11-28-2008 08:01 AM - edited 02-21-2020 03:08 AM
Hello everybody!
I'm having some issues with an IPSec site-to-site connection between my home 827 and a remote Endian firewall.
The problem is: the connection is established and I can ping remote router's internal IP address but not any other machine in the network.
Also, I can only ping the remote router using my home computer. The Cisco 827 itself cannot ping any remote host.
Here's my config:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco827
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 12
!
clock timezone GMT 0
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool local-lan-pool
network 192.168.1.0 255.255.255.0
domain-name local.lan
default-router 192.168.1.1
dns-server 83.174.45.162
!
!
no ip bootp server
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL sip
ip inspect name FIREWALL http
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL netshow
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
username admin privilege 15 secret SECRETPASSWORD
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key IPSECPASSWD address 62.28.79.6 no-xauth
no crypto isakmp ccm
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer 62.28.79.6
set transform-set tr-3des-sha
match address 110
!
bridge irb
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface BVI1
mac-address xxxx.xxxx.xxxx
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
crypto map cm-cryptomap
!
ip classless
ip route 0.0.0.0 0.0.0.0 77.54.224.1
no ip http server
no ip http secure-server
!
ip nat inside source list 105 interface BVI1 overload
!
access-list 2 remark SSH access
access-list 2 permit 62.28.79.6
access-list 2 permit 213.13.115.23
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Traffic to VPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
*********************************************
*** WARNING! ***
*** ***
*** unauthorized access prohibited! ***
*********************************************
^C
!
line con 0
line vty 0 4
access-class 2 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
transport output none
!
scheduler max-task-time 5000
end
Kind Regards!
12-02-2008 02:14 AM
Hi,
Wrong default gateway on the remote site or routing issue?
Jan
12-02-2008 10:33 AM
It is clear why the 827 cannot ping anything at the remote (at least with standard ping). Here is the access list that identifies traffic for the VPN tunnel to the remote:
access-list 110 remark Traffic to VPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
This access list says that if the source address is not in 192.168.1.0/24 then it does not qualify. And a standard ping from the router would not source from 192.168.1.0. I suspect that if you try extended ping and specify the source as the router Ethernet that the ping would work.
I do not see anything in your config that explains why you cannot ping anything remote other than the remote router inside interface. I suspect that the reason is something in the remote config.
Also I note that there is an access-group 101 configured on the BVI but there is no access list 101. It might be helpful to clean this up.
HTH
Rick
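Added example (my own code, not part of the thread or the Cisco config): a small first-match evaluator for the two IOS access lists in Rui's config, showing why a packet sourced from the router's outside address misses crypto ACL 110 while an extended ping sourced from 192.168.1.1 matches it, and how the deny line in NAT ACL 105 keeps tunnel traffic out of PAT. The outside address 77.54.224.20 is a constructed placeholder; the real BVI1 address comes from DHCP.

```python
import ipaddress

# Copied from the posted config: crypto ACL 110 selects tunnel traffic,
# NAT ACL 105's deny line exempts that same traffic from overload NAT.
ACL_110 = [
    "access-list 110 remark Traffic to VPN",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 any",
]
ACL_105 = [
    "access-list 105 remark Traffic to NAT",
    "access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
]

def _parse_addr(tokens, i):
    """Return ((address, wildcard) as ints, next index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def _matches(spec, ip):
    # Cisco wildcard semantics: bits set in the wildcard are "don't care".
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def acl_action(entries, src, dst):
    """First matching entry wins; IOS applies an implicit deny at the end."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def classify(src, dst):
    """What the 827 does with a packet: encrypt it, NAT it, or forward it in plaintext."""
    if acl_action(parse_acl(ACL_110), src, dst) == "permit":
        return "encrypt"
    if acl_action(parse_acl(ACL_105), src, dst) == "permit":
        return "nat"
    return "plaintext"
```

A standard ping from the router is sourced from the egress interface, so classify("77.54.224.20", "192.168.0.1") lands in neither list and leaves unencrypted, whereas an extended ping sourced from Ethernet0 is selected for the tunnel.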
12-03-2008 02:37 AM
Hi Rick,
I've removed the access-group 101 in the BVI1 interface and tried an extended ping with the source from the router's ethernet address and still no go.
As I said before, I can ping both remote router's ethernet address and one(?) remote machine address from my home network but that's all. Everything else is unreachable.
Kind Regards
Rui
12-03-2008 07:43 AM
Rui
If your home network can ping the remote router and one remote machine, then I think that it shows that there is not a problem on your end. And since I do not see anything in your config that would allow access to some machine but not to others, then I believe that there may be some issue on the remote side. Is it possible that machines at the remote side that you are attempting to ping have firewalls running that do not accept ping? If there is a web server on the remote side, can you establish an HTTP connection? Or if there is an FTP server on the remote side can you establish an FTP connection?
HTH
Rick
12-04-2008 03:57 AM
Hi Rick,
Thanks for your help!
The problem was on the Endian firewall side all the time.
I made a new IPSEC connection between the Cisco 827 and a D-Link DFL-210 and everything is working fine on both sides now.
Kind Regards,
Rui
12-04-2008 10:19 AM
Rui
I am glad that you got your problem resolved. It confirms my suggestion that the problem was on the remote device.
Thank you for posting back to the thread and indicating what the problem was and how you solved it. It makes the forum more useful when people can read about a problem and can read what the cause of the problem was and how the problem was solved.
HTH
Rick