 VPN HUB to SPOKE topology
Hi, I have a problem with the configuration of a hub-to-spoke VPN tunnel between two Cisco routers. Can you please tell me where the fault is? Here are my configs:

Cisco 2800 (HUB):

dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.100
ip dhcp excluded-address 192.168.7.151 192.168.7.254
!
ip dhcp pool sdm-pool1
   network 192.168.7.0 255.255.255.0
   dns-server x.x.x.x
   default-router 192.168.7.100
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username merkur privilege 15 secret 5 $1$X7yF$hkWEPw0dMNTMGVGYpmdp9/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 94.112.245.x no-xauth
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto map ETH0 1 ipsec-isakmp
 set peer 94.112.245.x
 set transform-set 1cisco
 set pfs group2
 match address 180
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$$FW_OUTSIDE$
 ip address 94.112.251.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map ETH0
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.112.245.x
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LOCAL interface FastEthernet0/0 overload
!
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
logging trap debugging
access-list 180 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
no cdp run

Cisco 800 (HUB):

dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.100
!
ip dhcp pool LAN
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server x.x.x.x
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
username merkur privilege 15 secret 5 $1$20B4$4Hk66M6Pd/4KKAlIFio9M/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 94.112.251.x
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 300
!
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto map ETH4 1 ipsec-isakmp
 set peer 94.112.251.x
 set transform-set 1cisco
 set pfs group2
 match address 180
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN
 ip address 10.0.0.30 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Vlan1
 description LAN
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list LOCAL interface FastEthernet4 overload
!
ip access-list extended LOCAL
 deny   ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
!
logging trap debugging
access-list 180 permit ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
no cdp run
!
!
route-map nonat permit 10
 match ip address LOCAL



Software/Hardware used:
Cisco 2800 series, Cisco 871
ASKED: March 29, 2011  11:25 AM
UPDATED: March 29, 2011  2:18 PM
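Before going to debug output, the two configs can be checked against each other mechanically. The block below is an added example (my code, not the poster's or Cisco's) that parses lines excerpted from the two configs above and reports what a site-to-site IPsec tunnel depends on: mirror-image crypto ACLs, NAT-ACL deny entries that exempt exactly the protected traffic from translation, each router's peer address existing on the other router, and the crypto map being applied to an interface. Octets the poster redacted as 'x' are compared as literal strings.

```python
# Added example (not from the original post): cross-check lines excerpted from the two configs above.
HUB = """\
crypto map ETH0 1 ipsec-isakmp
 set peer 94.112.245.x
interface FastEthernet0/0
 ip address 94.112.251.x 255.255.255.248
 crypto map ETH0
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 180 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255
"""
SPOKE = """\
crypto map ETH4 1 ipsec-isakmp
 set peer 94.112.251.x
interface FastEthernet4
 ip address 10.0.0.30 255.255.255.0
ip access-list extended LOCAL
 deny   ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255
"""

def parse(cfg):
    """Collect the facts the tunnel depends on; ACL entries are ((src, wc), (dst, wc))."""
    f = {"peer": None, "applied": False, "ips": set(), "nat_deny": set(), "crypto": set()}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["set", "peer"]:
            f["peer"] = t[2]
        elif t[:2] == ["ip", "address"]:
            f["ips"].add(t[2])
        elif line[:1] == " " and t[:2] == ["crypto", "map"]:  # indented: applied on an interface
            f["applied"] = True
        elif t[:2] == ["deny", "ip"]:  # deny in the NAT ACL means "do not translate"
            f["nat_deny"].add(((t[2], t[3]), (t[4], t[5])))
        elif t[:3] == ["access-list", "180", "permit"]:  # crypto ACL ('match address 180')
            f["crypto"].add(((t[4], t[5]), (t[6], t[7])))
    return f

def check(hub, spoke):  # findings for the tunnel between the two routers
    out = []
    if hub["crypto"] != {(d, s) for s, d in spoke["crypto"]}:
        out.append("crypto ACLs are not mirror images of each other")
    for n, s, o in (("hub", hub, spoke), ("spoke", spoke, hub)):
        if not s["applied"]:
            out.append(f"{n}: crypto map defined but not applied to any interface")
        if s["nat_deny"] != s["crypto"]:  # exactly the protected traffic must bypass NAT
            out.append(f"{n}: NAT ACL does not exempt exactly the crypto-ACL traffic")
        if s["peer"] not in o["ips"]:
            out.append(f"{n}: peer {s['peer']} is not an interface address on the other router")
    return out
```

Run against the configs as posted it reports two findings: the 2800's peer address 94.112.245.x is not an address configured on the 800 (whose WAN interface is 10.0.0.30), and the 800 defines crypto map ETH4 but never applies it under interface FastEthernet4.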

Answer Wiki:
First problem - your Cisco 800 WAN IP is a 10.x.x.x - a private IP - whereas your 2800 has a public WAN IP. Are these two directly connected? (Figured they weren't, since you ARE setting up a VPN.) Pulled down your configs to clean 'em up a bit - will repost shortly...

-----------------------------------

Part 2: Found a few issues with your configs:

Cisco 2800 Router - You are using a public IP on this router's Fa0/0; this part's fine:

interface FastEthernet0/0
 description ETH-LAN ~ FW_OUTSIDE
 ip address 94.112.251.x 255.255.255.248 (<- Let's call this WAN #1)
 ~ (omitted)
 crypto map ETH0

And a private IP on your internal interface - also OK:

interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.100 255.255.255.0 (<- Let's call this LAN #1)
 ~ (omitted)

There is a small issue on your Cisco 800: you are using a private IP on your "WAN" link - could be a problem:

interface FastEthernet4
 description WAN
 ip address 10.0.0.30 255.255.255.0 (<- Let's call this WAN #2)
 ip nat outside
 ~ (omitted)

ISPs WILL NOT route an RFC 1918 address (private IP) across ANY WAN link. For a VPN, it is best to have a public (static if possible) WAN IP.

Next, there is no configured PHYSICAL port for LAN #2:

interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 description LAN
 ip address 172.16.0.1 255.255.255.0 (<- Let's call this LAN #2)
 ip nat inside

The VLAN interface is fine for internal management, but without a PHYSICAL link to the LAN, traffic from, say, an attached switch will never reach the router. That config would work much better on either Fa0, 1, 2 or 3.

Once the IP addresses are taken care of, there is an immediate question about your ACLs. On the Cisco 2800:

ip nat inside source list LOCAL interface FastEthernet0/0 overload
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.0.255 (<- ??)
 (This line keeps LAN #1 from EVER reaching LAN #2)
 permit ip 192.168.7.0 0.0.0.255 any (<- Seems OK)

Same with your Cisco 800:

ip nat inside source list LOCAL interface FastEthernet4 overload
ip access-list extended LOCAL
 deny ip 172.16.0.0 0.0.0.255 192.168.7.0 0.0.0.255 (<- ??)
 (This line keeps LAN #2 from EVER reaching LAN #1)
 permit ip 172.16.0.0 0.0.0.255 any (<- Seems OK)

With the ACLs in place, the LANs will NEVER cross-talk, thus negating the point of having a VPN in the first place.

Best suggestions:
1) Get a public WAN IP on the 800's "WAN" interface.
2) Put the LAN #2 config on a PHYSICAL port on your 800.
3) Remove or alter the "LOCAL" ACL on both routers - even IF you connect with a VPN, the two LANs will NEVER talk to each other, again making your VPN pointless.

Great resource is Cisco.com to further assist you...
Last Wiki Answer Submitted:  June 11, 2013  3:51 pm  by  Michael Tidmarsh   14,000 pts.
All Answer Wiki Contributors:  Michael Tidmarsh   14,000 pts. , Sixball   8,500 pts.

