VPN HUB to SPOKE topology

Tags:
Cisco 2800
Cisco 800
Cisco Routers
Hubs
VPN design
VPN Tunnel
Hi, I have a problem with the configuration of a hub to spoke VPN tunnel between two Cisco routers. Can you please tell me where the failure is? Here are my configs:

Cisco 2800 (HUB):

dot11 syslog
no ip source-route
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.100
ip dhcp excluded-address 192.168.7.151 192.168.7.254
!
ip dhcp pool sdm-pool1
   network 192.168.7.0 255.255.255.0
   dns-server x.x.x.x
   default-router 192.168.7.100
!
no ip bootp server
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
multilink bundle-name authenticated
!
voice-card 0
!
username merkur privilege 15 secret 5 $1$X7yF$hkWEPw0dMNTMGVGYpmdp9/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 94.112.245.x no-xauth
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto map ETH0 1 ipsec-isakmp
 set peer 94.112.245.x
 set transform-set 1cisco
 set pfs group2
 match address 180
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$$FW_OUTSIDE$
 ip address 94.112.251.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map ETH0
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.112.245.x
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LOCAL interface FastEthernet0/0 overload
!
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
logging trap debugging
access-list 180 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
no cdp run

 

Cisco 800 (HUB):

dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.100
!
ip dhcp pool LAN
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server x.x.x.x
!
no ip bootp server
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
username merkur privilege 15 secret 5 $1$20B4$4Hk66M6Pd/4KKAlIFio9M/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 94.112.251.x
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 300
!
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto map ETH4 1 ipsec-isakmp
 set peer 94.112.251.x
 set transform-set 1cisco
 set pfs group2
 match address 180
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
ip ssh authentication-retries 2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN
 ip address 10.0.0.30 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Vlan1
 description LAN
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list LOCAL interface FastEthernet4 overload
!
ip access-list extended LOCAL
 deny   ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
!
logging trap debugging
access-list 180 permit ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address LOCAL



Software/Hardware used:
Cisco 2800 series, Cisco 871

Answer Wiki


First problem – your Cisco 800 WAN IP is a 10.x.x.x – a Private IP – whereas your 2800 has a Public WAN IP. Are these two directly connected? (Figured they weren’t since you ARE setting up a VPN)

Pulled down your configs to clean em up a bit – will repost shortly…

———————————–
Part 2: Found a few issues with your configs:

Cisco 2800 Router –
You are using a Public IP on this router's Fa0/0; this part's fine:

interface FastEthernet0/0
description ETH-LAN ~ FW_OUTSIDE
ip address 94.112.251.x 255.255.255.248 (<- Let’s call this WAN #1)
~ (omitted)
crypto map ETH0

And a private IP on your internal Interface – also ok:

interface FastEthernet0/1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.7.100 255.255.255.0 (<- Let’s Call this LAN #1)
~ (omitted)

There is a small issue on your Cisco 800:

You are using a Private IP on your “WAN” link – could be a problem:

interface FastEthernet4
description WAN
ip address 10.0.0.30 255.255.255.0 (<- Let’s call this WAN #2)
ip nat outside
~ (omitted)

ISPs WILL NOT route an RFC 1918 address (private IP) across ANY WAN link. For a VPN, it is best to have a Public (static if possible) WAN IP.

Next, there is no configured PHYSICAL port for LAN #2:
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3

interface Vlan1
description LAN
ip address 172.16.0.1 255.255.255.0 (<- Let’s call this LAN #2)
ip nat inside

The VLAN interface is fine for internal management, but without a PHYSICAL link to the LAN, traffic from, say, an attached switch will never reach the router. That config would work much better on either Fa0, 1, 2 or 3.

Once the IP addresses are taken care of, there is an immediate question about your ACLs:

On the Cisco 2800:
ip nat inside source list LOCAL interface FastEthernet0/0 overload

ip access-list extended LOCAL
deny ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255 (<- ??)
(This line keeps LAN #1 from EVER reaching LAN #2)
permit ip 192.168.7.0 0.0.0.255 any (<- Seems ok)

same with your Cisco 800:
ip nat inside source list LOCAL interface FastEthernet4 overload

ip access-list extended LOCAL
deny ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255 (<- ??)
(This line keeps LAN #2 from EVER reaching LAN #1)
permit ip 172.16.0.0 0.0.0.255 any (<- Seems OK)

With the ACLs in place, the LANs will NEVER cross-talk, thus negating the point to having a VPN in the first place.

Best Suggestions:

1) Get a Public WAN IP on the 800’s “WAN” interface
2) Put the LAN #2 config on a PHYSICAL port on your 800
3) Remove or alter the “LOCAL” ACL on both routers – even IF you connect with a VPN, the two LANs will NEVER talk to each other, again making your VPN pointless

A great resource is Cisco.com to further assist you…
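A quick consistency check for a hub/spoke pair like this one, added here as an example and not from the thread: a small Python script (the parse and check functions are mine) that reads excerpts of the two configs and reports whether the crypto ACLs mirror each other, whether each overload NAT list denies the tunnel traffic so it is not translated before encryption, whether each crypto map is actually applied to an interface, whether the WAN addresses are routable, and whether each side's set peer is the other side's WAN address. The masked x octets are filled with assumed values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpts of the two IOS configs posted above, reduced to the lines
# this check reads. The masked "x" octets are assumed values (.5 and .7).
HUB = """ set peer 94.112.245.5
 match address 180
 ip address 94.112.251.7 255.255.255.248
 crypto map ETH0
 deny   ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 180 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255"""
SPOKE = """ set peer 94.112.251.7
 match address 180
 ip address 10.0.0.30 255.255.255.0
 deny   ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255"""
NET = r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"  # "address wildcard" pair

def parse(cfg):
    """Pull the handful of fields that must agree between hub and spoke."""
    f = {"set_peer": re.search(r"set peer (\S+)", cfg)[1],
         "wan": re.search(r"ip address (\S+) \S+", cfg)[1],
         # an indented "crypto map NAME" is the map applied on an interface
         "map_applied": re.search(r"^ crypto map \S+$", cfg, re.M) is not None}
    acl = re.search(r"match address (\d+)", cfg)[1]
    m = re.search(rf"access-list {acl} permit ip {NET} {NET}", cfg)
    # ip_network accepts IOS wildcard (host) masks directly: 192.168.7.0/0.0.0.255
    f["crypto"] = (ip_network(f"{m[1]}/{m[2]}"), ip_network(f"{m[3]}/{m[4]}"))
    f["nat_deny"] = [(ip_network(f"{a}/{b}"), ip_network(f"{c}/{d}"))
                     for a, b, c, d in re.findall(rf"deny +ip {NET} {NET}", cfg)]
    return f

def check(hub_cfg, spoke_cfg):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    h, s = parse(hub_cfg), parse(spoke_cfg)
    issues = []
    if h["crypto"] != s["crypto"][::-1]:
        issues.append("crypto ACLs are not mirror images of each other")
    for side, f in (("hub", h), ("spoke", s)):
        if not f["map_applied"]:
            issues.append(f"{side}: crypto map is defined but not applied to any interface")
        if f["crypto"] not in f["nat_deny"]:
            issues.append(f"{side}: overload NAT would translate the crypto-ACL traffic")
        if ip_address(f["wan"]).is_private:
            issues.append(f"{side}: WAN address {f['wan']} is RFC 1918, not routable")
    for side, mine, other in (("hub", h, s), ("spoke", s, h)):
        if mine["set_peer"] != other["wan"]:
            issues.append(f"{side}: set peer {mine['set_peer']} is not the far WAN address {other['wan']}")
    return issues
```

Run against the excerpts as posted, check(HUB, SPOKE) reports the spoke's private WAN address, the hub peering with an address the spoke does not hold, and a crypto map on the 800 that is never applied to FastEthernet4.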
