02-20-2007 05:55 AM - edited 02-21-2020 02:53 PM
Main Site
1- All connectivity fine - Internet - the Database - email - Proxy - etc.
2- VPN Tunnel UP
From Remote Locations
1- VPN Tunnel UP and tests
1- Could ping to main location of 192.168.0.X (yes any IP Address)
2- Couldn't get out to the Internet (GOING THROUGH PROXY SERVER 192.168.0.3 even though I could ping it)
3- Could Log into Database but just hangs after the login screen. Can ping the Database address of 192.168.0.11 from this location fine but login hangs and doesn't respond
*MAIN CONFIG
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
description VPN to PARC
set peer X.X.X.X
set transform-set myset
match address 100
crypto map bhsn 20 ipsec-isakmp
description VPN to Corneilia
set peer X.X.X.X
set transform-set myset
match address 102
crypto map bhsn 30 ipsec-isakmp
description VPN to OAK
set peer X.X.X.X
set transform-set myset
match address 103
crypto map bhsn 40 ipsec-isakmp
description VPN to Wells
set peer X.X.X.X
set transform-set myset
match address 104
interface FastEthernet4
WAN
ip address 216.x.x.x 255.255.255.128 secondary
ip address 216.x.x.x 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
Gateway
ip address 216.X.X.X 255.255.255.248 secondary
ip address 192.168.0.11 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
!
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 101
*REMOTE SITE
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
description Connect to main BHSN
set peer X.X.X.X
set transform-set myset
match address 100
interface FastEthernet4
ip address 216.X.X.X 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
Gateway
ip address 192.168.1.2 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 101
Thanks
02-20-2007 11:25 AM
Hi,
Please run a continuous ping from a host behind the remote device using the command :
ping -f -l 1500 192.168.0.3
You would probably get something like :
Packet needs to be fragmented but DF set.
Keep lowering the packet size by 100 until you start getting response. Once you get the response, note the packet size and configure the command on the VLAN1 interface of both routers :
ip tcp adjust-mss
HTH,
Please do rate if it helps,
Regards,
Kamal
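The walk-down procedure above (lower the ICMP data size by 100 until the don't-fragment ping gets a reply, then set the MSS from the size that worked) is easy to get wrong by a few bytes, because Windows "-l" sets only the ICMP data size while the MSS counts TCP payload. The following is an added example, not code from the thread: it runs the same walk-down against an injected probe so it can execute offline, and converts the surviving payload size into the value for "ip tcp adjust-mss". The assumed path MTU of 1400 in the usage is a constructed figure, not a measurement from the poster's links.

```python
# Added example (not from the thread): the ping walk-down from the post,
# followed by the header arithmetic that turns the result into a TCP MSS.
from typing import Callable

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header; Windows "ping -l" sets only the data size
TCP_HEADER = 20     # TCP header without options


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 start: int = 1500, step: int = 100) -> int:
    """Lower the ICMP data size by `step` until `probe` reports a reply.
    `probe(size)` is expected to behave like `ping -f -l <size> <host>`:
    True when an echo reply came back, False on 'needs to be fragmented'."""
    size = start
    while size > 0:
        if probe(size):
            return size
        size -= step
    raise RuntimeError("no reply at any probed size; the problem is not the MTU")


def mss_for_payload(payload: int) -> int:
    """The ICMP packet that got through occupied payload + 28 bytes on the wire;
    a TCP segment of the same wire size carries payload + 28 - 40 bytes, which
    is the MSS that keeps TCP below the same ceiling."""
    path_mtu = payload + IP_HEADER + ICMP_HEADER
    return path_mtu - IP_HEADER - TCP_HEADER


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: the reply arrives only when the whole
    IP packet fits inside the assumed path MTU."""
    def probe(size: int) -> bool:
        return size + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


def recommend_adjust_mss(path_mtu: int, step: int = 100) -> int:
    """Full procedure against the simulated path: walk down, then convert."""
    payload = largest_unfragmented_payload(simulated_probe(path_mtu), step=step)
    return mss_for_payload(payload)


if __name__ == "__main__":
    assumed_mtu = 1400   # constructed value; measure your own path
    print(f"path MTU {assumed_mtu}: ip tcp adjust-mss {recommend_adjust_mss(assumed_mtu)}")
```

Because the walk-down moves in steps of 100, the value it returns can undershoot the real ceiling by up to 99 bytes; calling `recommend_adjust_mss(mtu, step=1)` gives the tight value once the coarse search has found the neighbourhood.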
02-20-2007 11:38 AM
Already tried that; it didn't work. Maybe I didn't add something earlier.
All Internet traffic from the remotes needs to go to the main site and out. The Proxy server is at the main site with an IP of 192.168.0.5 - can ping it but nothing. Same for the database. The DSL and Fiber connections at the remote are just for the tunnel to the main office.
Thanks
Gabrielle
02-20-2007 12:31 PM
Hi Gabrielle,
Please try to issue the following command in the global mode :
cry ipsec df-bit clear
Could you try to access some website with the IP address rather than the name? This would confirm whether or not we are experiencing a DNS issue.
HTH,
Regards,
Kamal
02-20-2007 12:47 PM
The IP didn't work. Web browsing I can handle later if I need to - it is more the database that I am worried about. I open the database and Login and it just doesn't respond and hangs there.
02-20-2007 03:44 PM
Hi,
Try adding a WINS on the local side. The WINS ip address would be of remote WINS.
If you do not have a WINS at remote site, try adding the entry in lmhost file for the database server.
HTH,
-Kanishka
02-21-2007 05:42 AM
Already eliminated the WINS both sides? Thanks for the idea. I am pulling my hair out!
02-21-2007 05:53 AM
What changes would I make to my current config to have all traffic go from the remote site through the main router? Like a 100% encrypted tunnel. I think that this is the way I should go.
Thanks
Gabrielle
02-21-2007 06:08 AM
Hi Gabrielle,
For that you need to make sure that the remote router has 'any' as the destination in the crypto ACL and the local router has source as 'any' for the same tunnel.
HTH,
Regards,
Kamal
02-21-2007 10:26 AM
crypto map bhsn 10 ipsec-isakmp
description VPN to PARC
set peer X.X.X.X
set transform-set myset
match address 100
Is this where you are referring to? match address any???
02-21-2007 10:49 AM
No.
On the remote router, the access-list 100 should look like :
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
On the main router, the access-list 100 should look like :
access-list 100 permit ip any 192.168.1.0 0.0.0.255
HTH,
Regards,
Kamal
02-21-2007 10:55 AM
Great - I won't be testing again until tomorrow, but thank you for all your help - I will rate you high, you have been great!
02-22-2007 11:04 AM
Kamal
This below is from main router.
What about my access-list 101 and the others on the remote? I understand about access-list 100; do I change this too? Access-lists 101, 102, 103, 104: 101 is the non-NAT and 102, 103 and 104 are the other remotes. I assume the other remotes will mimic the access list for 100.
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 101
Thanks
G
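Two things decide whether a packet from the remote LAN rides the tunnel: the crypto ACL that the crypto map matches on (access-list 100 here) and the NAT-exemption ACL behind "route-map nonat" (access-list 101). On IOS, inside-to-outside traffic is translated before the crypto map is consulted, so a packet that ACL 101 still permits for NAT leaves with the WAN address as its source and no longer matches a crypto ACL written for 192.168.1.0/24. The following is an added example, not code from the thread or from Cisco: it models that order of operations on the ACL lines quoted in the thread and checks the mirror-image requirement Kamal describes. The addresses 198.51.100.1 (standing in for the masked 216.x.x.x WAN address) and 203.0.113.10 (an Internet host) are constructed placeholders.

```python
# Added example (not from the thread): how an IOS router with
# "ip nat inside source route-map nonat interface FastEthernet4 overload" and a
# crypto map disposes of a packet leaving the inside interface.
import ipaddress

OUTSIDE_IP = "198.51.100.1"   # placeholder for the router's masked WAN address

MAIN_ACLS = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
MAIN_ACLS_FULL_TUNNEL = """
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
REMOTE_ACLS_ORIGINAL = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Widened crypto ACL with the NAT-exemption ACL 101 left as it was.
REMOTE_ACLS_CRYPTO_ONLY = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Same crypto ACL, with 101 widened so nothing from the LAN is translated.
REMOTE_ACLS_FULL_TUNNEL = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
"""

ANY = (0, 0xFFFFFFFF)   # network 0 with an all-ones wildcard matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _match_spec(tokens, i):
    """Read either 'any' or 'network wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _match_spec(t, 4)
        dst, _ = _match_spec(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def _matches(ip, spec):
    net, wildcard = spec
    return (ip ^ net) & (~wildcard & 0xFFFFFFFF) == 0


def acl_action(entries, src, dst):
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"            # implicit deny at the end of every IOS ACL


def outbound_disposition(acl_text, src, dst, nonat="101", crypto="100"):
    """Inside-to-outside on IOS: NAT runs first, then the crypto map is
    evaluated against the (possibly translated) packet."""
    acls = parse_acls(acl_text)
    src_ip, dst_ip = _ip(src), _ip(dst)
    translated = acl_action(acls.get(nonat, []), src_ip, dst_ip) == "permit"
    if translated:
        src_ip = _ip(OUTSIDE_IP)     # PAT rewrote the source to the WAN address
    if acl_action(acls.get(crypto, []), src_ip, dst_ip) == "permit":
        return "encrypted"
    return "plain-internet" if translated else "routed-untranslated"


def is_mirror(acl_a_text, acl_b_text, number="100"):
    """Crypto ACLs on the two peers must be mirror images: every permit on one
    side has its source/destination swapped twin on the other."""
    a = {(s, d) for act, s, d in parse_acls(acl_a_text).get(number, []) if act == "permit"}
    b = {(s, d) for act, s, d in parse_acls(acl_b_text).get(number, []) if act == "permit"}
    return a == {(d, s) for s, d in b}


def remote_to_internet():
    """Where a remote LAN host's packet to an Internet address ends up under
    each of the three remote configurations."""
    return {name: outbound_disposition(text, "192.168.1.10", "203.0.113.10")
            for name, text in [("original", REMOTE_ACLS_ORIGINAL),
                               ("crypto_only", REMOTE_ACLS_CRYPTO_ONLY),
                               ("full_tunnel", REMOTE_ACLS_FULL_TUNNEL)]}


if __name__ == "__main__":
    for name, result in remote_to_internet().items():
        print(f"{name:12s} 192.168.1.10 -> 203.0.113.10 : {result}")
    print("mirror, original pair   :", is_mirror(MAIN_ACLS, REMOTE_ACLS_ORIGINAL))
    print("mirror, full-tunnel pair:", is_mirror(MAIN_ACLS_FULL_TUNNEL, REMOTE_ACLS_FULL_TUNNEL))
```

The "crypto_only" case is the one to watch for when widening a crypto ACL: the packet is still translated because ACL 101 permits it, so it goes out in the clear instead of into the tunnel, and nothing in "show crypto ipsec sa" will count it. The model does not cover the main router's ACLs 102 to 104 for the other remotes, but the same two checks apply to each pair.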
02-23-2007 04:35 AM
TTT