01-06-2012 10:35 AM - edited 03-07-2019 04:12 AM
Hi all,
I am new here and I have encountered a problem setting up a site-to-site tunnel.
The blue console cable is just to represent the tunnel that I have set up.
Actually, I tried to follow the guide of this webpage.
http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html
I can ping the tunnel interface and fast-ethernet interface of the other router.
However, I cannot ping to the PC. And I get the following error when using the simulation function
"The device does not have a service that accepts this frame. It drops the frame"
Does anyone know how to solve it?
And is it necessary to set up NAT and ACL for it?
Thx a lot
Regards,
Wayne
01-06-2012 10:53 AM
What type of end devices are you establishing the VPN tunnel to and from: between two routers, or between a router and a Cisco ASA firewall?
Is this IPSec tunnel or GRE tunnel?
01-06-2012 11:56 AM
1. Between 2 routers
2. A GRE tunnel, but it seems I switch the mode of the tunnel in Packet Tracer
Actually I have made a similar configuration on real devices but encountered the same problem
01-06-2012 12:35 PM
Copy both ends of your tunnel on the forum.
01-06-2012 01:32 PM
Send us the configuration of the routers
Sent from Cisco Technical Support iPad App
01-06-2012 08:16 PM
oops sorry
Router3
interface Tunnel0
ip address 30.0.0.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 202.0.0.2
!
!
interface FastEthernet0/0
ip address 202.0.0.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 30.0.0.2
Router4
interface Tunnel0
ip address 30.0.0.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 202.0.0.1
!
!
interface FastEthernet0/0
ip address 202.0.0.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 172.16.1.0 255.255.255.0 30.0.0.1
Thanks
01-07-2012 05:30 AM
On both routers, under interface Tunnel0, issue the command below.
interface Tunnel0
tunnel mode gre ip
Let me know the result.
01-07-2012 05:59 AM
Hi,
It won't change anything, as it is the default mode for the tunnel interface and, from the configs, it wasn't changed. But it wouldn't hurt to give it a try, as maybe the real config is not a GRE tunnel anymore.
Regards.
Alain
01-07-2012 06:41 AM
Well, for this line
"tunnel mode gre ip"
Packet Tracer does not even have this command.
Actually I have tried this line on the device in real life,
but still, the same problem occurred.
01-07-2012 06:43 AM
Hi,
Can you do a tracert from the left PC to the right PC, and can you change your static routes to specify the tun0 interface instead of the next hop?
Regards.
Alain
01-07-2012 08:06 AM
Yes.
In fact, to make it simpler, I have pinged from the left router to the right PC
Router#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 * 31 msec 31 msec
Router#traceroute 192.168.1.2
Type escape sequence to abort.
Tracing the route to 192.168.1.2
1 30.0.0.2 31 msec 31 msec 32 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
But I can't change it to tun0
because packet tracer hv this command
however, i have set this line
"ip route 172.16.1.0 255.255.255.0 tunnel 0 "
in the real device.
but still I cannot ping the 2 PCs.
01-07-2012 01:04 PM
Hi,
On real devices, can you post the following outputs:
- sh ip int br
- sh ip route
- sh int tun0
and do a ping from pc on the left to pc on the right and at same time enter these commands:
In config mode:
access-list 199 permit icmp any any
logging buffered debug
logging buffered 10000
no service timestamp debug
do debug ip packet detail 199
do u all
do sh log
and post output
Regards.
Alain
01-07-2012 01:59 PM
The configs look good to me. And the traceroute output shows that the tunnel is working.
Router#traceroute 192.168.1.2
Type escape sequence to abort.
Tracing the route to 192.168.1.2
1 30.0.0.2 31 msec 31 msec 32 msec
If you cannot ping (or traceroute) to the other PC then I believe that it is either some issue in the setup of Packet Tracer or some issue (such as a firewall) in the PC.
HTH
Rick
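Added example, not part of the thread or any poster's code: the by-eye config review above can be automated in Python over the two posted configs, checking that the tunnel endpoints mirror each other, that both tunnel addresses share a subnet, and that each side has a static route to the peer's LAN via the peer's tunnel address. The function names and the choice of FastEthernet0/1 as the LAN interface are assumptions of this example, and it only recognises the next-hop form of `ip route` shown in the posted configs.

```python
import ipaddress

# Configs as posted in the thread, trimmed to the lines this check reads.
ROUTER3 = """
interface Tunnel0
ip address 30.0.0.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 202.0.0.2
interface FastEthernet0/0
ip address 202.0.0.1 255.255.255.252
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 30.0.0.2"""
ROUTER4 = """
interface Tunnel0
ip address 30.0.0.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 202.0.0.1
interface FastEthernet0/0
ip address 202.0.0.2 255.255.255.252
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip route 172.16.1.0 255.255.255.0 30.0.0.1"""

def parse(cfg):
    """Collect interface addresses, tunnel source/destination and static routes."""
    r, cur = {"ifaces": {}, "routes": []}, None
    for w in map(str.split, cfg.splitlines()):
        if w[:1] == ["interface"]:
            cur = w[1]
        elif w[:2] == ["ip", "address"]:
            r["ifaces"][cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:1] == ["tunnel"]:
            r[w[1]] = w[2]  # stored under "source" or "destination"
        elif w[:2] == ["ip", "route"]:
            r["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
    return r

def check(local, peer, lan="FastEthernet0/1"):
    """Return a list of mismatches between one router's config and its peer's."""
    problems = []
    if local["destination"] != str(peer["ifaces"][peer["source"]].ip):
        problems.append("tunnel destination is not the peer's tunnel source address")
    if local["ifaces"]["Tunnel0"].network != peer["ifaces"]["Tunnel0"].network:
        problems.append("tunnel interfaces are in different subnets")
    want = (peer["ifaces"][lan].network, str(peer["ifaces"]["Tunnel0"].ip))
    if want not in local["routes"]:
        problems.append(f"no static route to {want[0]} via {want[1]}")
    return problems
```

Calling `check(parse(ROUTER3), parse(ROUTER4))` and the reverse both return an empty list for the configs as posted.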