Cisco – Traffic from route-map to crypto-map

Tags: cisco, routing, vpn

This is sort of an offshoot of my previous question Ipsec vpn, phase 2 unable to come up. The VPN is up and working but now I'm having an issue with getting the right traffic across it.

The only thing I want to go across it is port 80 traffic. I was looking at the Cisco doc Configuring Tunnel Default Gateway Implementations and was working off of that. I removed the traffic from NAT, that part works. I created a route-map to see that traffic and set a next hop of the remote vpn endpoint. I can see the route-map being hit so it's seeing the traffic. I must be missing something though.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key ******** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
!
!
crypto map IOFVPN 1 ipsec-isakmp 
 description Isle Of Man
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address 154
!
!
!
!
interface FastEthernet0/0
 description Internal 192 Network
 ip address 192.168.30.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address dhcp
 ip access-group 112 in
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 ip policy route-map VPN_WEB
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map IOFVPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 174.59.28.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.30.200 9443 interface FastEthernet0/1 9443
ip nat inside source static tcp 192.168.30.105 5901 interface FastEthernet0/1 5901
ip nat inside source static udp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static udp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static tcp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static tcp 192.168.30.13 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.13 80 interface FastEthernet0/1 80
ip nat inside source route-map POLICY-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.30.20 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.30.60 443 interface FastEthernet0/1 443
!
ip access-list extended NAT
 deny   tcp 192.168.30.0 0.0.0.255 any eq www log
 deny   ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!

access-list 112 remark Explicit accept and deny
access-list 112 deny   udp any any eq snmp
access-list 112 deny   ip host 50.17.67.227 any
access-list 112 deny   ip host 1.93.27.33 any
access-list 112 deny   tcp any any eq telnet
access-list 112 permit tcp host 37.235.50.117 any eq ftp log
access-list 112 permit tcp host 5.255.80.84 any eq ftp log
access-list 112 permit tcp host 66.228.62.226 any eq ftp log
access-list 112 permit tcp host 72.25.5.126 any eq 5901 log
access-list 112 permit tcp host 72.25.5.126 any eq 11111 log
access-list 112 permit tcp host 72.25.5.126 any eq 8000 log
access-list 112 deny   tcp any any eq ftp log
access-list 112 deny   tcp any any eq 3389 log
access-list 112 deny   tcp any any eq 5901 log
access-list 112 deny   tcp any any eq 11111
access-list 112 deny   tcp any any eq 8000
access-list 112 permit ip any any

access-list 154 permit ip 192.168.30.0 0.0.0.255 host 2.2.2.2
access-list 155 permit tcp any any eq www

snmp-server community public RO
no cdp run
!
route-map VPN_WEB permit 1
 match ip address 155
 set ip next-hop 2.2.2.2
!
route-map POLICY-NAT permit 10
 match ip address NAT

In my mind the route-map sees it, changes the next hop, which should then trigger the crypto-map, but that's not happening.

UPDATE: I changed some things around to try to make this easier on myself. On the Linux box I added an eth0:0 of 192.168.10.1 and turned on NAT. I realized if I was passing traffic there, something had to do the NATing.

I read that the ip next-hop falls back to the default route when there is no specific route. So I added:

reverse-route static

Now it shows a route of:

S    192.168.10.0/24 [1/0] via 2.2.2.2

Access lists were changed to:

access-list 154 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 155 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

I changed the route map to point next hop to 192.168.10.1. Still web traffic refuses to go through.

My NAT reads like this:

ip access-list extended NAT
deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any

So if the route-map was actually adding in the next hop of 192.168.10.1, then it should NOT be NATed and should be pushed over the VPN. Not happening. It goes straight out to the internet.

What am I missing here?

UPDATE: Current config. Tunnels are up. Can ping between subnets. www traffic is still going out the local gateway. No www traffic at all without removing the NAT line for www traffic. (I'm saying www traffic is not passing through the VPN because the encap is staying at 0.)

version 12.4
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname Hex-2811
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T5.bin
boot-end-marker
!
no logging buffered
aaa new-model
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
!
no ip bootp server
ip domain name hexhome.int
ip name-server 192.168.30.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
!
voice-card 0
 no dspfarm
!         
archive
 log config
  hidekeys
!
!
ip ssh version 2
! 
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key ******* address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address 160
!
!
interface FastEthernet0/0
 description Internal 192 Network
 ip address 192.168.30.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address dhcp
 ip access-group 112 in
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map IOFVPN
!
ip forward-protocol nd
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.30.45 3001
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.30.60 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.30.20 21 interface FastEthernet0/1 21
ip nat inside source route-map POLICY-NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.30.13 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.13 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static udp 192.168.30.12 32400 interface FastEthernet0/1 32400
ip nat inside source static udp 192.168.30.25 44394 interface FastEthernet0/1 44394
ip nat inside source static tcp 192.168.30.105 5901 interface FastEthernet0/1 5901
ip nat inside source static tcp 192.168.30.200 9443 interface FastEthernet0/1 9443
!
ip access-list extended NAT
 deny   tcp 192.168.30.0 0.0.0.255 any eq www
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
access-list 112 remark Explicit accept and deny
access-list 112 deny   udp any any eq snmp
access-list 112 deny   ip host 50.17.67.227 any
access-list 112 deny   ip host 1.93.27.33 any
access-list 112 deny   tcp any any eq telnet
access-list 112 permit tcp host 37.235.50.117 any eq ftp log
access-list 112 permit tcp host 5.255.80.84 any eq ftp log
access-list 112 permit tcp host 66.228.62.226 any eq ftp log
access-list 112 permit tcp host 72.25.5.126 any eq 5901 log
access-list 112 permit tcp host 72.25.5.126 any eq 11111 log
access-list 112 permit tcp host 72.25.5.126 any eq 8000 log
access-list 112 deny   tcp any any eq ftp log
access-list 112 deny   tcp any any eq 3389 log
access-list 112 deny   tcp any any eq 5901 log
access-list 112 deny   tcp any any eq 11111
access-list 112 deny   tcp any any eq 8000
access-list 112 permit ip any any
access-list 153 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 154 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq 443
snmp-server community public RO
no cdp run
!
route-map VPN_WEB permit 1
 match ip address 153
 set ip next-hop 192.168.10.1
!
route-map POLICY-NAT permit 10
 match ip address NAT

Best Answer

I have to give credit to @ron for this answer.

The policy map was never going to work the way it was previously. @ron suggested a GRE tunnel, then protecting that with IPsec.

interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1420
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 crypto map IOFVPN

and a route to point to the internal subnet on the remote side with a gateway of the remote side.

S    192.168.10.0/24 [1/0] via 10.10.10.1

I've never used GRE before but I will now. Getting the tunnel up was pretty basic on both the Cisco and Linux (Openswan) side. Once that was up and running I tested without IPsec.

On my fa0/0 interface (my internal one) I put:

ip policy route-map PROXY-REDIRECT

! route-map and named ACL names are case-sensitive in IOS, so the same spelling is used throughout
route-map PROXY-REDIRECT permit 100
 match ip address PROXY-REDIRECT
 set ip next-hop recursive 192.168.10.1

The matching ACL is:

ip access-list extended PROXY-REDIRECT
 deny   tcp host 192.168.30.13 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq 443
 permit tcp 192.168.30.0 0.0.0.255 any eq irc
 permit tcp 192.168.30.0 0.0.0.255 any eq 6667
 deny   tcp 192.168.30.0 0.0.0.255 any eq 5938
 deny   tcp any any
 deny   udp any any
 deny   ip any any

As soon as I added that, my traffic started passing the way I wanted it. I'll note here that this ACL could be shrunk. I added the implicit denies because I was having the odd traffic pass over the link.

Once that was verified working, I just needed to wrap it in IPsec. Configuring the Cisco side was easy.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key *********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address IPSEC-GRE-IOF

ip access-list extended IPSEC-GRE-IOF
 permit gre host 1.1.1.1 host 2.2.2.2

** Must use transport mode. It took me a bit to figure that one out.

Apply that crypto map to both f0/1 and tun0 and you have a tunnel.

The Openswan side is what gave me trouble through this whole thing. Their config is a bit odd and it just took some getting used to.

At the end of the day all traffic that I want is peeled off and routed through an IPsec-protected GRE tunnel to a remote endpoint.

Enjoy.
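The following is an added example, not code from the question's author, the answerer or Cisco. It models the two designs on this page side by side: the question's PBR-to-crypto-map attempt and the answer's GRE-over-IPsec design. It assumes a simplified IOS inside-to-outside order (policy routing, then NAT, then the crypto map), reuses the ACL text and addresses from the posted configs, and constructs a web server at 198.51.100.10 plus a LAN client at 192.168.30.50; the outside address is assumed to be the 1.1.1.1 the answer uses as tunnel source. The point it makes is that `set ip next-hop` changes only the forwarding decision, never the IP header the crypto ACL evaluates, so the original ACL 154 (`permit ip 192.168.30.0/24 host 2.2.2.2`) can never match a web flow bound for an arbitrary Internet host, whereas routing the flow into Tunnel0 wraps it in a GRE packet from 1.1.1.1 to 2.2.2.2, which is exactly what `permit gre host 1.1.1.1 host 2.2.2.2` matches.

```python
"""Model of crypto-map selection in the two designs discussed on this page.

Simplified inside-to-outside order on an IOS router: policy routing (PBR) picks
a next hop, NAT may rewrite the source, and only then is the crypto-map ACL
evaluated against the resulting IP header. Example code, not from the page's
author or from Cisco; ACL text and addresses are copied from the posted configs,
the web server 198.51.100.10, the client 192.168.30.50 and the outside address
are constructed/assumed.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "gre": 47}   # 'ip' matches any protocol
PORT_NAME = {"www": 80, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    next_hop: Optional[str] = None   # forwarding decision only; never part of the header


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]


def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24 (contiguous masks assumed)
    prefixlen = 32 - int(ipaddress.IPv4Address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, e.g. 'permit tcp 192.168.30.0 0.0.0.255 any eq www'."""
    tokens = line.split()
    src_net, rest = _take_addr(tokens[2:])
    dst_net, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAME[rest[1]] if rest[1] in PORT_NAME else int(rest[1])
    return Ace(tokens[0], PROTO_NUM[tokens[1]], src_net, dst_net, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ace.src_net
            and ipaddress.ip_address(pkt.dst) in ace.dst_net)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; IOS appends an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def outbound(pkt, pbr_acl, pbr_next_hop, nat_acl, outside_ip, crypto_acl) -> dict:
    """PBR, then NAT, then the crypto map; the crypto ACL only ever sees the header."""
    if acl_permits(pbr_acl, pkt):
        pkt = replace(pkt, next_hop=pbr_next_hop)   # changes where it goes, not src/dst
    if acl_permits(nat_acl, pkt):
        pkt = replace(pkt, src=outside_ip)          # 'overload' NAT rewrites the source
    return {"packet": pkt, "encrypted": acl_permits(crypto_acl, pkt)}


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Routing into Tunnel0 wraps the packet; the outer header is what the crypto map sees."""
    return Packet(src=tunnel_src, dst=tunnel_dst, proto=PROTO_NUM["gre"])


ACL_154_ORIGINAL = [parse_ace("permit ip 192.168.30.0 0.0.0.255 host 2.2.2.2")]
ACL_155 = [parse_ace("permit tcp any any eq www")]
ACL_NAT = [parse_ace(line) for line in (
    "deny tcp 192.168.30.0 0.0.0.255 any eq www",
    "deny ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip any any")]
ACL_IPSEC_GRE_IOF = [parse_ace("permit gre host 1.1.1.1 host 2.2.2.2")]
OUTSIDE_IP = "1.1.1.1"   # assumed: the address the answer uses as tunnel source
WEB = Packet("192.168.30.50", "198.51.100.10", 6, dport=80)   # constructed LAN host -> web server


def pbr_to_crypto_map() -> dict:
    """Original design: PBR sets next hop 2.2.2.2, yet ACL 154 still sees dst 198.51.100.10."""
    return outbound(WEB, ACL_155, "2.2.2.2", ACL_NAT, OUTSIDE_IP, ACL_154_ORIGINAL)


def pbr_into_gre_tunnel() -> dict:
    """Accepted design: PBR sends the flow to 192.168.10.1 via Tunnel0 and GRE wraps it."""
    inner = replace(WEB, next_hop="192.168.10.1")
    outer = gre_encapsulate(inner, "1.1.1.1", "2.2.2.2")
    return {"outer": outer, "encrypted": acl_permits(ACL_IPSEC_GRE_IOF, outer)}


if __name__ == "__main__":
    r1, r2 = pbr_to_crypto_map(), pbr_into_gre_tunnel()
    print("PBR + crypto map:", r1["packet"], "encrypted =", r1["encrypted"])
    print("PBR into GRE    :", r2["outer"], "encrypted =", r2["encrypted"])
```

Running it shows the web packet leaving the first design with its original source (the NAT ACL's `deny tcp ... eq www` keeps it un-NATed) and a next hop of 2.2.2.2 but `encrypted = False`, because nothing in its header is in 2.2.2.2/32; in the second design the same packet comes out as a GRE datagram 1.1.1.1 -> 2.2.2.2 and `encrypted = True`. The same `acl_permits` helper can be pointed at any of the other ACLs on this page (112, 160, PROXY-REDIRECT) to check what a given flow would hit before touching the router.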