Cisco 871 VPN Tunnel up, can ping across from clients not routers

Unanswered Question
Jun 9th, 2010
User Badges:

I confess I'm really new to Cisco and using IOS. I've managed to piece together the following configuration for my two Cisco 871's. The tunnel is coming up, and my clients are operating correctly across the tunnel. I have two issues that I just can not figure out.


First Issue:

     I can ping across the tunnel from the clients on either end of the tunnel, but I can't ping across the tunnel from the routers themselves. Actually I can if I use the command Ping 192.168.9.1 source vlan1. But I can't seem to get a route configured to do this without the source command.


Second Issue:

     I want to set up the Router (192.168.9.1) as a DNS forwarder. So that my clients on that end of the tunnel use the router as the dns server. The router should then just forward all dns queries to an IP address on the opposite side of the tunnel.


Any help would be appreciated. I've been working on these two issues for several days, and am just struggling with getting it working.


If it helps. I don't really need NAT on either router. The clients on either side will use a different router for itnernet access. The only traffic going to either router will be utilized only for the VPN tunnel.


Here is the configuration for one of my routers. The router on the other side of the tunnel is just the mirror of this.


Current configuration : 2630 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1619Cisco
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip inspect name IPFW tcp timeout 3600
ip inspect name IPFW udp timeout 15
ip domain name MyDomain.Org
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key <Hidden> address 999.999.999.196
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map GARG-VPN 10 ipsec-isakmp
set peer 999.999.999.196
set transform-set SET1
set pfs group2
match address VPN-ACL
!
archive
log config
  hidekeys
!
!
no ip ftp passive
ip ssh rsa keypair-name 1619Cisco.MyDomain.Org
ip ssh version 2
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 999.999.999.195 255.255.255.248
ip access-group IPFW-ACL in
ip inspect IPFW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map GARG-VPN
!
interface Vlan1
ip address 192.168.1.157 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map NONAT-LAN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 999.999.999.198
!
no ip http server
no ip http secure-server
ip nat inside source route-map NO-NAT interface FastEthernet4 overload
!
ip access-list extended IPFW-ACL
permit udp any any eq isakmp
permit udp any eq isakmp any
permit esp any any
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit gre any any
permit tcp any any eq 22
permit icmp any any echo
deny   ip any any
ip access-list extended NAT-ACL
deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NONAT-LAN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
!
!
!
route-map NONAT-LAN permit 10
match ip address NONAT-LAN-ACL
set interface Loopback0
!
route-map NO-NAT permit 10
match ip address NAT-ACL
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
!
scheduler max-task-time 5000
end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Giuseppe Larosa Wed, 06/09/2010 - 07:56
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kevin,


for the first issue :


we cannot see the IPFW object used for inspect and also how the crypto map GARG-VPN is configured


However, if you think about what you did this may be an expected behaviour:

your VPN is a LAN to LAN VPN that makes possible to communicate over the internet between the IP subnets of the two sites


if you can ping with source vlan1 the other router lan interface or clients you are fine


the crypto-map GARG-VPN if not using a GRE tunnel, and also if using a point to point GRE tunnel, has an ACL that says what should be encrypted and this again is from local LAN IP subnet to remote LAN IP subnet.


So you may be fine about this


second issue:

how the clients get their IP address? by using DHCP or manually?


Hope to help

Giuseppe

kwbrooks39 Wed, 06/09/2010 - 08:17
User Badges:

The IPFW is simply:

     ip inspect name IPFW tcp timeout 3600

     ip inspect name IPFW udp timeout 15


Nothing else to it.


GARG-VPN Cyrpto is:

     crypto map GARG-VPN 10 ipsec-isakmp
     set peer 999.999.999.196
     set transform-set SET1
     set pfs group2
     match address VPN-ACL


VPN-ACL:

     ip access-list extended VPN-ACL
     permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255


I can live with having to use the source vlan1 to ping across the routers. I was just a little perplexed by the behavior. I'm sure it has to do wtih my very limited understanding of how this stuff works.


