cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
505
Views
0
Helpful
7
Replies

Frustrated: VPN With Cisco 1700 and VPN 3000 Concentrator

tdobbs1013
Level 1
Level 1

Hi. I have a Cisco 1700 router and a VPN 3000 conenctrator. I have managed to get site to site VPN tunnel betweekn these 2 devices working, however I am unable to ping anything from the VPN'ed network. On the VPN concentrator 3000 I can ping the 1700 router, however from the router I am unable to ping anything on the concentrators network.

Here is my config:

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!--- This is how you define the preshared key on the router.

crypto isakmp key cisco123 address xxx.xxx.xxx.xxx

!

!

!--- This defines the Phase 2 policy.

!--- This example uses encryption = DES, hashing = md5, and mode = Tunnel.

crypto ipsec transform-set weak esp-3des esp-md5-hmac

!

!--- Define a crypto map to be applied on the interface.

crypto map vpn 10 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set weak

match address 100

!

!

!

!

interface Ethernet0

ip address 192.168.70.1 255.255.255.0

duplex full

no shut

!--- Apply the crypto map on the interface.

!--- If the crypto map is not applied, then the crypto engine is not active.

!

interface FastEthernet0

ip address xxx.xxx.xxx.xxx 255.255.255.0

duplex full

crypto map vpn

no shut

!

!

ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 FastEthernet0

!

!

!--- Access list used to define the interesting traffic for encryption.

access-list 100 permit ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255

!

!

!

end

Any help is greatly appreciated, I have been at this for a while, trying to add static routes, etc.. nothing seems to work for me.

7 Replies 7

ajagadee
Cisco Employee
Cisco Employee

Are you saying that can ping from the VPN3000 itself to the 192.168.70.0/24 network or from the LAN behind the VPN3000. If you are able to ping from the VPN3000 and not from the LAN, check the routing and default gateway on the LAN behind the VPN3000. Does the 192.168.10.0/24 know where to send the traffic to reach 192.168.70.0/24.

Also, is there any NAT configured on the router. If possible, do post the full configuration from the router and also outputs from "Show crypto isa sa" and "show crypto ipsec sa" and this should point us in the right direction.

Regards,

Arul

Thanks for the reply. As it stands right my Cisco 1700 router is configured internally as 192.168.70.1/255.255.255.0.

The VPN Concentrator is 192.168.10.39/255.255.255.0. I can ping 192.168.70.1 from the VPN Conenctrator, as well as from any machine on the .10 network.

Right now, my issue is I cannot ping anything on the .10 network from the Cisco 1700 router (192.168.70.1) including the VPN 3000.

Above is the full config from the router, here is the output of those commands:

show crypto isa sa:

(lists interfaces and then says)QM_IDLE 3 0

show crypto ipsec sa is attached.

Again, any help is appreciated. I have tried adding static routes on my 1700 router but the next hop should be 192.168.10.39 however I cant even ping it?

Based upon the "show crypto ipsec sa" outputs, the tunnel is built and passing traffic and you have limited IP Reachability. Meaning, you can ping the router's LAN IP.

What is default gateway on 192.168.70.0/24 network. Are the users pointing to the router as the default gateway or do you have another firewall or routing device in parallel with this 1700 that the users are routing traffic to.

Also, check for Access-list and NAT Configurations on the 1700. Can you post the router configuration, if possible.

Thanks,

Arul

Hi.

Well, I was looking at this from the wrong angle. For some reason I am unable to ping to remote LAN directly from my 1700 router, however when I put a device on .70 network it can access the remote networks fine.

So there seems to be an issue with me being able to ping the remote lans internal gateway, which is most likely an issue with that firewalls config.

Theoretically, other than the default I shouldnt need to add any static routes to the 1700 router should I? Perhaps on the remote firewalls, but not on the 1700?

Thanks for the update! You should be able to ping from the router as far as you source your traffic from .70.0/24 network.

From the router, do an extended ping and source the packet from the router LAN interface (70.1) and you should see responses.

Bottom line, any traffic with source 70.0/24 to 10.0/24 will be encrypted.

Let me know if it helps.

Regards,

Arul

Thanks for the reply. The extended ping worked, kinda feel silly now.

However, there is one issue left which kind of confuses me. If I am on a computer on the 192.168.70.0 network and do a traceroute to 192.168.10.1 this is the result:

1 1ms 2ms 1ms 192.168.70.1

2 * * * Request timed out

3 5ms 6ms 5ms 192.168.10.1

Trace complete.

The 2nd hop should be the VPN 3000 concentrator (192.168.10.39)? However it doesnt reply in the tracert, is this because the VPN 3000 ignores the request and looks up its ARP cache?

I can ping the VPN 3000 fine, just curious as to why this would happen?

Ok, now I am having trouble seeing any other internal networks beyond the 192.168.10.1 network.

.10 network has a VPN connection with a .40 network, a .60 network.

My .70 network has a VPN connection VIA a 1700 router to a VPN 3000 on the .10 network.

My .70 network can see the .10 network just fine. However, my .70 network cannot see the .40 or .60 network?

What do I need to add? I have added them to the the access-lists the same way .10 is added, and I tried adding a static route to no avail? I have done extended pings from both ends and get no result.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: