11-16-2007 02:21 PM - edited 02-21-2020 03:23 PM
Hi. I have a Cisco 1700 router and a VPN 3000 concentrator. I have managed to get a site-to-site VPN tunnel between these 2 devices working, however I am unable to ping anything from the VPN'ed network. On the VPN concentrator 3000 I can ping the 1700 router, however from the router I am unable to ping anything on the concentrator's network.
Here is my config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!--- This is how you define the preshared key on the router.
crypto isakmp key cisco123 address xxx.xxx.xxx.xxx
!
!
!--- This defines the Phase 2 policy.
!--- This example uses encryption = 3DES, hashing = md5, and mode = Tunnel.
crypto ipsec transform-set weak esp-3des esp-md5-hmac
!
!--- Define a crypto map to be applied on the interface.
crypto map vpn 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set weak
match address 100
!
!
!
!
interface Ethernet0
ip address 192.168.70.1 255.255.255.0
duplex full
no shut
!--- Apply the crypto map on the interface.
!--- If the crypto map is not applied, then the crypto engine is not active.
!
interface FastEthernet0
ip address xxx.xxx.xxx.xxx 255.255.255.0
duplex full
crypto map vpn
no shut
!
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
!--- Access list used to define the interesting traffic for encryption.
access-list 100 permit ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
end
Any help is greatly appreciated. I have been at this for a while, trying to add static routes, etc., and nothing seems to work for me.
11-18-2007 08:13 AM
Are you saying that you can ping from the VPN3000 itself to the 192.168.70.0/24 network, or from the LAN behind the VPN3000? If you are able to ping from the VPN3000 and not from the LAN, check the routing and default gateway on the LAN behind the VPN3000. Does the 192.168.10.0/24 know where to send the traffic to reach 192.168.70.0/24?
Also, is there any NAT configured on the router? If possible, do post the full configuration from the router and also outputs from "show crypto isa sa" and "show crypto ipsec sa", and this should point us in the right direction.
Regards,
Arul
11-19-2007 06:57 AM
Thanks for the reply. As it stands right now, my Cisco 1700 router is configured internally as 192.168.70.1/255.255.255.0.
The VPN Concentrator is 192.168.10.39/255.255.255.0. I can ping 192.168.70.1 from the VPN Concentrator, as well as from any machine on the .10 network.
Right now, my issue is I cannot ping anything on the .10 network from the Cisco 1700 router (192.168.70.1) including the VPN 3000.
Above is the full config from the router, here is the output of those commands:
show crypto isa sa:
(lists interfaces and then says) QM_IDLE 3 0
show crypto ipsec sa is attached.
Again, any help is appreciated. I have tried adding static routes on my 1700 router, but the next hop should be 192.168.10.39; however, I can't even ping it?
11-19-2007 10:46 AM
Based upon the "show crypto ipsec sa" outputs, the tunnel is built and passing traffic, and you have limited IP reachability, meaning you can ping the router's LAN IP.
What is the default gateway on the 192.168.70.0/24 network? Are the users pointing to the router as the default gateway, or do you have another firewall or routing device in parallel with this 1700 that the users are routing traffic to?
Also, check for access-list and NAT configurations on the 1700. Can you post the router configuration, if possible?
Thanks,
Arul
11-19-2007 12:29 PM
Hi.
Well, I was looking at this from the wrong angle. For some reason I am unable to ping the remote LAN directly from my 1700 router; however, when I put a device on the .70 network it can access the remote networks fine.
So there seems to be an issue with me being able to ping the remote LAN's internal gateway, which is most likely an issue with that firewall's config.
Theoretically, other than the default I shouldn't need to add any static routes to the 1700 router, should I? Perhaps on the remote firewalls, but not on the 1700?
11-19-2007 01:33 PM
Thanks for the update! You should be able to ping from the router as long as you source your traffic from the .70.0/24 network.
From the router, do an extended ping and source the packet from the router LAN interface (70.1) and you should see responses.
Bottom line, any traffic with source 70.0/24 to 10.0/24 will be encrypted.
Let me know if it helps.
Regards,
Arul
11-19-2007 02:18 PM
Thanks for the reply. The extended ping worked, kinda feel silly now.
However, there is one issue left which kind of confuses me. If I am on a computer on the 192.168.70.0 network and do a traceroute to 192.168.10.1 this is the result:
1 1ms 2ms 1ms 192.168.70.1
2 * * * Request timed out
3 5ms 6ms 5ms 192.168.10.1
Trace complete.
The 2nd hop should be the VPN 3000 concentrator (192.168.10.39)? However, it doesn't reply in the tracert. Is this because the VPN 3000 ignores the request and looks up its ARP cache?
I can ping the VPN 3000 fine, just curious as to why this would happen?
11-20-2007 02:35 PM
Ok, now I am having trouble seeing any other internal networks beyond the 192.168.10.1 network.
The .10 network has VPN connections with a .40 network and a .60 network.
My .70 network has a VPN connection via a 1700 router to a VPN 3000 on the .10 network.
My .70 network can see the .10 network just fine. However, my .70 network cannot see the .40 or .60 networks?
What do I need to add? I have added them to the access-lists the same way .10 is added, and I tried adding a static route to no avail? I have done extended pings from both ends and get no result.
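The two behaviours in this thread (a plain ping from the router going unencrypted until it is sourced from the .70 interface, and the .40/.60 networks staying unreachable until both ends of the tunnel agree on what is "interesting") come down to how the crypto ACL is evaluated. The following is an added example, not code from the thread or from Cisco: it parses access-list 100 in the IOS syntax shown above, applies IOS wildcard-mask matching, and classifies a flow as cleartext, encrypted, or encrypted locally but without a mirrored entry at the far end. The .40/.60 entries, the far-end ACL and the WAN address 203.0.113.2 are all constructed for the example.

```python
import ipaddress

# Constructed sample: the crypto ACL from the thread plus the two entries the last
# post says were added for the .40 and .60 networks (hypothetical reconstruction).
LOCAL_ACL = """
access-list 100 permit ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.70.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.70.0 0.0.0.255 192.168.60.0 0.0.0.255
"""
# Constructed mirror of what the far end protects, written in the same IOS syntax
# for simplicity; here it still covers only the .10 network (hypothetical).
REMOTE_ACL = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.255
"""

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def parse_acl(text: str) -> list:
    """Parse 'access-list N permit ip SRC WC DST WC' lines into (src, src_wc, dst, dst_wc) ints."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            entries.append((_ip(p[4]), _ip(p[5]), _ip(p[6]), _ip(p[7])))
    return entries

def _matches(addr: int, wildcard: int, ip: int) -> bool:
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0

def is_interesting(acl: list, src: str, dst: str) -> bool:
    """True if the src->dst flow matches a permit entry, i.e. it will be sent into the tunnel."""
    s, d = _ip(src), _ip(dst)
    return any(_matches(sa, sw, s) and _matches(da, dw, d) for sa, sw, da, dw in acl)

def flow_status(src: str, dst: str, local_acl: str = LOCAL_ACL, remote_acl: str = REMOTE_ACL) -> str:
    """'cleartext': not interesting here, so it follows the default route unencrypted;
    'remote-acl-mismatch': encrypted here, but the far end has no entry for the reverse
    flow, so replies never enter the tunnel; 'encrypted': both ends agree."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    if not is_interesting(local, src, dst):
        return "cleartext"
    if not is_interesting(remote, dst, src):
        return "remote-acl-mismatch"
    return "encrypted"

if __name__ == "__main__":
    # 203.0.113.2 stands in for the router's masked WAN address (constructed placeholder).
    for src, dst in [("203.0.113.2", "192.168.10.39"),   # plain ping from the router
                     ("192.168.70.1", "192.168.10.39"),  # extended ping sourced from E0
                     ("192.168.70.5", "192.168.40.5")]:  # PC on .70 reaching the .40 site
        print(f"{src} -> {dst}: {flow_status(src, dst)}")
```

On the concentrator side the equivalent of the far-end ACL is its network list for this tunnel, and reaching the .40 and .60 sites through the .10 hub also requires their own tunnels to include the .70 network.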