VPN Site to Site (Cisco), how do I use a Proxy Server at Site A in Site B?
Hi all!
I have configured this site to site VPN with Cisco routers (model 871) and IPSec. I have at Site A a proxy server (2 network cards, one connected to the local LAN, the other to an external network) to allow its users to access a private Web Site; their browser (Internet Explorer) has been configured to use the local IP address of this Proxy server on port 8080. This VPN is working, I can ping from site B the IP of the proxy, but when trying to access the Private Web Site with a client of site B (same configurations) I don't get any response.
Does anybody have a suggestion?
I'm not a CISCO expert so I might have forgotten some settings!!
Current configuration : 5899 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$iNog$STHK/DVnG8MJ9bDgXxveW.
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1269590865
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1269590865
revocation-check none
rsakeypair TP-self-signed-1269590865
!
!
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name KCZ
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
multilink bundle-name authenticated
!
!
username xxxxxxx privilege 15 secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxx
username xxxxxxx privilege 15 secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.28.1.14 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (GW ISP)
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool KCZ_POOL xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.240
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.28.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.28.1.0 0.0.0.255 172.28.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.28.1.0 0.0.0.255 172.28.0.0 0.0.0.255
access-list 101 permit ip 172.28.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
The configuration at site A is the same but with mirrored subnets when talking about the access-lists.
I also ran the command show control-plane host open-ports to see which ports are open and have noticed port 8080 is not on the list. How can I open it, and with which command line?
CISCO-KIE#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address      Service         State
tcp   *:22           *:0                  SSH-Server      LISTEN
tcp   *:23           *:0                  Telnet          LISTEN
tcp   *:80           *:0                  HTTP CORE       LISTEN
tcp   *:23           172.28.0.34:57543    Telnet          ESTABLIS
tcp   *:443          *:0                  HTTP CORE       LISTEN
udp   *:67           *:0                  DHCPD Receive   LISTEN
Thx guys! All answers are welcome.
Sebastian
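The `show control-plane host open-ports` output above lists only the services the router itself listens on (SSH, Telnet, HTTP, DHCP); traffic that merely transits the router toward a host on the other LAN never appears there, so the absence of 8080 is expected. What does decide whether a client-to-proxy flow is carried through the tunnel is the interaction of the two access-lists in the posted configuration: access-list 100 selects the "interesting" LAN-to-LAN traffic for the crypto map, and the `deny` entry in access-list 101 keeps that same traffic out of NAT. On IOS the inside-to-outside NAT translation happens before the crypto map is consulted, so without that exemption the source address becomes the WAN address and the flow no longer matches the crypto ACL. The following script is an added example written for this page, not code from the original post or from Cisco: it parses the two ACLs (wildcard masks, `any`, `host`, optional `eq` port, implicit deny) and evaluates what the router will do with a given flow. The client address 172.28.1.20, the proxy address 172.28.0.10 and the WAN placeholder 198.51.100.14 are constructed values; the post masks the real WAN address.

```python
"""Check whether a LAN-to-LAN flow is tunnelled or NATed by a Cisco IOS router,
using the crypto-map ACL and the NAT ACL from its configuration (added example).

Model: inside->outside NAT is applied before the crypto map, so a flow that the
NAT ACL permits carries the WAN source address when the crypto ACL is checked.
Both ACLs are first-match with an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ACLs in the posted configuration.
CONFIG = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.28.1.0 0.0.0.255 172.28.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.28.1.0 0.0.0.255 172.28.0.0 0.0.0.255
access-list 101 permit ip 172.28.1.0 0.0.0.255 any
"""

# Constructed variant with the NAT exemption removed, to show the failure mode.
CONFIG_NO_EXEMPTION = CONFIG.replace(
    "access-list 101 deny ip 172.28.1.0 0.0.0.255 172.28.0.0 0.0.0.255\n", "")


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src_net: int
    src_mask: int          # wildcard inverted into a normal mask
    dst_net: int
    dst_mask: int
    dport: Optional[int]   # destination port from "eq <port>", if present


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok))
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return net & mask, mask


def parse_acls(config: str) -> dict:
    """Return {acl_number: [Ace, ...]} for the numbered access-lists in config."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        acls.setdefault(number, [])
        if tokens[2] == "remark":
            continue
        action = tokens[2]
        if 1 <= number <= 99:                       # standard ACL: source only
            proto, rest = "ip", tokens[3:]
            if len(rest) == 1 and rest[0] != "any":  # "permit A.B.C.D" = host
                rest = ["host", rest[0]]
            src, dst = _parse_addr(rest), (0, 0)
        else:                                       # extended ACL
            proto, rest = tokens[3], tokens[4:]
            src = _parse_addr(rest)
            if rest[:1] == ["eq"]:                  # source-port qualifier: skipped
                del rest[:2]
            dst = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acls[number].append(Ace(action, proto, *src, *dst, dport))
    return acls


def _matches(ace, proto, src, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if (src & ace.src_mask) != ace.src_net or (dst & ace.dst_mask) != ace.dst_net:
        return False
    return ace.dport is None or ace.dport == dport


def acl_action(aces, proto, src, dst, dport=None) -> str:
    """First-match evaluation with the implicit deny at the end."""
    for ace in aces:
        if _matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


def classify_flow(config, proto, src_ip, dst_ip, dport=None,
                  crypto_acl=100, nat_acl=101, wan_ip="198.51.100.14"):
    """Decide whether an inside->outside flow is translated and/or tunnelled.
    wan_ip stands in for the masked FastEthernet4 address (constructed)."""
    acls = parse_acls(config)
    src, dst = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    natted = acl_action(acls[nat_acl], proto, src, dst, dport) == "permit"
    # NAT precedes the crypto map, so a translated packet shows the WAN source.
    crypto_src = int(ipaddress.IPv4Address(wan_ip)) if natted else src
    tunnelled = acl_action(acls[crypto_acl], proto, crypto_src, dst, dport) == "permit"
    return {"natted": natted, "tunnelled": tunnelled}


def find_unexempted_crypto_traffic(config, crypto_acl=100, nat_acl=101):
    """Crypto-ACL permit entries that the NAT ACL would still translate.
    Each entry is probed with its network base addresses, which is exact for
    the whole-subnet entries used in the posted configuration."""
    acls = parse_acls(config)
    return [ace for ace in acls[crypto_acl] if ace.action == "permit" and
            acl_action(acls[nat_acl], ace.proto, ace.src_net, ace.dst_net, ace.dport) == "permit"]


if __name__ == "__main__":
    for name, cfg in (("posted config", CONFIG), ("without NAT exemption", CONFIG_NO_EXEMPTION)):
        print(name, "client -> proxy:8080 ->", classify_flow(cfg, "tcp", "172.28.1.20", "172.28.0.10", 8080))
        print(name, "unexempted crypto entries:", len(find_unexempted_crypto_traffic(cfg)))
```

With the ACLs as posted, the client-to-proxy flow is exempt from NAT and enters the tunnel, so the router side of this design is consistent; a configuration that lacks the `deny` in access-list 101 sends the same flow out translated and in the clear. Since ping already works across the tunnel, the remaining difference between ICMP and TCP 8080 has to be looked for on the proxy host itself (which interface and source networks the proxy service accepts, and the host firewall), not in the router's open-ports list.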