cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2259
Views
0
Helpful
15
Replies

Site to Site IPsec up - can ping from router but not from PC on LAN

anthonyfear
Level 1
Level 1

Hi All

I've managed to establish a VPN with another cisco device and can successfully ping a pc on remote end but only if i use command like :

ping 3.0.3.242 source 192.168.6.254

if i try just a ping from router - no luck

if i try to ping from PC on lan - no luck

Config posted below:

Any ideas?

15 Replies 15

Jon Marshall
Hall of Fame
Hall of Fame

Anthony

The problem you have is your crypto map acl is

access-list 114 permit ip 192.168.6.0 0.0.0.255 3.0.0.0 0.255.255.255

so when you use fa0/0 as the source then the address matches ie. 192.168.6.254 is out of the 192.168.6.0/24 network.

But any clients on the 192.168.6.0/24 network will be natted as they go through the router so they will not have a 192.168.6.x address anymore, they will be natted to the public address on the Dialer0 interface. So they will never match on acl 114.

This doesn't apply to packets sourced from fa0/0 ie. they don't get natted.

Jon

Hi Jon

Thanks for your comments - that makes sense but how do i get around it?

I guess I should amend the acl 114? But in what way?

Thanks

Anthony

You do need to amend acl 114. Thing is that your outside address that are you Natting the source addresses to is negotiated so you don't know what it will be, unless you always negotiate the same address.

So the acl would look like -

access-list 114 permit ip host 3.0.0.0 0.255.255.255

you could replace with "any" which would definitely work but it would be better if you could work out the Natted IP.

Jon

Hi Jon

My public is always the same so I changed the acl 114 to :

access-list 114 permit ip host [public IP] 3.0.0.0 0.255.255.255

but i can't ping from router or PC

even if i use source 192.168.6.254

so i deleted acl and tried

access-list 114 permit ip any 3.0.0.0 0.255.255.255

and that didn't work either?

show crypto isakmp

shows the vpn as inactive.

Any ideas?

Are you sure the VPN actually worked beforeyou amended acl 114 because if you use "any" then it should work.

Bear in mind that when you changed acl 114 to use your public IP you also need to amend the acl on the other end as well.

Could you post both configs ?

Jon

Hi jon

The other end is third-party so I can't post config.

I only know VPN works because I can get ping when I use source 192.168.6.254

I tried a debug ip packet 114 and this is the result:

PTIME#ping 3.0.3.242

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.0.3.242, timeout is 2 seconds:

*May 13 17:01:48.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:48.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:48.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, output crypto map check failed..

*May 13 17:01:50.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:50.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:50.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, output crypto map check failed..

*May 13 17:01:52.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:52.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:52.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, output crypto map check failed..

*May 13 17:01:54.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:54.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:54.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, output crypto map check failed..

*May 13 17:01:56.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:56.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:56.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, output crypto map check failed..

Success rate is 0 percent (0/5)

PTIME#

Which I believe shows that it's matching against acl 114 and trying to send? But what does 'output crypto map check failed' mean?

Does that help at all?

Anthony

Anthony

When the ping worked did you actually confirm that the VPN tunnel was up ie.

sh crypto ipsec sa

sh crypto isakmp sa

Could you debug the crypto stuff when you try to make a connection -

debug crypto ipsec

debug crypto isakmp

if this is a busy router best to do this out of hours.

Jon

Hi Jon

Thanks for your help with this - really appreciate it!

Enclosed are two debugs showing what happens when acl 114 is permit ip 192.168.6.0 etc and then again when it's changed to any.

You can see that VPN does not come up when set to permit ip any

Regards

Anthony

Anthony

Can you attach the debugs ?

Jon

opps - here they are

Anthony

Sincere apologies but i have mislead you. Just read the config again and noticed something i missed the first time -

ip nat inside source route-map VPN_1 interface Dialer0 overload

!

ip access-list extended NAT

deny ip 192.168.6.0 0.0.0.255 3.0.0.0 0.255.255.255

permit ip 192.168.6.0 0.0.0.255 any

!

Basically this bit of your config ie. the route-map says not to NAT 192.168.6.0/24 if the destination is 3.0.0.0/8 so your acl 114 is fine.

Really sorry about that - should have looked at the config a bit closer.

So can you run debug for crypto ipsec sa and crypto isakmp sa and then try to connect from a 192.168.6.x client ie not 192.168.6.254.

Could you also let me know the 192.168.6.x address you are using and what you are testing with ie. ping/http etc.

Jon

Hi Jon

Hey no problem - glad we know that was correct anyway!

I've changed acl 114 back to permit ip 192.168.6.x etc.

turned on debug and tried to ping both from router and then from client 192.168.6.1

debugs attached.

Regards

Anthony

Anthony

Well it looks like the tunnel is coming up. Can you do the following

1) Ping from an internal client - NOT 192.168.6.1

2) After you have done the ping can you post the output of (from the router)

sh crypto isakmp sa

sh crypto ipsec sa

Note, before you ping can you make sure the above 2 commands come back with nothing on the router ie. there is no tunnel already established.

Finally are you sure the 3rd party is allowing ping through ?

Jon

Hi Jon

192.168.6.1 is an internal client - it's one of the servers. Any reason why it shouldn't work?

If I use 'ping 3.0.3.242 source 192.168.6.254'it will ping successfully so I presume they are allowing ping through at remote end.

To clear the tunnel should I use 'clear cryto isakmp sa'

Regards

Anthony

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: