Re: IPSEC tunnel oke but no data traffic exept ping

telemos · ‎07-07-2002

I can not find a solution for this problem, the IPSEC tunnel is working,

i can ping from one end of the lan to the other but i cannot start telnet

sessions or terminal server sessions or make a connection with a

server.

I am using two Cisco 826 and IOS 12.1

paqiu · ‎07-07-2002

Please check the access-list applied on both router's outside interface.

When the traffic decrypted, it will check the access-list again, if you have not permit telnet or ip traffic from remote inside network to local inside network and only allowed the ICMP traffic, you can ping but can not do anything else.

If it is still not working, please upload both router's config, let us have a check.

Best Regards,

telemos · ‎07-08-2002

First of all thanks for the fast respons,

Hereby the configurations, both access-lists are the same.

We think that we have a problem with the MTU but can not adjust it.

Please check the configurations

thank in advance

Best Regards,

Patrick van Gameren

rtr-adam#sh run

Building configuration...

Current configuration:

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname rtr-adam

!

aaa new-model

aaa authentication login default local

aaa authentication ppp default local

aaa authorization network default local

enable secret cisco

enable password cisco

!

username vg password cisco

username luuk password cisco

!

ip subnet-zero

ip host rtr-denhaag-wan 213.84.51.14

ip host rtr-medemblik-wan 80.242.226.70

!

ip inspect max-incomplete high 1100

ip inspect one-minute high 1100

ip inspect name Firewall-1 tcp

ip inspect name Firewall-1 udp

ip inspect name Firewall-1 cuseeme

ip inspect name Firewall-1 ftp

ip inspect name Firewall-1 h323

ip inspect name Firewall-1 rcmd

ip inspect name Firewall-1 realaudio

ip inspect name Firewall-1 smtp

ip inspect name Firewall-1 streamworks

ip inspect name Firewall-1 vdolive

ip inspect name Firewall-1 sqlnet

ip inspect name Firewall-1 tftp

vpdn enable

no vpdn logging

!

async-bootp dns-server 194.109.6.66

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key EenHeleLeukeKey address 213.84.51.14

crypto isakmp key EenHeleLeukeKey address 80.242.226.70

!

crypto ipsec transform-set tunnel-set esp-3des esp-md5-hmac

!

crypto map telemostunnel 10 ipsec-isakmp

set peer 213.84.51.14

set transform-set tunnel-set

match address 102

crypto map telemostunnel 20 ipsec-isakmp

set peer 80.242.226.70

set transform-set tunnel-set

match address 103

!

interface Ethernet0

description connected to EthernetLAN-Amsterdam

ip address 10.10.11.5 255.255.255.0

ip nat inside

ip rip send version 2

ip rip receive version 2

ip inspect Firewall-1 in

no ip route-cache

no ip mroute-cache

!

interface ATM0

no ip address

ip nat outside

no ip mroute-cache

no atm ilmi-keepalive

pvc 8/48

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

!

interface Dialer0

ip address negotiated

ip mtu 1492

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp pap sent-username maison@xs4all-fast-adsl password 7 101F5F4E54393859

crypto map telemostunnel

!

router rip

version 2

network 10.0.0.0

network 192.168.3.0

!

ip nat inside source list 122 interface Dialer0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 192.168.4.0 255.255.255.0 10.10.11.253

ip http server

!

access-list 6 permit 80.242.226.70

access-list 6 permit 212.129.148.153

access-list 6 permit 213.84.51.14

access-list 102 permit ip 10.10.11.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 permit ip 10.10.11.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 122 deny ip 10.10.11.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 122 deny ip 10.10.11.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 122 permit ip 10.10.11.0 0.0.0.255 any

dialer-list 1 protocol ip permit

route-map nonat permit 10

match ip address 122

!

banner motd ^CCC Unauthorized Access Prohibited !!!^C

!

line con 0

exec-timeout 120 0

transport input none

stopbits 1

line vty 0 4

access-class 6 in

exec-timeout 0 0

password 7 cisco

!

scheduler max-task-time 5000

end

rtr-denhaag#sh run

Building configuration...

Current configuration:

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname rtr-denhaag

!

aaa new-model

aaa authentication login default local

aaa authentication ppp default local

aaa authorization network default local

enable password cisco

!

username vg password cisco

username luuk password cisco

!

ip subnet-zero

ip host rtr-medemblik-wan 80.242.226.70

ip host rtr-amsterdam-wan 213.84.179.64

!

ip inspect max-incomplete high 1100

ip inspect one-minute high 1100

ip inspect name Firewall-1 tcp

ip inspect name Firewall-1 udp

ip inspect name Firewall-1 cuseeme

ip inspect name Firewall-1 ftp

ip inspect name Firewall-1 h323

ip inspect name Firewall-1 rcmd

ip inspect name Firewall-1 realaudio

ip inspect name Firewall-1 smtp

ip inspect name Firewall-1 streamworks

ip inspect name Firewall-1 vdolive

ip inspect name Firewall-1 sqlnet

ip inspect name Firewall-1 tftp

vpdn enable

no vpdn logging

!

async-bootp dns-server 194.134.5.5

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key EenHeleLeukeKey address 213.84.179.64

crypto isakmp key EenHeleLeukeKey address 80.242.226.70

!

crypto ipsec transform-set tunnel-set esp-3des esp-md5-hmac

!

crypto map telemostunnel 10 ipsec-isakmp

set peer 213.84.179.64

set transform-set tunnel-set

match address 102

crypto map telemostunnel 20 ipsec-isakmp

set peer 80.242.226.70

set transform-set tunnel-set

match address 103

!

interface Ethernet0

description connected to EthernetLAN-DenHaag

ip address 192.168.2.254 255.255.255.0

ip nat inside

ip inspect Firewall-1 in

ip route-cache policy

!

interface ATM0

no ip address

ip nat outside

no ip mroute-cache

no atm ilmi-keepalive

pvc 8/48

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

!

interface Dialer0

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp pap sent-username mdbdh@xs4all-fast-adsl password 7 124B5046410A0756

crypto map telemostunnel

!

router rip

version 2

passive-interface Dialer0

network 192.168.2.0

!

ip nat inside source list 122 interface Dialer0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 10.10.11.0 255.255.255.0 213.84.179.64

ip route 192.168.3.0 255.255.255.0 80.242.226.70

ip http server

!

access-list 6 permit 80.242.226.70

access-list 6 permit 212.129.148.153

access-list 6 permit 213.84.179.64

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.11.0 0.0.0.255

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 122 deny ip 192.168.2.0 0.0.0.255 10.10.11.0 0.0.0.255

access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 122 permit ip 192.168.2.0 0.0.0.255 any

dialer-list 1 protocol ip permit

route-map nonat permit 10

match ip address 122

!

banner motd ^CCCC Unauthorized Access Prohibited !!!^C

!

line con 0

exec-timeout 120 0

transport input none

stopbits 1

line vty 0 4

access-class 6 in

password cisco

!

scheduler max-task-time 5000

end

telemos · ‎07-13-2002

Does anyone has a sample configuration for two Cisco 826 routes

building a IPSEC tunnel

telemos · ‎07-24-2002

Problem solved.

changed ios to version 12.2