05-03-2007 10:24 PM - edited 02-21-2020 03:01 PM
Using SDM (V2.34) I created a GRE tunnel between Cisco routers (2811 and 2801). The tunnel is up, and Test Connection (SDM tool) reports that the tunnel is OK. Pinging sites on the other side works. But no application (NetBIOS, RDP, WWW) works.
Please tell me where my mistake is.
Configurations
On one side (Cisco router 2811)
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY1 address X.X.X.189
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to X.X.X.189
set peer X.X.X.189
set transform-set ESP-3DES-SHA
match address 110
!
!
!
interface Tunnel0
ip unnumbered FastEthernet0/0
ip mtu 1420
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination X.X.X.189
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.0.245 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Internet$ETH-WAN$$FW_OUTSIDE$
ip address Y.Y.Y.101 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
!
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.102
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 remark ACL for NAT
access-list 101 deny gre host Y.Y.Y.101 host X.X.X.189
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 110 remark SDM_ACL Category=4
access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189
!
On other side (Cisco router 2801)
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY1 address Y.Y.Y.210
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Y.Y.Y.210
set peer Y.Y.Y.210
set transform-set ESP-3DES-SHA
match address 110
!
!
!
interface Tunnel0
ip unnumbered FastEthernet0/0
ip mtu 1420
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination Y.Y.Y.210
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.245 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Internet$ETH-WAN$$FW_OUTSIDE$
ip address X.X.X.189 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
!
ip route 0.0.0.0 0.0.0.0 X.X.X.189
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 remark ACL for NAT
access-list 101 deny gre host X.X.X.190 host Y.Y.Y.210
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 110 remark SDM_ACL Category=4
access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189
!
05-04-2007 01:41 PM
Try configuring 'ip tcp adjust-mss 1420' under the int f0/0 and test the connectivity.
HTH
Sundar
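The reason a one-line MSS clamp fixes "ping works, applications don't" is an MTU budget problem, and it can be worked through with the numbers on this page. The following is an added illustration by the editor, not code from the thread or from Cisco: it sizes a TCP segment from the LAN after GRE encapsulation and ESP tunnel-mode protection with the ESP-3DES-SHA transform-set in the configs above, assuming a 1500-byte MTU on the LAN and WAN links, GRE without key/sequence/checksum options, and the standard ESP header, IV, trailer and HMAC-SHA1-96 ICV sizes. Small pings fit; a full-size segment from a host advertising the default MSS of 1460 does not, and with `tunnel path-mtu-discovery` setting DF on the GRE packet it is dropped rather than fragmented on the way.

```python
# Added example (editor's illustration, not from the thread or from Cisco):
# MTU/MSS budget for a GRE tunnel protected by an IPsec crypto map with the
# ESP-3DES-SHA transform-set. Link MTU of 1500 is assumed.

ETH_MTU = 1500          # assumed LAN/WAN MTU
IP_HDR = 20             # IPv4 header without options
TCP_HDR = 20            # TCP header without options
GRE_HDR = 4             # GRE with no key/sequence/checksum, as in the configs
ESP_HDR = 8             # SPI + sequence number
ESP_IV_3DES = 8         # one 3DES-CBC block
ESP_TRAILER = 2         # pad length + next header
ESP_ICV_SHA1 = 12       # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 8        # 3DES block size; plaintext + pad + trailer is padded to it
DEFAULT_MSS = 1460      # what a host on a 1500-byte MTU LAN advertises by default


def esp_padding(plaintext_len):
    """Pad bytes ESP-3DES adds so plaintext + pad + trailer is a block multiple."""
    return (-(plaintext_len + ESP_TRAILER)) % CIPHER_BLOCK


def gre_over_ipsec_size(inner_len):
    """Wire size of an inner IP packet after GRE encapsulation and ESP tunnel mode.

    Layout: [outer IP][ESP hdr][IV][GRE IP][GRE][inner packet][pad][trailer][ICV]
    With a crypto ACL of 'permit gre host A host B', as on this page, the whole
    GRE packet is the ESP plaintext and gets its own outer IP header.
    """
    gre_packet = IP_HDR + GRE_HDR + inner_len
    return (IP_HDR + ESP_HDR + ESP_IV_3DES + gre_packet
            + esp_padding(gre_packet) + ESP_TRAILER + ESP_ICV_SHA1)


def largest_inner_packet(wire_mtu=ETH_MTU):
    """Largest inner packet that still fits in wire_mtu after encapsulation."""
    for n in range(wire_mtu, 0, -1):
        if gre_over_ipsec_size(n) <= wire_mtu:
            return n
    return 0


def mss_for(inner_mtu):
    """TCP MSS that makes a full segment exactly fill inner_mtu."""
    return inner_mtu - IP_HDR - TCP_HDR


def inner_packet_for(mss):
    """Inner IP packet size produced by a full TCP segment of the given MSS."""
    return mss + IP_HDR + TCP_HDR


def budget(tunnel_ip_mtu=1420, clamped_mss=1420):
    """Work the page's numbers: SDM's 'ip mtu 1420' and the suggested adjust-mss."""
    return {
        # a default-MSS segment after GRE + ESP: larger than the 1500-byte link
        "default_mss_wire_size": gre_over_ipsec_size(inner_packet_for(DEFAULT_MSS)),
        # the largest inner packet the link can carry without fragmenting
        "largest_inner_packet": largest_inner_packet(),
        # what a host clamped to clamped_mss will send
        "clamped_inner_packet": inner_packet_for(clamped_mss),
        # does that still fit the tunnel interface's 'ip mtu'?
        "fits_tunnel_mtu": inner_packet_for(clamped_mss) <= tunnel_ip_mtu,
        # the clamp value that matches the tunnel's ip mtu exactly
        "mss_matching_tunnel_mtu": mss_for(tunnel_ip_mtu),
    }


if __name__ == "__main__":
    for key, value in budget().items():
        print(f"{key}: {value}")
```

Two things the numbers show. First, the tunnel's `ip mtu 1420` from SDM is consistent with the 3DES/SHA overhead: 1422 bytes is the largest inner packet that fits a 1500-byte link, so 1420 leaves the tunnel just under the limit. Second, a 1420-byte MSS still yields 1460-byte inner packets, which exceed that tunnel MTU, so the router must still fragment or rely on PMTUD for full-size segments; an MSS of 1380 is the value that matches `ip mtu 1420` exactly. Cisco's usual guidance for GRE over IPsec (`ip mtu 1400` with `ip tcp adjust-mss 1360`) is a more conservative pairing of the same two knobs, and either way the clamp belongs on the LAN-facing interface so that both directions of the TCP handshake are rewritten.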
05-07-2007 06:58 PM
Thank you for your answer. This resolved my problem.
If possible, I have a question.
While trying to solve the problem I found an example:
http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a0080189153.shtml
This example differs from my config in the ACL that is applied to the crypto map (access-list 110 in my config).
In my config the ACL permits GRE between the Internet interfaces of the routers:
access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189
In the example the ACL permits all IP between the private subnets:
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
When I modified the ACL, everything worked correctly.
My question is:
Which config is more correct? (Where can I read about this?)
Why didn't the first config work without 'ip tcp adjust-mss 1420' under int f0/0, and why does it work without this command with the modified ACL?
Thank you for your consideration.