VPN Configuration & SNMP

mtjones83
Level 1

Hi Everyone,

I have a 1700 router configured for a site-to-site VPN with a 2600 at our head office. The VPN works perfectly and I've had no problems with connectivity since the remote router was installed.

I've been trying to configure our SNMP software to poll the router and it can detect the interfaces (e.g. ATM, FA) but does not receive any SNMP responses after that.

I think it could have something to do with the fact that it seems any traffic from the router's own interface doesn't get routed down the VPN tunnel... for example a PC connected to the switch/router has full connectivity across the VPN and can ping all subnets at our head office, but if I telnet to the router's internal IP (10.200.11.1) and try to ping a device at head office from the command prompt it fails every time.

Any ideas? Remote 1700 config below...

Thanks,

Mike

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Building configuration...

Current configuration : 4053 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname stoke_wan_rtr1
!
!
username admin privilege 15 password ******

memory-size iomem 25
clock timezone London 0
clock summer-time London recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip domain name emr.com
ip name-server 10.206.188.31
ip name-server 10.206.188.32
ip name-server 212.104.130.9
ip name-server 212.104.130.65
ip dhcp excluded-address 10.200.11.151 10.200.11.254
ip dhcp excluded-address 10.200.11.1 10.200.11.99
!
ip dhcp pool local
   import all
   network 10.200.11.0 255.255.255.0
   dns-server 10.206.188.31 10.206.188.32
   domain-name emr.com
   default-router 10.200.11.1
   netbios-name-server 10.206.188.31 10.206.188.32
   lease 7
!
ip audit notify log
ip audit po max-events 100
ip cef
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address *.*.*.*
!
!
crypto ipsec transform-set esp3des-sha esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map EMRCryptoMap 10 ipsec-isakmp
set peer *.*.*.*
set transform-set esp3des-sha
match address WARRINGTON_TUNNEL
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
no fair-queue
!
interface ATM0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
ip address 10.200.11.1 255.255.255.0
ip tcp adjust-mss 1378
speed auto
!
interface Dialer0
ip address *.*.*.* 255.255.255.0
ip access-group 101 in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ****
ppp chap password ****
crypto map EMRCryptoMap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
!
!
ip access-list extended WARRINGTON_TUNNEL
permit ip 10.200.11.0 0.0.0.255 10.200.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.206.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.10.0.0 0.0.255.255
!
access-list 101 remark External Int In Rule
access-list 101 permit ip 10.200.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.206.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq snmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
!
snmp-server community ****** RO
no snmp-server enable traps tty
banner motd ^CC

                                    \\\|///
                                   \\ ~ ~ //
                                   (/ @ @ /)
             +-------------------oOOo-(_)-oOOo------------------+
                 ##############################################
                 #          --- WARNING NOTICE ---            #
                 #                                            #
                 #  THIS SYSTEM IS PRIVATE AND IS RESTRICTED  #
                 #      TO AUTHORISED PERSONNEL ONLY.         #
                 #     UNAUTHORISED ACCESS CAN BE TRACED.     #
                 #   IF YOU ARE UNAUTHORISED DISCONNECT NOW!  #
                 #                                            #
                 ##############################################

^C
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
!
no scheduler allocate
end

7 Replies

Jennifer Halim
Cisco Employee

Yes, the router will use the closest interface to the snmp server to route the traffic. For example, if the snmp server is on the other side of the VPN tunnel, the router will use the external interface to source the traffic as it will be the closest interface towards the snmp server.

In the crypto ACL, you would need to specify ACL sourcing from the router external interface ip address towards the remote LAN subnet (where the snmp server is), and mirror image ACL on the remote site.

Hope that helps.

Thanks for your reply halijenn.

So my current crypto acl looks like this...

ip access-list extended WARRINGTON_TUNNEL
permit ip 10.200.11.0 0.0.0.255 10.200.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.206.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.10.0.0 0.0.255.255

are you saying I need to add the following... ?

permit ip host 88.202.219.161 10.200.0.0 0.0.255.255
permit ip host 88.202.219.161 10.206.0.0 0.0.255.255
permit ip host 88.202.219.161 10.10.0.0 0.0.255.255

88.202.219.161/32 being the router external ip...

Thanks,

Mike

Absolutely correct, and the mirror image ACL on the remote site.

Hi halijenn,

I've done as you recommended but no luck... still can't ping a device on the other side of the VPN and still no SNMP response...

Remote 1700 ACL:

ip access-list extended WARRINGTON_TUNNEL
permit ip 10.200.11.0 0.0.0.255 10.200.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.206.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip host 81.149.170.57 10.200.0.0 0.0.255.255
permit ip host 81.149.170.57 10.206.0.0 0.0.255.255
permit ip host 81.149.170.57 10.10.0.0 0.0.255.255

Head Office 2600 ACL:

ip access-list extended STOKE_TUNNEL
permit ip 10.200.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.206.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.10.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.200.0.0 0.0.255.255 host 81.149.170.57
permit ip 10.206.0.0 0.0.255.255 host 81.149.170.57
permit ip 10.10.0.0 0.0.255.255 host 81.149.170.57

Cheers,

Mike
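As an added check that is not part of the thread, the small script below parses the two crypto ACLs exactly as posted above, evaluates which source/destination pairs count as interesting traffic (first-match, implicit deny), and lists any local entry that has no mirror-image counterpart on the peer. The 1700's ACL before the "host" lines is taken as the first three entries; the SNMP server and PC addresses used to exercise it are constructed.

```python
import ipaddress

# Crypto ACLs copied from the thread: the remote 1700's WARRINGTON_TUNNEL after the "host"
# lines were added, and the head-office 2600's STOKE_TUNNEL (expected to be its mirror image).
ACL_1700 = """
permit ip 10.200.11.0 0.0.0.255 10.200.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.206.0.0 0.0.255.255
permit ip 10.200.11.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip host 81.149.170.57 10.200.0.0 0.0.255.255
permit ip host 81.149.170.57 10.206.0.0 0.0.255.255
permit ip host 81.149.170.57 10.10.0.0 0.0.255.255
"""
ACL_2600 = """
permit ip 10.200.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.206.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.10.0.0 0.0.255.255 10.200.11.0 0.0.0.255
permit ip 10.200.0.0 0.0.255.255 host 81.149.170.57
permit ip 10.206.0.0 0.0.255.255 host 81.149.170.57
permit ip 10.10.0.0 0.0.255.255 host 81.149.170.57
"""

def _addr(tok):
    # Consume one IOS address spec (host A | A WILDCARD); return (network, remaining tokens).
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.IPv4Address(tok[1]))              # wildcard bits set to 0 must match
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))  # invert the wildcard into a netmask
    return ipaddress.IPv4Network((tok[0], mask), strict=False), tok[2:]
def parse_acl(text):
    # Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples.
    out = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[1] == "ip":   # these crypto ACLs only use plain ip entries
            src, rest = _addr(tok[2:])
            dst, _ = _addr(rest)
            out.append((tok[0], src, dst))
    return out
def is_interesting(acl, src, dst):
    # First-match evaluation: the flow is encrypted only if a permit entry matches first.
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action == "permit"
    return False                                 # implicit deny: the packet goes in the clear
def mirror_gaps(local, remote):
    # Local permit entries that have no exact (dst, src) counterpart in the peer's crypto ACL.
    peer = {(sn, dn) for a, sn, dn in remote if a == "permit"}
    return [(str(sn), str(dn)) for a, sn, dn in local if a == "permit" and (dn, sn) not in peer]
```

Run against the original three-line ACL, a flow sourced from the router's external address toward the head-office LAN is not interesting traffic, which is the behaviour described in the opening post; with the "host" lines it is, and the 2600's ACL mirrors every entry.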

Have you also added the NAT exemption for the new crypto ACL line on your HQ 2600 router?

Please share the output of "sh cry ipsec sa" from both routers after the above changes if it still doesn't work, and also the 2600 config.

Thank you.

I've attached a sh run and a sh cry ipsec sa from both routers.

We are not using NAT - if I'm honest the configs were originally written by an ex-colleague, not myself.

Cheers,

Mike

ACL 101 on the 1700 router needs to allow the SNMP traffic from your SNMP server towards the router external interface.

If it still doesn't work, I would suggest that you try removing ACL 101 from both the 1700 external interface and the 2600 external interface. Test again whether it works or not. If it works, try adding ACL 101 back to one router at a time, and check which ACL is causing the issue.