11-15-2006 12:47 PM - edited 03-03-2019 02:43 PM
I have recently set up a pair of 837 routers and created a VPN between our main site A and site B.
The tunnel works perfectly and both company LANs can ping each other. The problem that I am having is that site B can only ping site A's LAN and cannot ping the internet.
From the router I can resolve and ping internet addresses OK (e.g. ping http://www.google.com).
If I try pinging the internet from the router and tell the router to send it from its Ethernet interface, I get 0 replies. Originally I thought that the problem would be ACL related, so I tried using loose ACL restrictions with no luck, and am currently not tying my interfaces to the ACLs. Any idea what I can try next?
Thanks, Justin
Here is my current config:
no aaa new-model
ip subnet-zero
ip name-server 139.x.x.4
ip dhcp excluded-address 172.16.3.142
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 0 iwm04vpnkey1 address 165.x.x.201 no-xauth
!
!
crypto ipsec transform-set motorsvpna esp-3des esp-sha-hmac
!
crypto map iwmmap client authentication list default
crypto map iwmmap 10 ipsec-isakmp
set peer 165.228.233.201
set transform-set motorsvpna
match address 110
!
!
!
!
interface Ethernet0
ip address 172.16.3.142 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
speed auto
half-duplex
!
interface FastEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Dialer1
ip address 165.228.x.x.255.0.0
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname keppel20@xx.telstra.net
ppp chap password xxx
ppp pap sent-username kep@xxx.telstra.net password xxx
crypto map iwmmap
!
router rip
redistribute connected
network 172.16.0.0
!
ip nat inside source list 150 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.1.0 255.255.255.0 165.228.233.201
ip http server
no ip http secure-server
!
access-list 101 permit ahp host 165.228.98.236 any
access-list 101 permit esp host 165.228.98.236 any
access-list 101 permit udp host 165.228.98.236 any
access-list 101 permit icmp host 165.228.98.236 any
access-list 101 permit ip host 165.228.98.236 any
access-list 101 permit ip host 165.228.233.201 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 101 permit udp host 165.228.233.201 any eq isakmp
access-list 101 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 permit ip 172.16.2.0 0.0.0.255 any
access-list 102 permit ip 172.16.3.0 0.0.0.255 any
access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 150 deny ip 172.16.1.0 0.0.0.255 any
access-list 150 deny ip 172.16.2.0 0.0.0.255 any
access-list 150 deny ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
transport input all
line vty 0 4
exec-timeout 120 0
password xxx
login local
length 0
!
scheduler max-task-time 5000
!
end
11-15-2006 01:05 PM
Justin
The problem is that you are not translating the addresses of the subnet of Ethernet 0. You do have it set up for address translation:
interface Ethernet0
ip address 172.16.3.142 255.255.255.0
ip nat inside
but the access list that controls address translation denies that subnet:
access-list 150 deny ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip any any
Since the interface is using private address space but the addresses are not translated the packets get sent out but outside devices do not have a route to the addresses to send the response.
HTH
Rick
11-16-2006 01:56 PM
Rick,
Thank you for your advice. I now understand exactly why it is not working. However,
if I remove the line access-list 150 deny ip 172.16.3.0 0.0.0.255 any,
the router's eth interface (and PCs) can now ping and access the internet, but I can no longer ping my private VPN subnets, e.g. ping 172.16.1.1 will stop working.
I look forward to hearing your ideas.
Thanks,
Justin
11-16-2006 02:19 PM
Justin
I am not clear where 172.16.1.1 is but if translating addresses where that is the destination causes a problem then the solution is to put a line into the access list that denies traffic with that as the destination (or destination subnet).
In this case it is less useful to have the access list deny based on source address (as your original access list did) and more useful to have the access list deny for certain destinations (especially destinations within your own network).
HTH
Rick
11-17-2006 12:22 AM
All fixed, thanks Rick.
The 172.16.1.0 is a subnet at our main site.
Instead of having access-list 150 deny ip 172.16.3.0 0.0.0.255 any, I needed to have access-list 150 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255.
Once again, thanks for your help.
Justin
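Rick's diagnosis in this sub-thread (the NAT access list decides which packets get translated, and a packet whose source has been translated to the public address no longer matches the crypto map's match address list) can be checked by modelling the three versions of access-list 150 that appear above. The following Python is an added example, not code from the thread or from Cisco: it implements IOS wildcard-mask matching and first-match access-list evaluation with the implicit deny, and assumes that on the inside-to-outside path NAT is applied before the crypto map is consulted. The public address 203.0.113.1 (standing in for the Dialer1 address, which is redacted above) and the Internet host 198.51.100.10 are constructed placeholders.

```python
import ipaddress

# Access lists as they appear in the thread (site B's 837), in the three states discussed.
ORIGINAL_NAT_ACL = [
    "access-list 150 deny ip 172.16.1.0 0.0.0.255 any",
    "access-list 150 deny ip 172.16.2.0 0.0.0.255 any",
    "access-list 150 deny ip 172.16.3.0 0.0.0.255 any",  # excludes the whole local LAN from NAT
    "access-list 150 permit ip any any",
]
# Justin's first attempt: the source-based deny for 172.16.3.0/24 simply removed.
NAIVE_NAT_ACL = [line for line in ORIGINAL_NAT_ACL if "172.16.3.0" not in line]
# The fix Rick suggested: deny by destination, so only LAN-to-LAN (VPN) traffic escapes NAT.
FIXED_NAT_ACL = [
    "access-list 150 deny ip 172.16.1.0 0.0.0.255 any",
    "access-list 150 deny ip 172.16.2.0 0.0.0.255 any",
    "access-list 150 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 150 permit ip any any",
]
# The crypto map's "match address 110" list from the same config.
CRYPTO_ACL_110 = [
    "access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 110 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
]

PUBLIC_IP = "203.0.113.1"        # constructed stand-in for the Dialer1 address
INTERNET_HOST = "198.51.100.10"  # constructed Internet destination
MAIN_SITE_HOST = "172.16.1.1"    # the main-site host Justin pings in the thread
SITE_B_PC = "172.16.3.50"        # constructed PC on site B's Ethernet0 LAN


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & mask) == (b & mask)


def _addr_spec(tok, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse an extended 'access-list N permit|deny ip SRC DST' entry (no port qualifiers)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("only 'access-list N action ip ...' entries are modelled: " + line)
    action = tok[2]
    src, i = _addr_spec(tok, 4)
    dst, _ = _addr_spec(tok, i)
    return action, src, dst


def acl_permits(acl_lines, src, dst):
    """First matching entry wins; an access list ends with an implicit deny."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def forward_from_site_b(nat_acl, crypto_acl, src, dst, public_ip=PUBLIC_IP):
    """Model of the inside->outside path: NAT (per the NAT ACL) runs before the
    crypto map's match address check sees the packet (assumption stated in the lead-in)."""
    translated = acl_permits(nat_acl, src, dst)
    outer_src = public_ip if translated else src
    in_tunnel = acl_permits(crypto_acl, outer_src, dst)
    return {"translated": translated, "outer_src": outer_src, "in_tunnel": in_tunnel}


def summary():
    """Outcome of both flows under each version of access-list 150."""
    result = {}
    for name, acl in (("original", ORIGINAL_NAT_ACL), ("naive", NAIVE_NAT_ACL), ("fixed", FIXED_NAT_ACL)):
        result[name] = {
            "to_internet": forward_from_site_b(acl, CRYPTO_ACL_110, SITE_B_PC, INTERNET_HOST),
            "to_main_site": forward_from_site_b(acl, CRYPTO_ACL_110, SITE_B_PC, MAIN_SITE_HOST),
        }
    return result


if __name__ == "__main__":
    for name, flows in summary().items():
        for flow, outcome in flows.items():
            print(f"{name:9s} {flow:13s} translated={outcome['translated']!s:5s} in_tunnel={outcome['in_tunnel']}")
```

With the original list nothing from 172.16.3.0/24 is translated, so Internet packets leave with a private source and get no reply; with the naive list the VPN flow is translated first and then fails the crypto match; with the destination-based deny the Internet flow is translated and the LAN-to-LAN flow is left alone and enters the tunnel. The parser deliberately handles only the address forms used in this thread (any, host, wildcard) and no port qualifiers.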
11-17-2006 02:49 AM
Justin
I am glad that I was able to help you get your problem resolved. And thanks for posting back to the forum to indicate what resolved your problem. It makes the forum more useful when people can read about a problem and read what resolved the problem. It would make this thread even more useful if you would use the check mark to indicate that the problem was resolved so people would clearly see the indication that there was a solution.
HTH
Rick
11-23-2006 03:49 AM
I have a similar problem. Below is the bare config with just the ADSL stuff in it. I can ping IP addresses from the workstation and router but cannot resolve DNS or browse the internet from the workstation.
Here is the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.18.46.1 172.18.46.128
!
ip dhcp pool nha-brad-test
import all
network 172.18.46.0 255.255.255.0
domain-name something.com
default-router 172.18.46.1
netbios-name-server 172.18.18.65 172.18.16.65
dns-server 196.x.x.206
!
!
ip cef
ip name-server 196.x.x.13
ip name-server 196.x.x.206
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 172.18.46.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
speed auto
half-duplex
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username
!
interface Dialer0
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 172.18.46.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
password 7
login
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179767
ntp source Dialer1
ntp peer 196.x.x.17 prefer
end
11-23-2006 06:50 AM
Brad
I am not sure that I really understand your problem. I believe that you are saying that from both the router and from workstations connected on its Ethernet you can ping destinations in the Internet if you specify their IP address but if you ping them by name it fails. If you use your web browser and put in the IP address does it work?
The original post was clearly a problem with address translation. I do not believe that your problem is the same. I have looked at your configuration and do not see significant problems with address translation in it. And if it were a problem with address translation you would not be able to ping anything in the Internet. The symptoms that you describe sound like a problem with DNS. Are the workstations configured with the same name server information that is in the router config? Are the addresses configured in the router for name servers correct? Is there any access list anywhere that could be interfering with DNS?
HTH
Rick
11-23-2006 12:25 PM
Hi Rick,
After looking at the problem again, it appears to be DNS. If I do an nslookup for www.cisco.com, it does not resolve, BUT if I do:
nslookup www.cisco com 196.7.0.138 (DNS SERVER)
....this resolves. From the config I have DNS server entries added; should the router not be able to do the DNS lookups and reverse lookups on behalf of the workstations?
Should I have an access list to permit this out?
e.g. access list 101 permit ip any any eq 53
If the access list does need amendment, do we need to NAT this out as well?
How do I get DNS resolution to work?
Do I configure DNS manually on every workstation to use that of the ISP?
Lots of FAQs, I know... but I am really stuck and the bosses are getting a bit annoyed. Once this is fixed, I need to get this router to VPN to our CO, as it is at a remote location, via the internet.
11-24-2006 12:53 AM
OK.... making progress. I got DNS to work via the router: enabled dns nsap. Not really sure what it does, but it works. Will look it up in a minute. Able to get to the internet now.
Now the tricky part.... VPN to my office network from the router.
Enabled the VPN stuff on the router. When I do a "show crypto isakmp sa" I see nothing on the router.
What could be wrong now?
12-08-2006 05:11 AM
Hi Brad,
Can you post the cfg with the crypto lines in it?
Thanks
Nick