
Cisco site-to-site VPN behind non cisco VDSL modem

Unanswered Question
Jan 31st, 2014

Hello,

I had a working site-to-site between a Cisco 1841 (IOS 12.4) and a Cisco 876 router (IOS 12.3)...

The problem started when the 876 side upgraded to VDSL, so I can't use the 876 to connect and now I'm behind an ISP's VDSL modem...

I followed the template at

http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml

and have a site-to-site VPN connection. The only problem is that while I can ping and access from the 876 to the 1841, I can't ping or access (except for the 876) from the 1841 to the 876...

I would appreciate any help or hint...

Regards

EDIT: I don't know if it helps, but on the 876 I'm using double NAT; I didn't switch the modem to bridge mode, but since it's a tunnel, I don't think it's an issue...

Vlan2 takes an IP in the 192.168.254.0 range and the modem has 192.168.254.254.

Here is the result of "sh ip route":

     10.0.0.0/24 is subnetted, 2 subnets
D       10.10.10.0 [90/2818560] via 10.0.0.2, 01:10:03, Tunnel0
C       10.0.0.0 is directly connected, Tunnel0
C    192.168.254.0/24 is directly connected, Vlan2
S    192.168.2.0/24 is directly connected, Tunnel0
C    192.168.3.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [254/0] via 192.168.254.254


Also, when I issue "sh crypto isakmp sa" I get the local IP address in the src column:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
83.xxx.xxx.xxx  192.168.254.17  QM_IDLE           2004 ACTIVE



Here is the NAT part of the 876:

!
crypto map vpnmap1 local-address Vlan2
!
interface Vlan1
 description --- LAN ---
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Vlan2
 description --- WAN ---
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 crypto map vpnmap1
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip nat inside source route-map NAT interface Vlan2 overload
!
route-map NAT permit 10
 match ip address PAT
 match interface Vlan2
!
ip access-list extended PAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.254.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!


Message was edited by: gerasimos_h
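As an added example (my own code, not from the thread or from Cisco), a small Python model of how the posted route-map NAT decides whether a packet is translated: IOS evaluates the PAT ACL first-match with an implicit deny, and the `match interface Vlan2` clause means only packets actually leaving Vlan2 are PATed. The flow addresses are constructed, and the parser assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed from the NAT section of the 876 config posted above.
# "ip nat inside source route-map NAT ..." translates a packet only when
# route-map NAT matches, and route-map NAT requires BOTH the PAT ACL to
# permit the packet AND the packet to leave through Vlan2.
PAT_ACL = """
deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.254.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
"""
NAT_MATCH_INTERFACE = "Vlan2"


def _parse_addr(tokens, i):
    """Parse one IOS address spec ('any', 'host A', or 'A wildcard').
    Returns (network, index of next token); assumes a contiguous wildcard."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefixlen = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False), i + 2


def parse_acl(text):
    """Turn 'permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, i = _parse_addr(tokens, 2)      # tokens[1] is the protocol, "ip"
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def acl_permits(entries, src, dst):
    """IOS semantics: first matching entry wins; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def will_be_natted(src, dst, egress, acl_text=PAT_ACL, nat_iface=NAT_MATCH_INTERFACE):
    """True if the 876 would PAT this packet out Vlan2 (i.e. it bypasses the tunnel)."""
    return egress == nat_iface and acl_permits(parse_acl(acl_text), src, dst)
```

Note that the ACL only exempts 192.168.3.0/24 to 192.168.2.0/24; traffic to 10.10.10.0/24 stays untranslated solely because the EIGRP route sends it out Tunnel0 rather than Vlan2.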

jshojayi Thu, 02/06/2014 - 00:04

The 876 initiating would work since it's initiating. It sounds like you have the peer IP address on the 1841 pointing to the modem the 876 is plugged into. If the modem holds the public IP, it's not going to be able to terminate the VPN session from the 1841. Try enabling bridge mode so that the 876 gets a public IP and then re-initiate from the 1841.


Thank you.

Joe

memmas nanashi Thu, 02/06/2014 - 11:51

Thanks for the answer,

The 876 connects to the 1841, to be accurate...

Also, I'm trying to avoid bridging the modem, but now I realize that I'm not going to avoid it after all, even after I was so close to the solution...

Thanks
