Bob007 (Prince Among Men), joined Dec 22, 2003, 585 messages
I am trying to set up a VPN link between 2 Cisco 877 routers. I will post the configs below. But as you can guess, due to me posting, it is not working.
Scenario is as follows.
HostA_Puter needs to connect to a service on HostB_Puter.
They are 1000 miles apart.
HostA_Puter 192.168.1.34 Plugs into switch at 192.168.1.1
HostB_Puter 192.168.100.148 plugs into switch at 192.168.100.1
HostA Switch has a public ip of 1.0.0.35
Hostb Switch has a public ip of 2.0.0.85
All IPs have been changed to protect the innocent and my job
Any help, input, stf bob would be grateful
Thanks in advance.
HostA Config
Code:
! 'enable secret' takes precedence; the reversible 'enable password' below adds nothing but a weaker credential
enable password Password
enable secret S3cret
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostA_SiteToSite
ip domain-name HostA.com
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
username HostAUser privilege 15 secret 0 S3cret
!
line vty 0 4
password S3cret
access-class 99 in
privilege level 15
transport input ssh
transport output none
!
!
!
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
crypto isakmp key PreSharedKey address 2.0.0.85 no-xauth
!
!
crypto ipsec transform-set Site-to-Site ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map HostA_SiteToSite.HostA.com 1 ipsec-isakmp
set peer 2.0.0.85
set transform-set Site-to-Site
match address 111
set security-association lifetime seconds 28800
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 2
no shutdown
!
interface FastEthernet1
switchport access vlan 3
no shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 1.0.0.35 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly
crypto map HostA_SiteToSite.HostA.com
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! NOTE: neither static route carries a next-hop address and there is no default route, so the
! router relies on proxy ARP on Vlan2 to reach 2.0.0.85. The usual form is
! ip route 0.0.0.0 0.0.0.0 <ISP-gateway>   (placeholder: the real gateway is not shown in the post)
ip route 192.168.100.148 255.255.255.255 Vlan2 permanent
ip route 2.0.0.85 255.255.255.255 Vlan2 permanent
!
!
ip http server
no ip http secure-server
ip nat inside source route-map HostA_ROUTE interface Vlan2 overload
!
ip access-list extended NAT_INTERNET
remark HostA_ACL Category=16
deny tcp host 192.168.1.34 host 192.168.100.148 eq 22 log
permit ip host 192.168.1.34 any
!
!
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 100 remark HostA_ACL Category=17
access-list 100 permit udp host 2.0.0.85 host 1.0.0.35 eq non500-isakmp
access-list 100 permit udp host 2.0.0.85 host 1.0.0.35 eq isakmp
access-list 100 permit esp host 2.0.0.85 host 1.0.0.35
access-list 100 permit ahp host 2.0.0.85 host 1.0.0.35
access-list 100 permit tcp host 192.168.100.148 eq 22 host 192.168.1.34 log
access-list 100 permit udp host 2.0.0.85 any eq non500-isakmp
access-list 100 permit udp host 2.0.0.85 any eq isakmp
access-list 100 permit esp host 2.0.0.85 any
access-list 100 permit ahp host 2.0.0.85 any
access-list 100 permit udp any host 1.0.0.35 eq non500-isakmp
access-list 100 permit udp any host 1.0.0.35 eq isakmp
access-list 100 permit esp any host 1.0.0.35
access-list 100 permit ahp any host 1.0.0.35
access-list 100 deny ip any any log
access-list 101 permit tcp host 192.168.1.34 host 192.168.100.148 eq 22 log
access-list 111 remark HostA_ACL Category=20
access-list 111 permit tcp host 192.168.1.34 host 192.168.100.148 eq 22 log
!
!
!
route-map HostA_ROUTE permit 1
match ip address NAT_INTERNET
HostB Config
Code:
! 'enable secret' takes precedence; the reversible 'enable password' below adds nothing but a weaker credential
enable password Password
enable secret S3cret
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HostB_SiteToSite
ip domain-name HostB.com
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
username HostBUser privilege 15 secret 0 S3cret
!
line vty 0 4
password Secr3t
access-class 99 in
privilege level 15
transport input ssh
transport output none
!
!
!
! 'crypto key generate rsa' is an EXEC command (run once so SSH has a host key); it does not appear in a running-config
crypto key generate rsa general-keys modulus 2048 exportable
!
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
crypto isakmp key PreSharedKey address 1.0.0.35 no-xauth
!
!
crypto ipsec transform-set Site-to-Site ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map HostB_SiteToSite.HostB.com 1 ipsec-isakmp
set peer 1.0.0.35
set transform-set Site-to-Site
match address 111
set security-association lifetime seconds 28800
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 2
no shutdown
!
interface FastEthernet1
switchport access vlan 3
no shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 2.0.0.85 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly
crypto map HostB_SiteToSite.HostB.com
!
interface Vlan3
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! NOTE: as on HostA, no next-hop address and no default route; the router relies on proxy ARP
! on Vlan2 to reach 1.0.0.35. The usual form is
! ip route 0.0.0.0 0.0.0.0 <ISP-gateway>   (placeholder: the real gateway is not shown in the post)
ip route 1.0.0.35 255.255.255.255 Vlan2 permanent
ip route 192.168.1.34 255.255.255.255 Vlan2 permanent
!
!
ip http server
no ip http secure-server
ip nat inside source route-map HostB_ROUTE interface Vlan2 overload
!
ip access-list extended NAT_INTERNET
remark IE_ACL Category=16
deny tcp host 192.168.100.148 host 192.168.1.34 eq 22 log
permit ip host 192.168.100.148 any
!
!
access-list 99 permit 192.168.100.0 0.0.0.255
access-list 100 remark HostB_ACL Category=17
access-list 100 permit udp host 1.0.0.35 host 2.0.0.85 eq non500-isakmp
! corrected from 'host 11.0.0.35' (typo in the posted line)
access-list 100 permit udp host 1.0.0.35 host 2.0.0.85 eq isakmp
access-list 100 permit esp host 1.0.0.35 host 2.0.0.85
access-list 100 permit ahp host 1.0.0.35 host 2.0.0.85
! corrected: the SSH request from HostA arrives with destination port 22 on 192.168.100.148, so
! 'eq 22' belongs on the destination (posted line had 'host 192.168.1.34 eq 22 host 192.168.100.148')
access-list 100 permit tcp host 192.168.1.34 host 192.168.100.148 eq 22 log
access-list 100 permit udp host 1.0.0.35 any eq non500-isakmp
access-list 100 permit udp host 1.0.0.35 any eq isakmp
access-list 100 permit esp host 1.0.0.35 any
access-list 100 permit ahp host 1.0.0.35 any
access-list 100 permit udp any host 2.0.0.85 eq non500-isakmp
access-list 100 permit udp any host 2.0.0.85 eq isakmp
access-list 100 permit esp any host 2.0.0.85
access-list 100 permit ahp any host 2.0.0.85
access-list 100 deny ip any any log
! corrected: HostB's replies leave with source port 22, so 'eq 22' belongs on the source
! (posted line had 'host 192.168.100.148 host 192.168.1.34 eq 22', which blocked the return traffic)
access-list 101 permit tcp host 192.168.100.148 eq 22 host 192.168.1.34 log
access-list 111 remark HostB_ACL Category=20
! corrected: the crypto ACL must be the exact mirror of HostA's ACL 111
! (permit tcp host 192.168.1.34 host 192.168.100.148 eq 22), otherwise the phase 2 proxy IDs
! never match; posted line had 'host 192.168.100.148 host 192.168.1.34 eq 22'
access-list 111 permit tcp host 192.168.100.148 eq 22 host 192.168.1.34 log
!
!
!
route-map HostB_ROUTE permit 1
match ip address NAT_INTERNET
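The two configs above differ only by host swaps, which is exactly where a site-to-site tunnel quietly fails: each peer's crypto ACL (the one named by `match address`) has to be the mirror image of the other's, with source and destination addresses and ports swapped, or the phase 2 proxy IDs never agree. The following script is an added example, not code from the original post: it parses the numbered extended ACL referenced by each router's `crypto map`, mirrors one side and diffs it against the other. The sample config fragments are constructed from the posted lines (HostA's ACL 111 and HostB's ACL 111 as posted); the "fixed" HostB line is the assumed correction with `eq 22` moved to the source side. Function and class names are the example's own.

```python
"""Check that the crypto ACLs of two IPsec peers are mirror images (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One permit entry of a Cisco extended ACL, reduced to the 5-tuple the proxy ID carries."""
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirror(self) -> "Flow":
        # What the other peer must permit: addresses and ports swapped.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


_ACE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+log)?$"
)


def _addr(tokens: List[str]) -> Tuple[str, List[str]]:
    # Address forms: 'host A' | 'any' | 'A WILDCARD'
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def _port(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    # Only 'eq PORT' is handled; other operators are not used in the posted configs.
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens


def parse_ace(line: str):
    """Return (acl_number, action, Flow) for a permit/deny line, None for remarks and non-ACL lines."""
    m = _ACE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return m["num"], m["action"], Flow(m["proto"], src, sport, dst, dport)


def crypto_acl(config: str) -> Tuple[str, Set[Flow]]:
    """Find the ACL named by 'match address' in the ipsec-isakmp crypto map and collect its permits."""
    acl = None
    in_map = False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("crypto map ") and "ipsec-isakmp" in s:
            in_map = True
        elif in_map and s.startswith("match address "):
            acl = s.split()[2]
            in_map = False
    if acl is None:
        raise ValueError("no crypto map with 'match address' found")
    flows = set()
    for line in config.splitlines():
        parsed = parse_ace(line)
        if parsed and parsed[0] == acl and parsed[1] == "permit":
            flows.add(parsed[2])
    return acl, flows


def mirror_mismatches(config_a: str, config_b: str) -> Tuple[List[Flow], List[Flow]]:
    """(entries B is missing, entries B has that A does not mirror); ([], []) means the ACLs agree."""
    _, a = crypto_acl(config_a)
    _, b = crypto_acl(config_b)
    expected_b = {f.mirror() for f in a}
    return sorted(expected_b - b, key=str), sorted(b - expected_b, key=str)


# Constructed fragments taken from the posted configs.
HOST_A = """
crypto map HostA_SiteToSite.HostA.com 1 ipsec-isakmp
 set peer 2.0.0.85
 match address 111
access-list 111 remark HostA_ACL Category=20
access-list 111 permit tcp host 192.168.1.34 host 192.168.100.148 eq 22 log
"""
HOST_B_POSTED = """
crypto map HostB_SiteToSite.HostB.com 1 ipsec-isakmp
 set peer 1.0.0.35
 match address 111
access-list 111 permit tcp host 192.168.100.148 host 192.168.1.34 eq 22 log
"""
# Assumed correction: port 22 belongs on HostB's source side.
HOST_B_FIXED = HOST_B_POSTED.replace(
    "host 192.168.100.148 host 192.168.1.34 eq 22", "host 192.168.100.148 eq 22 host 192.168.1.34"
)

if __name__ == "__main__":
    for label, cfg in (("posted", HOST_B_POSTED), ("fixed", HOST_B_FIXED)):
        missing, extra = mirror_mismatches(HOST_A, cfg)
        print(label, "missing on B:", missing, "unexpected on B:", extra)
```

Run it once against the posted HostB config and once against the corrected line: the first run reports HostA's flow mirrored (source port 22 on 192.168.100.148) as missing and the posted entry as unmatched, the second reports nothing. The same mirror check can be run on the interface ACLs 100 and 101, which on HostB have the port on the wrong side for the same reason.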