As far as Issue 2.


The clients are currently using Static IP. If I configure their dns servers using a DNS  on the opposite side of the VPN, it works fine. So for example.

     Client IP 192.168.9.2

     Mask 255.255.255.0

     Client Gateway 192.168.9.1 (Router)

     Client DNS (192.168.1.254)


However I'd like to have the Cient DNS set to 192.168.9.1 and just have the router forward the queries over to 192.168.1.254.


This particular VPN location is very small (Only 2 clients). I don't plan on setting up a network dns server and just want to forward the requests over to an existing server on the opposite side of the VPN. For my other sites this will not be an issue because they will have local DNS servers on the same subnet.


Thanks for any help. And please understand that I really have very little knowledge of this stuff. My configuration thus far has just been put together from various websites and books. I understand some of it, but really very little about GRE or the Crypto features that are being utilized.


Thanks for you patience.

Giuseppe Larosa Wed, 06/09/2010 - 09:40
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kevin,

no problem this is a good place to learn.

Do not consider my notes about GRE they do not apply to your scenario.


From your configuration you use IPSec directly to protect LAN to LAN communication


ip access-list extended VPN-ACL
     permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255


So it is correct that you cannot ping remote LAN without specifying as source the internal LAN on the router, the clients are already on the correct IP subnets.



About configuring the router as DNS server you can have a look at the following:


http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_config_dns_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1063353


However, I can tell you that pointing to the DNS server in the central site it is very common, we use it for more then 100 remote sites with no problem.


So you may be fine with current configuration if everything works




Hope to help

Giuseppe

kwbrooks39 Thu, 06/10/2010 - 11:54
User Badges:

Thanks for the feedback.


I changed the configuration by removing the NAT stuff (It wasn't needed for my application) and updating the default route to point to Fa4 as shown. This allowed me to ping across the routers as I desired.


I'm still not able to get the DNS working. I did try the steps outlined in the address Giuslar specified.


My latest idea on the DNS was to set the Central Router up as a DNS Server. That portion works. From my clients on the Remote side I can set their DNS server to the Central Router and DNS works correctly. I then set up the Remote router to have it's name server set to the Central Router. However it will just no resolve anything. Everything comes back as 'Unrecognized host or address..."


I realize i'm just knit picking, but I really want the clients on the Remote Subnet to have their DNS Server entry pointing to an address on their subnet. I realize it's not necessary and in fact the queries are just being forwarded on to the Central Office. At this point, it's more of me just wanting to find the solution.


Thanks for the clues on the first problem. Anyone have some tips on how I can troubleshoot the DNS problem? It's only occuring on the remote side of the VPN and only when the DNS Queries come from the Remote Router. Do I need to do something to allow the DNS to go from Central Router to Remote router?


Update Config:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GarageCisco
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip inspect name IPFW tcp timeout 3600
ip inspect name IPFW udp timeout 15
ip domain name MyDomain.Org
ip name-server 192.168.1.157
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key address 999.999.999.195
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map 1619-VPN 10 ipsec-isakmp
set peer 999.999.999.195
set transform-set SET1
set pfs group2
match address VPN-ACL
!
archive
log config
  hidekeys
!
!
no ip ftp passive
ip ssh rsa keypair-name GarageCisco.MyDomain.Org
ip ssh version 2
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 999.999.999.196 255.255.255.248
ip access-group IPFW-ACL in
ip inspect IPFW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map 1619-VPN
!
interface Vlan1
ip address 192.168.9.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended IPFW-ACL
permit udp any any eq isakmp
permit udp any eq isakmp any
permit esp any any
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit gre any any
permit tcp any any eq 22
permit icmp any any echo
deny   ip any any
ip access-list extended VPN-ACL
permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
!

!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

GarageCisco#

Actions

This Discussion

Related Content