Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
241
Views
0
Helpful
3
Replies

VPN Connection

godlam
Level 1
Level 1

‎05-22-2003 12:07 AM - edited ‎03-02-2019 07:33 AM

There is the network

N1<--->R1-----------(ISP)-----------R2<--->N2

I have created the Tunnel with 3des to connect two sites. However the ping test just only 40% complete. Please advice. There is the code.

Building configuration...

Current configuration : 6279 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname aaaaaa

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login console none

aaa authentication ppp default group radius local

aaa authorization network default local

aaa session-id common

enable secret 5 dsfsdfsfsfertwetr

!

username xxxx password 0 xxxxx

memory-size iomem 25

ip subnet-zero

!

!

ip domain name cisco.com

ip inspect name fw_all ftp

ip inspect name fw_all rcmd

ip inspect name fw_all tftp

ip inspect name fw_all realaudio

ip inspect name fw_all streamworks

ip inspect name fw_all vdolive

ip inspect name fw_all cuseeme

ip inspect name fw_all h323

ip inspect name fw_all tcp

ip inspect name fw_all udp

ip inspect name fw_all sqlnet

ip inspect name fw_all http

ip audit notify log

ip audit po max-events 100

vpdn enable

!

vpdn-group PPTP_Win2K

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

crypto isakmp key <Key> address 203.x.x.1

!

!

crypto ipsec transform-set cm-transformset-1 ah-sha-hmac esp-3des

!

crypto map cm-cryptomap local-address Dialer1

crypto map cm-cryptomap 1 ipsec-isakmp

set peer 203.x.x.1

set transform-set cm-transformset-1

match address 100

!

!

!

!

interface Tunnel0

ip address 10.0.0.2 255.255.255.0

tunnel source Dialer1

tunnel destination 203.x.x.1

crypto map cm-cryptomap

!

interface Ethernet0

no ip address

no ip route-cache

no ip mroute-cache

no keepalive

half-duplex

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

crypto map cm-cryptomap

!

interface FastEthernet0

ip address 10.3.0.254 255.255.255.0

ip mtu 1454

ip nat inside

ip tcp adjust-mss 1414

speed auto

!

interface Virtual-Template1

ip unnumbered FastEthernet0

ip access-group 120 out

ip nat inside

peer default ip address pool ippool

ppp encrypt mppe 40

ppp authentication ms-chap

!

interface Dialer0

no ip address

!

interface Dialer1

description connected to Internet

mtu 1492

ip address 202.x.x.1 255.255.255.252

ip access-group 110 in

no ip unreachables

ip nat outside

ip inspect fw_all in

encapsulation ppp

dialer pool 1

dialer-group 2

no cdp enable

<ppp authentication>

crypto map cm-cryptomap

!

ip local pool ippool 192.168.3.10 192.168.3.254

ip nat inside source list NAT interface Dialer1 overload

ip nat inside source static tcp 10.3.0.1 80 202.x.x.1 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.2.0.0 255.255.255.0 Dialer1

ip route 10.2.0.0 255.255.255.0 Tunnel0

ip route 10.2.0.0 255.255.255.0 203.198.196.50

ip route 192.168.3.0 255.255.255.0 FastEthernet0

no ip http server

!

!

ip access-list extended NAT

permit ip 192.168.3.0 0.0.0.255 any

permit ip 10.3.0.0 0.0.0.255 any

!

access-list 100 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255

access-list 100 permit gre host 202.x.x.1 host 203.x.x.1

access-list 110 permit tcp any any eq www

access-list 110 permit tcp any eq www any

access-list 110 permit tcp any eq 443 any

access-list 110 permit tcp any any eq ftp-data

access-list 110 permit tcp any any eq ftp

access-list 110 permit tcp any any eq 2021

access-list 110 permit tcp any eq ftp-data any

access-list 110 permit tcp any eq ftp any

access-list 110 permit tcp any eq 2021 any

access-list 110 permit tcp any any eq pop3

access-list 110 permit tcp any eq pop3 any

access-list 110 permit tcp any any eq smtp

access-list 110 permit tcp any eq smtp any

access-list 110 permit tcp any any eq telnet

access-list 110 permit tcp any eq telnet any

access-list 110 permit tcp any any eq 143

access-list 110 permit tcp any eq 143 any

access-list 110 permit tcp any any eq 3389

access-list 110 permit tcp any any eq 1723

access-list 110 permit tcp any eq 1723 any

access-list 110 deny tcp any any

access-list 110 permit esp any any

access-list 110 permit ahp any any

access-list 110 permit udp any eq isakmp any eq isakmp

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit udp any any eq ntp

access-list 110 permit udp any eq ntp any

access-list 110 permit udp any any eq 1701

access-list 110 deny udp any any

access-list 110 permit icmp any any

access-list 110 permit ip any any

access-list 120 permit tcp any any eq www

access-list 120 permit tcp any eq www any

access-list 120 permit tcp 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255

access-list 120 permit tcp 192.168.3.0 0.0.0.255 10.3.0.0 0.0.255.255

access-list 120 permit tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 permit tcp any any eq ftp

access-list 120 permit tcp any any eq ftp-data

access-list 120 permit tcp any eq ftp any

access-list 120 permit tcp any eq ftp-data any

access-list 120 permit tcp any any eq 443

access-list 120 permit tcp any eq 443 any

access-list 120 deny tcp any any

access-list 120 permit udp any any eq domain

access-list 120 permit udp any eq domain any

access-list 120 permit udp any any eq ntp

access-list 120 permit udp any eq ntp any

access-list 120 deny udp any any

access-list 120 permit icmp any any

access-list 120 permit ip any any

dialer-list 2 protocol ip permit

!

radius-server host 10.x.x.1 auth-port xxxx acct-port xxxx

radius-server retransmit 3

radius-server key <Key>

radius-server authorization permit missing Service-Type

!

line con 0

login authentication console

line aux 0

line vty 0 4

password <password>

!

no scheduler allocate

end

Is it only one way to connect two sites with tunnel? Any comments.

Thanks

Godwin

Labels:
0 Helpful
3 Replies 3

mnaveen
Level 1
Level 1

‎05-22-2003 12:32 AM

Can you just add the following access-list and ping it again ?

access-list 100 permit icmp host 202.x.x.1 host 203.x.x.1

If you traffic sent from N1 to N2 is getting encrypted, then

your IPSec connection is Ok. It could be due to network congestion

or packet getting dropped along the way.

0 Helpful

godlam
Level 1
Level 1
In response to mnaveen

‎05-22-2003 12:44 AM

Ok, I have added the ACL 100 for icmp but the result is the same. The result is I can ping from R1 to R2 but I cannot ping from N1 to N2 even I added the ACL 100 for icmp. Do they have any way to create the VPN connection or Tunnel. I am using the C1710. Thanks

Godwin

0 Helpful

jerry.roy
Level 1
Level 1
In response to godlam

‎07-07-2003 08:37 AM

Aren't your routes outta wack?

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.2.0.0 255.255.255.0 Dialer1

ip route 10.2.0.0 255.255.255.0 Tunnel0

Use this one only:

ip route 0.0.0.0 0.0.0.0 Dialer1

You may also want to make your GRE peer interfaces to be your LAN interfaces.

0 Helpful
Customers Also Viewed These Support Documents