05-22-2003 12:07 AM - edited 03-02-2019 07:33 AM
Here is the network:
N1<--->R1-----------(ISP)-----------R2<--->N2
I have created the tunnel with 3DES to connect the two sites. However, the ping test only completes 40%. Please advise. Here is the config.
Building configuration...
Current configuration : 6279 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname aaaaaa
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console none
aaa authentication ppp default group radius local
aaa authorization network default local
aaa session-id common
enable secret 5 dsfsdfsfsfertwetr
!
username xxxx password 0 xxxxx
memory-size iomem 25
ip subnet-zero
!
!
ip domain name cisco.com
ip inspect name fw_all ftp
ip inspect name fw_all rcmd
ip inspect name fw_all tftp
ip inspect name fw_all realaudio
ip inspect name fw_all streamworks
ip inspect name fw_all vdolive
ip inspect name fw_all cuseeme
ip inspect name fw_all h323
ip inspect name fw_all tcp
ip inspect name fw_all udp
ip inspect name fw_all sqlnet
ip inspect name fw_all http
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group PPTP_Win2K
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key <Key> address 203.x.x.1
!
!
crypto ipsec transform-set cm-transformset-1 ah-sha-hmac esp-3des
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 203.x.x.1
set transform-set cm-transformset-1
match address 100
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
tunnel source Dialer1
tunnel destination 203.x.x.1
crypto map cm-cryptomap
!
interface Ethernet0
no ip address
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
crypto map cm-cryptomap
!
interface FastEthernet0
ip address 10.3.0.254 255.255.255.0
ip mtu 1454
ip nat inside
ip tcp adjust-mss 1414
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0
ip access-group 120 out
ip nat inside
peer default ip address pool ippool
ppp encrypt mppe 40
ppp authentication ms-chap
!
interface Dialer0
no ip address
!
interface Dialer1
description connected to Internet
mtu 1492
ip address 202.x.x.1 255.255.255.252
ip access-group 110 in
no ip unreachables
ip nat outside
ip inspect fw_all in
encapsulation ppp
dialer pool 1
dialer-group 2
no cdp enable
<ppp authentication>
crypto map cm-cryptomap
!
ip local pool ippool 192.168.3.10 192.168.3.254
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 10.3.0.1 80 202.x.x.1 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Tunnel0
ip route 10.2.0.0 255.255.255.0 203.198.196.50
ip route 192.168.3.0 255.255.255.0 FastEthernet0
no ip http server
!
!
ip access-list extended NAT
permit ip 192.168.3.0 0.0.0.255 any
permit ip 10.3.0.0 0.0.0.255 any
!
access-list 100 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit gre host 202.x.x.1 host 203.x.x.1
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq 443 any
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq 2021
access-list 110 permit tcp any eq ftp-data any
access-list 110 permit tcp any eq ftp any
access-list 110 permit tcp any eq 2021 any
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any eq pop3 any
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any eq telnet any
access-list 110 permit tcp any any eq 143
access-list 110 permit tcp any eq 143 any
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq 1723
access-list 110 permit tcp any eq 1723 any
access-list 110 deny tcp any any
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp any eq isakmp any eq isakmp
access-list 110 permit udp any any eq domain
access-list 110 permit udp any eq domain any
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any eq ntp any
access-list 110 permit udp any any eq 1701
access-list 110 deny udp any any
access-list 110 permit icmp any any
access-list 110 permit ip any any
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any eq www any
access-list 120 permit tcp 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 120 permit tcp 192.168.3.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 120 permit tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any eq ftp any
access-list 120 permit tcp any eq ftp-data any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any eq 443 any
access-list 120 deny tcp any any
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit udp any any eq ntp
access-list 120 permit udp any eq ntp any
access-list 120 deny udp any any
access-list 120 permit icmp any any
access-list 120 permit ip any any
dialer-list 2 protocol ip permit
!
radius-server host 10.x.x.1 auth-port xxxx acct-port xxxx
radius-server retransmit 3
radius-server key <Key>
radius-server authorization permit missing Service-Type
!
line con 0
login authentication console
line aux 0
line vty 0 4
password <password>
!
no scheduler allocate
end
Is there only one way to connect two sites with a tunnel? Any comments.
Thanks
Godwin
05-22-2003 12:32 AM
Can you just add the following access-list and ping it again ?
access-list 100 permit icmp host 202.x.x.1 host 203.x.x.1
If your traffic sent from N1 to N2 is getting encrypted, then
your IPSec connection is OK. It could be due to network congestion
or packets getting dropped along the way.
05-22-2003 12:44 AM
OK, I have added the ACL 100 entry for ICMP but the result is the same. I can ping from R1 to R2, but I cannot ping from N1 to N2 even though I added the ACL 100 entry for ICMP. Is there any other way to create the VPN connection or tunnel? I am using the C1710. Thanks
Godwin
07-07-2003 08:37 AM
Aren't your routes outta wack?
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Tunnel0
Use this one only:
ip route 0.0.0.0 0.0.0.0 Dialer1
You may also want to make your GRE peer interfaces your LAN interfaces.
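The two points raised in this thread, overlapping static routes for the same prefix and whether the GRE traffic between the tunnel endpoints is actually covered by the crypto map, can both be checked mechanically from a running-config dump. The following is an added example (not code from the thread or from Cisco) that extracts the `ip route`, `interface` and `access-list` lines, reports any prefix that has more than one static next hop, and verifies for each Tunnel interface that its source interface carries a crypto map and that the crypto ACL has a `permit gre` entry between the source interface's address and the tunnel destination. The sample config is constructed from the posted lines: the redacted `202.x.x.1` and `203.x.x.1` addresses are replaced with the documentation placeholders `198.51.100.1` and `203.0.113.1`, and sub-commands are indented as IOS prints them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the route, tunnel, dialer and crypto-ACL lines from the
# posted config. 198.51.100.1 stands in for the redacted 202.x.x.1 (Dialer1) and
# 203.0.113.1 for 203.x.x.1 (the remote peer); both are documentation placeholders.
SAMPLE_CONFIG = """
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Dialer1
 tunnel destination 203.0.113.1
 crypto map cm-cryptomap
interface Dialer1
 ip address 198.51.100.1 255.255.255.252
 crypto map cm-cryptomap
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Dialer1
ip route 10.2.0.0 255.255.255.0 Tunnel0
ip route 10.2.0.0 255.255.255.0 203.198.196.50
ip route 192.168.3.0 255.255.255.0 FastEthernet0
access-list 100 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit gre host 198.51.100.1 host 203.0.113.1
"""

# Constructed variant of the sample in which Dialer1 has no crypto map applied.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    " ip address 198.51.100.1 255.255.255.252\n crypto map cm-cryptomap",
    " ip address 198.51.100.1 255.255.255.252",
)

# Interface sub-commands we care about; each regex captures the single value kept.
FIELDS = {
    "ip address": re.compile(r"^ip address (\S+) \S+$"),
    "tunnel source": re.compile(r"^tunnel source (\S+)$"),
    "tunnel destination": re.compile(r"^tunnel destination (\S+)$"),
    "crypto map": re.compile(r"^crypto map (\S+)$"),
}


def parse_static_routes(config):
    """Map each static prefix (CIDR string) to the list of its next hops."""
    routes = defaultdict(list)
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        # ip_network accepts a dotted netmask, so "0.0.0.0/0.0.0.0" becomes 0.0.0.0/0
        prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes[str(prefix)].append(m.group(3))
    return dict(routes)


def find_ambiguous_prefixes(routes):
    """Prefixes with more than one static next hop at the same (default) distance."""
    return sorted(p for p, hops in routes.items() if len(hops) > 1)


def parse_interfaces(config):
    """Return {interface name: {field: value}} for the fields in FIELDS."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the interface block
            continue
        stripped = line.strip()
        for key, rx in FIELDS.items():
            f = rx.match(stripped)
            if f:
                current[key] = f.group(1)
    return ifaces


def parse_acl_gre_pairs(config, acl):
    """Set of (source host, destination host) pairs the ACL permits for GRE."""
    rx = rf"^access-list {acl} permit gre host (\S+) host (\S+)"
    return {(m.group(1), m.group(2)) for m in re.finditer(rx, config, re.M)}


def check_gre_tunnels(config, crypto_acl):
    """Findings for tunnels whose GRE traffic would not be encrypted by the crypto map."""
    ifaces = parse_interfaces(config)
    gre_pairs = parse_acl_gre_pairs(config, crypto_acl)
    findings = []
    for name, props in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        src_if = props.get("tunnel source")
        src = ifaces.get(src_if, {})
        pair = (src.get("ip address"), props.get("tunnel destination"))
        if "crypto map" not in src:
            findings.append(f"{name}: no crypto map on tunnel source {src_if}")
        if pair not in gre_pairs:
            findings.append(f"{name}: GRE {pair[0]}->{pair[1]} not in crypto ACL {crypto_acl}")
    return findings


if __name__ == "__main__":
    routes = parse_static_routes(SAMPLE_CONFIG)
    for prefix in find_ambiguous_prefixes(routes):
        print(f"ambiguous static route for {prefix}: {routes[prefix]}")
    for finding in check_gre_tunnels(SAMPLE_CONFIG, 100) + check_gre_tunnels(BROKEN_CONFIG, 100):
        print(finding)
```

Run against the sample, the route check flags `10.2.0.0/24` with three next hops (Dialer1, Tunnel0 and 203.198.196.50), which is the situation the last reply points at; the GRE check passes for the posted config and reports the missing crypto map only in the constructed broken variant. The parser only understands the four interface sub-commands listed in `FIELDS` and `access-list ... permit gre host ... host ...` entries, so anything else in a real config is ignored rather than diagnosed.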