VPN Working however some Apps Not from Remote

Unanswered Question
Mar 1st, 2007

I posted here and got such a good response to my last issue - I hope I am not being a pest.

** Main Location no issues out to internet

crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
 description VPN to PARC
 set peer X.X.X.X
 set transform-set myset
 match address 100
crypto map bhsn 20 ipsec-isakmp
 description VPN to Corneilia
 set peer X.X.X.X
 set transform-set myset
 match address 102
crypto map bhsn 30 ipsec-isakmp
 description VPN to OAK
 set peer X.X.X.X
 set transform-set myset
 match address 103
crypto map bhsn 40 ipsec-isakmp
 description VPN to Wells
 set peer X.X.X.X
 set transform-set myset
 match address 104
!
!
!
interface FastEthernet0
 description inside interface
interface FastEthernet4
 description 5Mb WAN to Primelink
 ip address X.X.X.X 255.255.255.128 secondary
 ip address X.X.X.X 255.255.255.128
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 description Default Gateway fa0-fa3
 ip address 2X.X.X.X 255.255.255.248 secondary
 ip address 192.168.0.11 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1100
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any 192.168.6.0 0.0.0.255
access-list 103 permit ip any 192.168.7.0 0.0.0.255
access-list 104 permit ip any 192.168.5.0 0.0.0.255
access-list 105 permit tcp any any eq 9903
access-list 105 permit tcp any any eq 9902
access-list 105 permit tcp any any eq 9901
access-list 105 permit udp any any eq 9901
access-list 105 permit udp any any eq 9902
access-list 105 permit udp any any eq 9903
no cdp run
route-map nonat permit 10
 match ip address 101

*********************

The remote routers, however, can't seem to get a traceroute through, and the accounting program, POP3 mail and updates aren't working. Here is the config for one of the remotes.

interface FastEthernet4
 description WAN connection to PrimeLink$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.224
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 description Default Gateway fa0-fa3$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip directed-broadcast
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq 9901
access-list 101 permit tcp any any eq 9902
access-list 101 permit tcp any any eq 9903
access-list 101 permit udp any any eq 9901
access-list 101 permit udp any any eq 9902
access-list 101 permit udp any any eq 9903
no cdp run

**

kaachary Sun, 03/04/2007 - 05:03

Hi,

You need to give us more information about the problem. Are you able to ping across the tunnel?

Which IP address are you doing a traceroute to? Where does it go?

-Kanishka

cozyk1515 Mon, 03/05/2007 - 12:17

Here is more information:

Have 4 remote locations and 1 main.

** Currently remotes can't access each other, not even ping. I.e. from remote 1, 192.168.1.X can't ping remote 192.168.3.X.

All remotes can access the main location. All internet traffic has to go through the main router, 192.168.0.11.

** POP MAIL can't be accessed from Remotes.

** Accounting software can't be used at the remotes. The accounting software is installed on local machines but accesses information from request2.paydata.com and request.paydata.com; the remotes can't trace to these, the trace fails at the main router.

kaachary Mon, 03/05/2007 - 12:29

Hi,

Couldn't find 192.168.3.0 in the config you pasted. Assuming it's one of the remote networks, you are missing the deny statements in access-list 101, e.g.

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

You have to put the similar statements for every remote router.

*Please rate if helped.

-Kanishka
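To make the point about the missing deny entries concrete, here is an added example that is not code from the thread or from Cisco. It evaluates the hub's NAT-exemption ACL the way the route-map does (first match wins, anything unmatched hits the implicit deny) and lists the site pairs the router would still hand to NAT instead of exempting. The ACL text is access-list 101 from the question; the site names (taken from the crypto map descriptions), the 192.168.3.0/24 prefix for the remote mentioned above and the one-host-per-prefix probe are assumptions. It also shows why a new deny has to sit above the `permit ... any` line to have any effect.

```python
"""Check a Cisco NAT-exemption ACL (route-map 'nonat') for site pairs it fails to exempt.

Added example, not code from the thread or from Cisco. In a NAT-exemption ACL a
'deny' means "leave this traffic untranslated" and a 'permit' means "translate it".
"""
import ipaddress
from itertools import permutations

# Constructed: the hub's access-list 101 exactly as posted in the question.
HUB_NONAT_ACL = """\
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""

# Constructed: the deny entry the reply says is missing for the 192.168.3.0/24 remote.
MISSING_DENY = "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255\n"

# Assumed site prefixes: names come from the crypto map descriptions and the
# 'match address' ACLs; 'remote3' is an assumed name for the 192.168.3.X remote.
SITES = {
    "main": "192.168.0.0/24",
    "parc": "192.168.1.0/24",
    "cornelia": "192.168.6.0/24",
    "oak": "192.168.7.0/24",
    "wells": "192.168.5.0/24",
    "remote3": "192.168.3.0/24",
}


def _wildcard_to_prefix(wc_text):
    """Convert a Cisco wildcard (inverse) mask such as 0.0.0.255 to a prefix length."""
    wc = int(ipaddress.IPv4Address(wc_text))
    if (wc + 1) & wc:  # set bits are not contiguous from the right: no prefix equivalent
        raise ValueError(f"non-contiguous wildcard: {wc_text}")
    return 32 - wc.bit_length()


def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = _wildcard_to_prefix(tok[i + 1])
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net)] in configured order; only 'ip' entries are handled."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[2], src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation; anything that falls off the end hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def find_unexempted_pairs(entries, sites):
    """Ordered site pairs the route-map would still hand to NAT (action 'permit').

    One representative host per prefix is probed, which is enough for the /24-wide
    entries here but would miss ACEs narrower than a whole site prefix."""
    flagged = []
    for a, b in permutations(sites, 2):
        src = next(ipaddress.ip_network(sites[a]).hosts())
        dst = next(ipaddress.ip_network(sites[b]).hosts())
        if acl_action(entries, str(src), str(dst)) == "permit":
            flagged.append((a, b))
    return flagged


def insert_before_first_permit(text, ace):
    """Place a new deny above the first permit so first-match evaluation honours it."""
    lines = text.strip().splitlines()
    idx = next((i for i, l in enumerate(lines) if l.split()[2] == "permit"), len(lines))
    lines.insert(idx, ace.strip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    posted = parse_acl(HUB_NONAT_ACL)
    print("still NATed as posted:", find_unexempted_pairs(posted, SITES))
    appended = parse_acl(HUB_NONAT_ACL + MISSING_DENY)  # deny below the permit: never reached
    print("deny appended at the end:", find_unexempted_pairs(appended, SITES))
    fixed = parse_acl(insert_before_first_permit(HUB_NONAT_ACL, MISSING_DENY))
    print("deny above the permit:", find_unexempted_pairs(fixed, SITES))
```

Run as posted, the checker flags only the main-to-remote3 pair, because the four existing denies cover the other remotes and traffic sourced from a remote prefix never matches the 192.168.0.0/24 source and so falls through to the implicit deny. Appending the new deny after the `permit ... any` line leaves the pair flagged; inserting it above the permit clears it.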

cozyk1515 Mon, 03/05/2007 - 14:19

Thanks for that help; however, what about not being able to access certain items like the accounting software and POP mail, which should all come from the main router? All internet traffic needs to go through the main router. I tried putting in the ports for the accounting software but that didn't work. Am I missing something to allow the accounting software?

kaachary Mon, 03/05/2007 - 15:49

Hi,

On the Vlan interface on the main router, the TCP MSS is set to a very low value. Some applications require the packet size to be greater.

interface Vlan1
 ip tcp adjust-mss 1100
 exit

Try increasing the TCP MSS size to see if there's any success.

-Kanishka
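For choosing the MSS value, here is an added example that is not code from the thread or from Cisco. It models the per-packet overhead of the transform-set in the question (ESP tunnel mode, 3DES-CBC with HMAC-SHA1-96) using the RFC 4303 ESP field sizes and finds the largest MSS whose full-size segment still fits the link without fragmentation. The 1500-byte link MTU, the absence of NAT traversal and the IP/TCP headers having no options are assumptions; the cipher IV and block size are parameters so the same helper covers AES.

```python
"""ESP tunnel-mode overhead and the largest TCP MSS that avoids fragmentation.

Added example, not code from the thread or from Cisco. Field sizes follow the
RFC 4303 ESP packet format; the link MTU and the no-NAT-T default are assumptions.
"""

OUTER_IP = 20        # outer IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV_SHA1_96 = 12     # HMAC-SHA1 truncated to 96 bits (esp-sha-hmac)
NAT_T_UDP = 8        # UDP/4500 header when NAT traversal is negotiated
IP_TCP_HEADERS = 40  # inner IPv4 + TCP headers without options (assumed)


def esp_padding(inner_len, block=8):
    """Padding ESP adds so that payload + padding + trailer is a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % block


def outer_length(inner_len, iv=8, block=8, nat_t=False):
    """On-the-wire size of one ESP tunnel-mode packet carrying an inner_len-byte IP packet.

    iv/block default to 3DES-CBC (8 bytes each); pass 16 for AES-CBC."""
    size = (OUTER_IP + ESP_HDR + iv + inner_len + esp_padding(inner_len, block)
            + ESP_TRAILER + ICV_SHA1_96)
    return (size + NAT_T_UDP) if nat_t else size


def segment_fits(mss, link_mtu=1500, **kw):
    """True if a full-size segment for this MSS leaves the tunnel without fragmentation."""
    return outer_length(mss + IP_TCP_HEADERS, **kw) <= link_mtu


def max_mss(link_mtu=1500, **kw):
    """Largest MSS for which segment_fits() holds, walking down from the cleartext value.

    Stepping by one byte matters: because of block padding the outer size does not
    shrink monotonically, so a value a few bytes below the limit can still overflow."""
    mss = link_mtu - IP_TCP_HEADERS
    while mss > 0 and not segment_fits(mss, link_mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    # The three adjust-mss values that appear in the thread, checked against a 1500-byte link.
    for mss in (1100, 1400, 1452):
        outer = outer_length(mss + IP_TCP_HEADERS)
        print(f"adjust-mss {mss}: {outer}-byte ESP packet, fits={segment_fits(mss)}")
    print("max MSS, 3DES/SHA1:", max_mss())
    print("max MSS, 3DES/SHA1 + NAT-T:", max_mss(nat_t=True))
    print("max MSS, AES-CBC/SHA1:", max_mss(iv=16, block=16))
```

Under these assumptions the ceiling is 1406 bytes for 3DES/SHA-1 and 1398 with NAT-T or with AES-CBC, so 1400 sits just under the limit, while the remote's 1452 turns into 1544-byte ESP packets that a 1500-byte link has to fragment or drop. If the WAN carries PPPoE or another encapsulation, pass the smaller link MTU instead of 1500.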

cozyk1515 Mon, 03/05/2007 - 18:26

Bumped it to

ip tcp adjust-mss 1400

Still no luck. If I bump it any more I can't get into the database that is at the main site from the remote.

The database gives a socket error. They said to check the ports, which I have open on both ends.
