851 Router and 871 VPN Issues Still

Answered Question
Feb 20th, 2007

Main Site

1- All connectivity is fine - Internet, the Database, email, Proxy, etc.

2- VPN Tunnel UP

From Remote Locations

1- VPN Tunnel UP and tests

1- Could ping to main location of 192.168.0.X (yes any IP Address)

2- Couldn't get out to the Internet (GOING THROUGH PROXY SERVER 192.168.0.3 even though I could ping it)

3- Could log into the Database but it just hangs after the login screen. Can ping the Database address of 192.168.0.11 from this location fine, but the login hangs and doesn't respond

*MAIN CONFIG

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
 description VPN to PARC
 set peer X.X.X.X
 set transform-set myset
 match address 100
crypto map bhsn 20 ipsec-isakmp
 description VPN to Corneilia
 set peer X.X.X.X
 set transform-set myset
 match address 102
crypto map bhsn 30 ipsec-isakmp
 description VPN to OAK
 set peer X.X.X.X
 set transform-set myset
 match address 103
crypto map bhsn 40 ipsec-isakmp
 description VPN to Wells
 set peer X.X.X.X
 set transform-set myset
 match address 104
interface FastEthernet4
 WAN
 ip address 216.x.x.x 255.255.255.128 secondary
 ip address 216.x.x.x 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 Gateway
 ip address 216.X.X.X 255.255.255.248 secondary
 ip address 192.168.0.11 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
!
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 101

*REMOTE SITE

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
 description Connect to main BHSN
 set peer X.X.X.X
 set transform-set myset
 match address 100
interface FastEthernet4
 ip address 216.X.X.X 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 Gateway
 ip address 192.168.1.2 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101

Thanks

Kamal Malhotra Tue, 02/20/2007 - 11:25

Hi,

Please run a continuous ping from a host behind the remote device using the command :

ping 192.168.0.3 -f -l 1500

You would probably get something like :

Packet needs to be fragmented but DF set.

Keep lowering the packet size by 100 until you start getting response. Once you get the response, note the packet size and configure the command on the VLAN1 interface of both routers :

ip tcp adjust-mss

HTH,

Please do rate if it helps,

Regards,

Kamal

cozyk1515 Tue, 02/20/2007 - 11:38

Already Tried that didn't work. Maybe I didn't add something earlier.

All internet Traffic from the remotes need to go to the main site and out. The Proxy server is at the main site with an IP of 192.168.0.5 - can ping it but nothing. Same as for the database. The DSL and Fiber connections at the remote are just for tunnel to main office.

Thanks

Gabrielle

Kamal Malhotra Tue, 02/20/2007 - 12:31

Hi Gabrielle,

Please try to issue the following command in the global mode :

cry ipsec df-bit clear

Could you try to access some website with the IP address rather than the name? This would confirm whether or not we are experiencing a DNS issue.

HTH,

Regards,

Kamal

cozyk1515 Tue, 02/20/2007 - 12:47

The IP didn't work. Web browsing I can handle later if I need to - it is more the database that I am worried about. I open the database and Login and it just doesn't respond and hangs there.

kaachary Tue, 02/20/2007 - 15:44

Hi,

Try adding a WINS on the local side. The WINS ip address would be of remote WINS.

If you do not have a WINS at remote site, try adding the entry in lmhost file for the database server.

HTH,

-Kanishka

cozyk1515 Wed, 02/21/2007 - 05:42

Already eliminated the WINS on both sides? Thanks for the idea. I am pulling my hair out!

cozyk1515 Wed, 02/21/2007 - 05:53

What changes would I make to my current config to have all traffic go from the remote site through the main router? Like a 100% encrypted tunnel. I think that this is the way I should go.

Thanks

Gabrielle

Kamal Malhotra Wed, 02/21/2007 - 06:08

Hi Gabrielle,

For that you need to make sure that the remote router has 'any' as the destination in the crypto ACL and the local router has source as 'any' for the same tunnel.

HTH,

Regards,

Kamal

cozyk1515 Wed, 02/21/2007 - 10:26

crypto map bhsn 10 ipsec-isakmp
 description VPN to PARC
 set peer X.X.X.X
 set transform-set myset
 match address 100

Is this where you are referring to? match address any???

Correct Answer
Kamal Malhotra Wed, 02/21/2007 - 10:49

No.

On the remote router, the access-list 100 should look like :

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

On the main router, the access-list 100 should look like :

access-list 100 permit ip any 192.168.1.0 0.0.0.255

HTH,

Regards,

Kamal
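The rule in the answer above (each side's crypto ACL is the mirror image of the other's) is easy to get wrong across several tunnels, and the follow-up question about access-list 101 raises a second trap: on IOS, inside-to-outside traffic is NATed before the crypto map is consulted, so a flow the crypto ACL is meant to encrypt must hit a deny in the route-map ACL first. The script below is an added example written for this thread, not Cisco code or anything the posters ran. It parses the plain `access-list N permit|deny ip SRC DST` lines copied from the configs in this thread, checks that the two crypto ACLs mirror each other, and reports tunnel flows that the route-map ACL would hand to NAT. The names `parse_acls`, `mirror_problems`, `nat_exempt_problems` and `check_pair` are hypothetical; `MAIN_PROPOSED` and `REMOTE_PROPOSED` apply the answer's `any` ACLs with ACL 101 left unchanged, which is an assumption about what the asker would do next, not something the thread states.

```python
"""Check a pair of IOS site-to-site crypto ACLs (added example for this thread,
not Cisco code). Assumes the 'access-list N permit|deny ip SRC DST' syntax used
in the configs above. IOS applies NAT before the crypto map on inside->outside
traffic, so tunnel flows must match a 'deny' in the route-map ACL."""
import re
from ipaddress import IPv4Address, IPv4Network

ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)\s*$")


def _endpoint(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1]), i + 2
    # An IOS wildcard is the inverse of a netmask; invert it explicitly so the
    # ambiguous masks 0.0.0.0 (host) and 255.255.255.255 (any) are read correctly.
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(tokens[i + 1])))
    return IPv4Network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acls(config):
    """Return {acl_number: [(action, src, dst), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        number, action, rest = m.groups()
        tokens = rest.split()
        src, i = _endpoint(tokens, 0)
        dst, _ = _endpoint(tokens, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def mirror_problems(local_acl, remote_acl):
    """Every permit on one side needs the src/dst-swapped permit on the other."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    problems = [f"local permits {s}->{d} but remote lacks {d}->{s}"
                for s, d in sorted(local, key=str) if (d, s) not in remote]
    problems += [f"remote permits {s}->{d} but local lacks {d}->{s}"
                 for s, d in sorted(remote, key=str) if (d, s) not in local]
    return problems


def nat_exempt_problems(crypto_acl, nonat_acl, inside_lan):
    """Report tunnel flows whose first fully matching route-map entry is a
    permit (NAT applies). No match means the ACL's implicit deny: no NAT, fine."""
    problems = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        # Only the part of the flow sourced from the inside LAN is ever NATed.
        if inside_lan.subnet_of(src):
            src = inside_lan
        elif not src.subnet_of(inside_lan):
            continue
        for nat_action, nsrc, ndst in nonat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    problems.append(f"some or all of {src}->{dst} is NATed "
                                    "before the crypto map sees it")
                break
    return problems


# ACL lines copied from the main and remote configs posted in this thread.
MAIN_CURRENT = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
REMOTE_CURRENT = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Assumed next step: the answer's 'any' crypto ACLs with ACL 101 left as is.
MAIN_PROPOSED = MAIN_CURRENT.replace(
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip any 192.168.1.0 0.0.0.255")
REMOTE_PROPOSED = REMOTE_CURRENT.replace(
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any")


def check_pair(main_cfg, remote_cfg):
    """Run both checks for the PARC tunnel (crypto ACL 100, route-map ACL 101)."""
    main, remote = parse_acls(main_cfg), parse_acls(remote_cfg)
    return {
        "mirror": mirror_problems(main["100"], remote["100"]),
        "main_nat": nat_exempt_problems(main["100"], main["101"],
                                        IPv4Network("192.168.0.0/24")),
        "remote_nat": nat_exempt_problems(remote["100"], remote["101"],
                                          IPv4Network("192.168.1.0/24")),
    }
```

Calling `check_pair(MAIN_CURRENT, REMOTE_CURRENT)` reports nothing: the thread's ACLs are already mirrored and ACL 101 denies the tunnel traffic on both routers, which is why the tunnel itself comes up. With the `any` ACLs the mirror check still passes, but on the remote side the check flags `192.168.1.0/24 -> 0.0.0.0/0`: ACL 101 there only denies traffic to 192.168.0.0/24 and permits the rest, so Internet-bound packets would be translated to the FastEthernet4 address and no longer match the crypto ACL. Sending everything through the tunnel therefore also means adding the matching deny (or dropping the NAT rule) in the remote's route-map ACL, which is the part the later question about access-list 101 is asking about.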

cozyk1515 Wed, 02/21/2007 - 10:55

Great - I won't be testing again until tomorrow, but thank you for all your help. I will rate you high; you have been great!

cozyk1515 Thu, 02/22/2007 - 11:04

Kamal

This below is from main router.

What about my access-list 101 and the others on the remote? I understand about access-list 100; do I change this too? access-list 101, 102, 103, 104. 101 is the no-NAT one and 102, 103 and 104 are the other remotes. I assume the other remotes will mimic the access list for 100.

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 101

Thanks

G
