Site to Site VPN

Unanswered Question
Jun 17th, 2010

Hello,

I have been trying to establish a Site to Site VPN connection between two offices and have been having some complications. I was wondering if anyone could look at my configurations and let me know what is wrong. Currently the VPN status is up but no traffic is going through. From a PC on site A I am able to ping the LAN interface on the site B router, but no further than that. From site B nothing goes through; the only thing I can do is ping site A's WAN IP.

I have attached the configuration for both routers with the result of some vpn tests.

Thank you,

E.

TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 05:15

Based on this order of operations it would appear that your NAT translation is occurring before your crypto policy is checked, and therefore the traffic doesn't match your encryption domain and isn't sent through the tunnel.

! NAT statement: whatever route-map SDM_RMAP_1 permits is PAT'ed to the Fa0/1 address
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 222.222.69.81 name DefaultRouteToTDS-Router
!
! Crypto ACL 100 (the encryption domain): local LAN 10.58.1.0/24 to remote LAN 10.31.0.0/21
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255
!

NAT Overview

In this table, whether NAT performs the global-to-local or the local-to-global translation differs in each flow.

Inside-to-Outside

  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside

  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

-Todd

TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 05:34

Well, you can disregard my first statement, as you are calling a route-map that doesn't exist, so it shouldn't be doing any NATing. I wonder if you would have any more luck if you removed that statement.

no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

Or, if you can't remove that statement, maybe you could create a route-map SDM_RMAP_1 for your NAT that excludes the traffic you want to encrypt, using source and destination IPs, and permits everything else.

Sorry for the multiple edits to the posts. I'm done.

-Todd

TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 06:16

Maybe you could try to add the following to see if it would help:

! Route-map referenced by the NAT statement: packets the ACL permits are translated
route-map SDM_RMAP_1 permit 10
 match ip address DENY-VPN-TRAFFIC
!
! deny = exempt from NAT, so the VPN traffic still matches crypto ACL 100; everything else is NATed
ip access-list extended DENY-VPN-TRAFFIC
 deny ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255
 permit ip any any

-Todd
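The two posts above describe the IOS inside-to-outside order of operations (NAT runs before the crypto map is checked) and the route-map/ACL exemption that works around it. The following is an added example, not code from the thread: a small simulation of those two steps that walks a packet from the site B LAN through NAT and then the crypto check, with and without the exemption. The WAN address, the sample packets and the `acl_lookup`/`forward_inside_to_outside` names are constructed for illustration; treating a NAT statement that references a non-existent route-map as "translate nothing" is an assumption taken from Todd's second post, not something verified on a router.

```python
"""
Added example (not from the thread): simulate the IOS inside-to-outside
order of operations where NAT happens BEFORE the crypto map is checked.
Shows why NATing the VPN source breaks the match against crypto ACL 100
and why the DENY-VPN-TRAFFIC exemption restores it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination in IOS wildcard form."""
    action: str  # "permit" or "deny"
    src: str     # e.g. "10.58.1.0 0.0.0.255" or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# Crypto ACL 100 from the thread: the encryption domain.
CRYPTO_ACL_100 = [Ace("permit", "10.58.1.0 0.0.0.255", "10.31.0.0 0.0.7.255")]

# Two candidate ACLs for the route-map used by "ip nat inside source route-map ... overload".
NAT_PERMIT_ALL = [Ace("permit", "any", "any")]          # translates everything, VPN included
NAT_EXEMPT_VPN = [                                      # Todd's DENY-VPN-TRAFFIC ACL
    Ace("deny", "10.58.1.0 0.0.0.255", "10.31.0.0 0.0.7.255"),
    Ace("permit", "any", "any"),
]

WAN_IP = "222.222.69.82"  # constructed inside-global (PAT) address, not from the thread


def forward_inside_to_outside(src: str, dst: str, nat_route_map_acl, crypto_acl):
    """
    Walk a packet through the two steps that matter here, in IOS order:
      1. NAT inside->outside (a route-map 'permit' means: translate the source)
      2. crypto map check against the *post-NAT* packet
    nat_route_map_acl=None models the NAT statement pointing at a route-map
    that does not exist (assumed to translate nothing, as stated in the thread).
    Returns (source address as it leaves the router, encrypted?).
    """
    if nat_route_map_acl is not None and acl_lookup(nat_route_map_acl, src, dst) == "permit":
        src_out = WAN_IP      # translated: the source is now the WAN address
    else:
        src_out = src         # exempt, or no NAT at all: source unchanged
    encrypted = acl_lookup(crypto_acl, src_out, dst) == "permit"
    return src_out, encrypted


if __name__ == "__main__":
    # Constructed packet: site B LAN host to a site A host.
    for label, nat_acl in (("no route-map", None),
                           ("route-map permit any", NAT_PERMIT_ALL),
                           ("route-map exempting VPN", NAT_EXEMPT_VPN)):
        print(f"{label:25s}", forward_inside_to_outside("10.58.1.10", "10.31.1.5", nat_acl, CRYPTO_ACL_100))
```

With a permit-all route-map the source leaves as the WAN address and no longer matches ACL 100, so the packet is routed in the clear instead of into the tunnel; with the deny entry in front, the VPN traffic keeps its LAN source and matches, while Internet-bound traffic is still translated. On the real router the equivalent check is Todd's `show ip nat translations`: if the 10.58.1.x source of VPN-bound traffic shows up there, the exemption is not taking effect.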

eweber1234 Thu, 06/17/2010 - 08:24

Todd,

Thank you so very much for your effort to help me,

I have added the lines that you recommended and nothing seems to have changed. I have attached the updated sh running-config for both sites.

Site A router:

AA_To_Ply#
AA_To_Ply#ping 10.58.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.58.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)  <--- Interesting: on the Site A router I CAN NOT ping the Site B LAN interface, but from a client on Site A I can!
AA_To_Ply#

Site A: from my desktop

Pinging 10.58.1.10 with 32 bytes of data:
Reply from 10.58.1.10: bytes=32 time=27ms TTL=254
Reply from 10.58.1.10: bytes=32 time=26ms TTL=254
Reply from 10.58.1.10: bytes=32 time=26ms TTL=254
Reply from 10.58.1.10: bytes=32 time=65ms TTL=254

Ping statistics for 10.58.1.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 65ms, Average = 36ms

U:\>tracert 10.58.1.10

Tracing route to 10.58.1.10 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.31.1.1 <---- Main router on Site A
  2     1 ms     1 ms     1 ms  10.31.1.4  <--- Internal Face of the VPN router on Site A
  3    61 ms    60 ms    68 ms  10.58.1.10  <--- Internal Face of the VPN router on Site B

Trace complete.

I cannot do any of this from site B.

Thank you,

Essi

John Blakley Thu, 06/17/2010 - 08:38

Essi,

You'll need to mirror your config on Router A like you have for Router B. You don't have NATing set up on Router A correctly. You have "ip nat inside" and "ip nat outside" set up on the appropriate interfaces, but you don't have a NAT statement to tell the router what to translate.

Try:

ip nat inside source route-map SDM_RMAP_1 interface fa0/1 overload

HTH,
John
TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 09:14

The reason why you can't ping from router A is that you are not sourcing any traffic that matches your encryption domain. Try pinging while sourcing from fa0/0.

-Todd

TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 09:16

Now, with regard to pinging from Site B to Site A, can you do a traceroute from your PC in Site B to Site A? Also, can you make sure that you don't have a Windows firewall denying ICMP traffic?

Thanks.

-Todd

TODD RIEMENSCHNEIDER Thu, 06/17/2010 - 09:21

Also, when you are pinging from router Ply-to-Main you may want to check your NAT translations to see what, if anything, is getting translated. Your config looks OK to me, so I'm leaning more towards the NAT being the issue, or something on the hosts. There wouldn't be a firewall or anything between the routers and hosts, would there?

