec-isakmp
set peer 112.x.x.x
set transform-set rtpset
match address 115
!
!
interface Loopback0
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ntp broadcast client
!
interface Cellular0
no ip address
encapsulation ppp
dialer in-band
dialer string cdma
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map rtp
!
interface Serial0
no ip address
clock rate 2000000
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 120 interface GigabitEthernet0 overload
ip nat inside source route-map nonat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 70.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
route-map nonat permit 10
match ip address 110
!
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
access-list 115 permit ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
!
control-plane

mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 3
script dialer cdma
no exec
line vty 0 4
transport input telnet ssh
transport output telnet ssh
line vty 5 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp peer time.nist.gov
ntp server 10.10.10.1
!

end

Arizona#


Korea#

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Korea
!
boot-start-marker
boot-end-marker
!
!
logging console notifications
logging monitor notifications
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-3973598961
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3973598961
revocation-check none
rsakeypair TP-self-signed-3973598961
!
!
crypto pki certificate chain TP-self-signed-3973598961
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393733 35393839 3631301E 170D3136 30323034 31393034
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39373335
39383936 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009533 71A3902F 9D5D7F81 553320E6 8D0FDD9D D5CF7AA9 A2029540 1CE76FB2
D63C977D 89F57C86 70F519AB B7726415 9B6B9540 04F4A493 851A49A8 9FC7C01D
EDF238C7 138FCB49 762B5D7F B72D36CE A0CB3516 36D5F04E E3F15C08 D5B4DD36
03D37939 959E90BB 1EB98841 72A44793 75B3F259 3C1828C3 D63EE209 438F47C6
B4A90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142F4920 09ACF85E 90A9C99E 2DE25E87 CA8FACB5 2E301D06
03551D0E 04160414 2F492009 ACF85E90 A9C99E2D E25E87CA 8FACB52E 300D0609
2A864886 F70D0101 05050003 81810054 4D894650 FC9482D6 B3D9BECF BF771D98
CAF2C249 00F1078D 4851F43E 964FA16F BF8F1036 B2E0D201 0B7BD357 A1E0A48E
E37263C6 CB2FF3E8 0CD77A7B 65BEE9A9 A2D3E925 36267956 E5DEC006 C8C7329A
DE4DED4E 5FF0CAEB 8F875798 28DA34D8 E5AB8C37 E5123FD3 0B6F7D9B 9E38A5E5
2C76A5E7 2FE99574 5B8D160F 8E798A
quit
ip cef
!
ip dhcp pool vlan1-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8
!
ip dhcp pool Guest_Wireless
import all
network 10.10.30.0 255.255.255.0
dns-server 203.248.252.2
default-router 10.10.10.1
!
ip dhcp pool vlan40-pool
import all
network 10.10.40.0 255.255.255.0
dns-server 203.248.252.2
default-router 10.10.10.1
!
!
ip domain name Korea
ip name-server 203.248.252.2
no ipv6 cef
!
!
multilink bundle-name authenticate
!
username Alex privilege 15 password 0 $Cu8a
username Wade privilege 15 password 0 Freeflyer1!
!
ip ssh version 2
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 70.x.x.x
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!

!
crypto map rtp 1 ipsec-isakmp
set peer 70.x.x.x
set transform-set rtpset
match address 115
!
interface Loopback0
ip address 10.10.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 30
no ip address
!
interface FastEthernet4
ip address 112.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map rtp
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
no ip address
!
interface Vlan30
description
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 1
network 10.0.0.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 120 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 112.x.x.x
access-list 110 deny ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.40.0 0.0.0.255 any
access-list 115 permit ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
logging synchronous
login local
transport input all
line vty 5 15
logging synchronous
login
transport input all
!
scheduler allocate 20000 1000
ntp source FastEthernet4
ntp server 10.10.10.1
ntp peer time.nist.gov
!
end


Debug======================

Arizona#sh crypto ipsec sa

interface: GigabitEthernet0
Crypto map tag: rtp, local addr 70.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
current_peer 112.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 70.x.x.x., remote crypto endpt.: 112.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x916A13B2(2439648178)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x9D88C6DB(2642986715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80004040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4197236/1454)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x916A13B2(2439648178)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80004040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4197235/1454)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

===================================================
Arizona#sh crypto session
Crypto session current status

Interface: GigabitEthernet0
Session status: UP-ACTIVE
Peer: 112.x.x.x port 500
Session ID: 0
IKEv1 SA: local 70.x.x.x/500 remote 112.x.x.x/500 Active
IPSEC FLOW: permit ip 10.10.20.0/255.255.255.0 10.10.40.0/255.255.255.0


Active SAs: 2, origin: crypto map
===========================================================================
Korea#

Hapjeong#sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: rtp, local addr 112.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 70.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 112.x.x.x, remote crypto endpt.: 70.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x9D88C6DB(2642986715)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x916A13B2(2439648178)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: Onboard VPN:17, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4370350/1512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9D88C6DB(2642986715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000040, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4370351/1512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
Hapjeong#
Hapjeong# sh cry
Hapjeong# sh crypto ses
Hapjeong# sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 70.176.217.29 port 500
IKEv1 SA: local 112.x.x.x/500 remote 70.x.x.x/500 Active
IPSEC FLOW: permit ip 10.10.40.0/255.255.255.0 10.10.20.0/255.255.255.0
Active SAs: 2, origin: crypto map


FYI, access-lists 120 are for my local LAN traffic to be NAT'd from inside to outside. I aimed to give the crypto map process first selection over the NAT process. Grateful for any help!

/w
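An added check, not part of the original post or of either router's configuration: a Python script that parses the access-list lines exactly as posted above and reports any flow protected by the crypto ACL (115) whose first match in a NAT access list (the nonat list 110 or the overload list 120) is a permit, i.e. traffic that the inside-to-outside translation would rewrite before the crypto map gets to classify it. It assumes numbered ACLs with contiguous wildcard masks and the `any`/`addr wildcard` forms used in these configs.

```python
import ipaddress

# Constructed excerpts: the ACL lines copied from the two configs as posted.
ARIZONA = """
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
access-list 115 permit ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
"""
KOREA = """
access-list 110 deny ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.40.0 0.0.0.255 any
access-list 115 permit ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
"""

def _take_net(tok, i):
    """Read one IOS address spec ('any' or 'ADDR WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # an IOS wildcard is an inverted subnet mask (contiguous masks assumed)
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network((tok[i], str(mask)), strict=False), i + 2

def parse_acls(config):
    """Map ACL number -> ordered [(action, src_net, dst_net)] from 'access-list N permit|deny ip' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _take_net(tok, 4)
        dst, _ = _take_net(tok, i)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls

def nat_translates_vpn_traffic(acls, nat_acl, crypto_acl):
    """Protected flows (permits in crypto_acl) whose first match in nat_acl is a permit:
    the NAT rule would translate them before the crypto map ever sees them."""
    leaked = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in acls.get(nat_acl, []):
            if src.overlaps(nsrc) and dst.overlaps(ndst):
                if nat_action == "permit":
                    leaked.append((str(src), str(dst)))
                break  # first matching entry decides, as on the router
    return leaked
```

Run over the posted lines it reports nothing for Arizona, whose list 120 only covers 10.10.10.0/24, but flags Korea's list 120 (10.10.0.0/16, which also contains the 10.10.40.0/24 loopback) as a permit for the 10.10.40.0/24 to 10.10.20.0/24 flow; both nonat lists (110) deny the protected flow first, as intended.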
