08-18-2003 01:26 AM - edited 02-21-2020 12:43 PM
I have a 2611XM on the central site and a 1721 on the remote site. I tried to establish a VPN between these sites but I couldn't get it to work.
Here are config files:
Current configuration : 2706 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM CENTRAL
!
enable secret xxxxx
enable password xxxx
!
username xxxx password 0 xxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxx address REMOTE PUBLIC IP no-xauth
!
crypto isakmp client configuration group xxxxxx
key xxxxx
dns 192.168.1.100
domain cpn.vwg
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer REMOTE PUBLIC IP
set transform-set myset1
match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address CENTRAL PUBLIC IP 255.255.255.252
ip nat outside
no ip mroute-cache
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat pool internet CENTRAL PUBLIC IP CENTRAL PUBLIC IP prefix-length 30
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP
ip route PRIVATE NETWORK 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxx
!
!
end
------------
Current configuration : 1393 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721 REMOTE
!
logging queue-limit 100
enable password xxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxx address CENTRAL PUBLIC IP no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
set peer CENTRAL PUBLIC IP
set transform-set myset1
match address 115
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
half-duplex
!
interface FastEthernet0
ip address REMOTE ADDRESS IP 255.255.255.252
no ip proxy-arp
ip nat outside
speed auto
crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route PROVIDER PUBLIC NETWORK 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
password 7 xxxxxxx
login
!
no scheduler allocate
end
-----
The routers cannot ping each other, but clients I accept successfully. Are these configs correct? Please help.
08-18-2003 11:08 AM
Hi,
Your configurations look OK. Are you sending an extended ping from the router or a continuous ping from a PC behind either router?
Is there a firewall in between these two peers?
Let us know
Arthur
08-18-2003 12:39 PM
I sent ping from both routers, here are samples.
Cisco2611XM#ping
Protocol [ip]:
Target IP address: 192.168.0.1
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
..........
Success rate is 0 percent (0/10)
Cisco2611XM#traceroute 192.168.0.1
Type escape sequence to abort.
Tracing the route to 192.168.0.1
1 PROVIDER PUBLIC IP1 ADDRESS 28 msec 28 msec 28 msec
2 PROVIDER PUBLIC IP2 ADDRESS 28 msec 32 msec 28 msec
3 PROVIDER PUBLIC IP1 ADDRESS 32 msec 24 msec 28 msec
4 PROVIDER PUBLIC IP2 ADDRESS 28 msec 28 msec 28 msec
5 PROVIDER PUBLIC IP1 ADDRESS 33 msec 32 msec 28 msec
....
30. the same as above
This is from Cisco 2611XM CENTRAL OFFICE
Rodoc#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
cisco1721#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 PROVIDER PUBLIC IP1 ADDRESS 0 msec 0 msec 0 msec
2 PROVIDER PUBLIC IP2 ADDRESS 36 msec 808 msec 212 msec
3 PROVIDER PUBLIC IP3 ADDRESS msec 32 msec 60 msec
4 PROVIDER PUBLIC IP4 ADDRESS 112 msec 700 msec 224 msec
5 PROVIDER PUBLIC IP5 ADDRESS 36 msec 100 msec 40 msec
6 * * *
This is from the Cisco 1721.
The providers are different.
I did not make any pings from local PCs on the LANs, I've just tried from the routers.
08-22-2003 06:55 AM
Hi,
The trace is showing a loop from the 2600 to the 1700 router:
1 PROVIDER PUBLIC IP1 ADDRESS 28 msec 28 msec 28 msec
2 PROVIDER PUBLIC IP2 ADDRESS 28 msec 32 msec 28 msec
3 PROVIDER PUBLIC IP1 ADDRESS 32 msec 24 msec 28 msec
4 PROVIDER PUBLIC IP2 ADDRESS 28 msec 28 msec 28 msec
5 PROVIDER PUBLIC IP1 ADDRESS 33 msec 32 msec 28 msec
The reason being that IP1 and IP2 alternate back and forth.
Can you ping the outside interfaces at all? public to public?
08-27-2003 01:34 AM
I can ping from PCs on LAN 192.168.0.0 to PCs on LAN 192.168.1.0, but I cannot ping the routers directly. I can ping the public interfaces but not the private interfaces.
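Editor's note: the final symptom (LAN hosts reach each other, but a plain `ping` typed on either router to the other side's inside address fails) is exactly what Arthur's extended-ping question is getting at. A router-originated ping with no source specified uses the address of the outgoing interface, here the public IP, and that source is not covered by crypto ACL 115, so the packet leaves in the clear and is dropped somewhere on the Internet as unroutable. An extended ping sourced from the inside interface (192.168.1.1 or 192.168.0.1) does match the crypto ACL. The other thing the ACLs in these configs have to get right is NAT ordering: IOS translates inside-to-outside traffic before the crypto map sees it, so the `deny` lines in ACL 101/110 must exclude the same flows that ACL 115 permits, or the source would already be the public address by the time the crypto ACL is checked. The following script is an added example written for this editorial pass, not code from the thread: it implements IOS wildcard-mask matching, parses the four ACLs copied from the two configs above, classifies a few constructed flows, and checks that the two crypto ACLs mirror each other. The public address `192.0.2.1` stands in for the anonymised "CENTRAL PUBLIC IP" and is an assumption. It checks ACL logic only; it says nothing about the cipher choice, and policy 5 (DES, MD5, default DH group 1) would not be acceptable today.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS numbered extended ACL ('ip' protocol only)."""
    action: str   # "permit" | "deny"
    src: str
    src_wc: str   # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


def _take_addr(fields):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if fields[0] == "any":
        return "0.0.0.0", "255.255.255.255", fields[1:]
    if fields[0] == "host":
        return fields[1], "0.0.0.0", fields[2:]
    return fields[0], fields[1], fields[2:]


def parse_acls(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, src_wc, rest = _take_addr(parts[4:])
        dst, dst_wc, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing fields in: {line!r}")
        acls.setdefault(parts[1], []).append(Ace(parts[2], src, src_wc, dst, dst_wc))
    return acls


def evaluate(aces, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def classify(crypto_aces, nonat_aces, src, dst):
    """How a packet leaving the outside interface is handled.

    Inside->outside NAT runs before the crypto map, so a flow must be denied
    by the nonat ACL to reach the crypto ACL with its private source intact.
    """
    if evaluate(nonat_aces, src, dst) == "permit":
        return "nat-then-clear"   # translated to the public IP, never encrypted
    if evaluate(crypto_aces, src, dst) == "permit":
        return "ipsec"            # protected by the crypto map
    return "clear"                # neither NATed nor encrypted


def mirrors(aces_a, aces_b):
    """True if every entry of A appears in B with source and destination swapped."""
    swapped = {(a.action, a.dst, a.dst_wc, a.src, a.src_wc) for a in aces_a}
    return swapped == {(b.action, b.src, b.src_wc, b.dst, b.dst_wc) for b in aces_b}


# ACL lines copied from the two configs posted in the thread.
CENTRAL = parse_acls([
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
])
REMOTE = parse_acls([
    "access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 110 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
])

# Assumed placeholder for the anonymised "CENTRAL PUBLIC IP" (documentation range).
CENTRAL_PUBLIC = "192.0.2.1"


def central_pings():
    """Constructed flows from the central site toward 192.168.0.1, classified."""
    crypto, nonat = CENTRAL["115"], CENTRAL["101"]
    return {
        "pc 192.168.1.50 -> 192.168.0.1": classify(crypto, nonat, "192.168.1.50", "192.168.0.1"),
        "plain ping (sourced from public IP)": classify(crypto, nonat, CENTRAL_PUBLIC, "192.168.0.1"),
        "extended ping, source 192.168.1.1": classify(crypto, nonat, "192.168.1.1", "192.168.0.1"),
        "pc 192.168.1.50 -> internet host": classify(crypto, nonat, "192.168.1.50", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flow, verdict in central_pings().items():
        print(f"{flow:40s} {verdict}")
    print("crypto ACLs mirror each other:", mirrors(CENTRAL["115"], REMOTE["115"]))
```

The plain router ping comes back as `clear` while the PC-to-PC flow and the extended ping sourced from 192.168.1.1 come back as `ipsec`, which is the behaviour reported in the thread. Swap in your own ACL lines to check a new pair of peers the same way before bringing the tunnel up.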