Cisco 877 VPN - two remote routers connecting to head office Part 2

davieshuw
Level 1

Hi


I have a head office (Cisco 877) with 2 remote sites (also 877's) that are VPN'd into head office.

All was well, and I was able to ping from Remote site 1 to Remote site 2 via the head office router. Not the most efficient but at least it worked.

I added a 3rd remote site, and I think it's screwed up my NATting because now my remote sites cannot ping each other - but they can all connect to head office OK.

I've had a look at the config on the head office router and I can see that another 4 access rules have created themselves and I think they are my issue.

Head office is 192.168.16.5

Remote site 1 is 192.168.17.1

Remote site 2 is 192.168.18.1

Remote site 3 is 192.168.19.1

Below is the access list from the head office router (when the first two sites were pinging each other we only had access lists 100 to 103; since I've added the 3rd site we've now got 104, 105, 106 and 107!).

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.16.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.16.0 0.0.0.255 192.168.19.0 0.0.0.255
no cdp run

Here are the access lists for Remote Site 1

access-list 100 remark SDM_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny   ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit udp host 217.34.91.65 any eq isakmp
access-list 101 permit esp host 217.34.91.65 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
dialer-list 1 protocol ip permit

and for Remote Site 2

access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.18.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 deny   ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.18.0 0.0.0.255 any
dialer-list 1 protocol ip permit

I haven't included the third, as if I manage to get sites 1 and 2 pinging each other again then I'll work out the rest.

So... can anyone see why 192.168.17.1 cannot get to 192.168.18.1 via 192.168.16.5 and vice versa?

thanks!!!!!
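An added example (my own code, not from this thread or from Cisco): a small Python checker that parses the IOS ACL lines posted above and evaluates, for a spoke-to-spoke flow relayed through the hub, whether the spoke's crypto ACL selects it, the spoke's NAT route-map ACL exempts it from translation, and the hub's crypto ACLs for both tunnels carry the mirror entries. The host addresses 192.168.17.10, 192.168.18.10 and 192.168.19.10 are constructed, and the function names are mine; the ACL text is a subset of the head office and remote site 1 lists above with remarks dropped.

```python
import ipaddress

# Subset of the ACL lines posted above (head office and remote site 1); remarks dropped.
HUB_ACLS = """
access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.19.0 0.0.0.255"""
SPOKE1_ACLS = """
access-list 100 deny   ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny   ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.17.0 0.0.0.255 any
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255"""

def _net(toks):
    """Consume 'any' or 'address wildcard' from the token list; return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    mask = ~int(ipaddress.ip_address(toks[1])) & 0xFFFFFFFF  # IOS wildcard -> netmask
    return ipaddress.ip_network((toks[0], str(ipaddress.ip_address(mask))), strict=False), toks[2:]

def parse_acls(text):
    """Map ACL number -> [(action, src_net, dst_net), ...] in configuration order."""
    acls = {}
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 5 and t[0] == "access-list" and t[3] == "ip":  # skips remarks
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, _net(rest)[0]))
    return acls

def acl_action(acls, num, src_ip, dst_ip):
    """First-match lookup; no matching entry (or no such ACL) is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acls.get(num, []):
        if s in src and d in dst:
            return action
    return "deny"

def spoke_via_hub(hub, spoke, spoke_crypto, spoke_nat, hub_to_dst, hub_to_src, src, dst):
    """Four ACL conditions a spoke-to-spoke flow relayed by the hub must meet. 'deny' in
    the NAT route-map ACL means NOT translated, so the private source address survives."""
    return {
        "spoke crypto ACL selects flow": acl_action(spoke, spoke_crypto, src, dst) == "permit",
        "spoke NAT exemption keeps source": acl_action(spoke, spoke_nat, src, dst) == "deny",
        "hub crypto ACL to destination site": acl_action(hub, hub_to_dst, src, dst) == "permit",
        "hub crypto ACL back to source site": acl_action(hub, hub_to_src, dst, src) == "permit",
    }

# Constructed host addresses: one LAN host behind site 1 talking to one behind site 2.
print(spoke_via_hub(parse_acls(HUB_ACLS), parse_acls(SPOKE1_ACLS), "102", "100", "102", "100", "192.168.17.10", "192.168.18.10"))
```

Run against the posted lists, all four conditions hold for site 1 to site 2; run with hub ACL 104 for a site 1 to site 3 flow, every condition fails, since ACL 104 as posted only carries the head-office-to-site-3 entry and site 1 has no entries for 192.168.19.0 at all.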

4 Replies

Ivan Martinon
Level 7

Dave,

Can you post the show crypto map from the 3 devices, as well as your "show run | inc nat" from the 3 devices too?

Hi there - sorry, I've had trouble logging in. Will post what you need shortly.

Head Office Router:

Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to Riversdale
        Peer = 81.137.240.200
        Extended IP access list 100
            access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
            access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
        Current peer: 81.137.240.200
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ESP-3DES-SHA,
        }

Crypto Map "SDM_CMAP_1" 2 ipsec-isakmp
        Description: Tunnel to TyNewydd
        Peer = 79.141.130.151
        Extended IP access list 102
            access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.18.0 0.0.0.255
            access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
        Current peer: 79.141.130.151
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ESP-3DES-SHA,
        }

Crypto Map "SDM_CMAP_1" 3 ipsec-isakmp
        Description: Tunnel to81.179.234.6
        Peer = 81.179.234.6
        Extended IP access list 104
            access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.19.0 0.0.0.255
        Current peer: 81.179.234.6
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map SDM_CMAP_1:
                Dialer0
                Virtual-Access2

Remote site 1

Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to217.34.91.70
        Peer = 217.34.91.70
        Extended IP access list 102
            access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
            access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
        Current peer: 217.34.91.70
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map SDM_CMAP_1:
                Virtual-Access2
                Dialer0

Remote Site 2

Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to217.34.91.70
        Peer = 217.34.91.70
        Extended IP access list 100
            access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.16.0 0.0.0.255
            access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.17.0 0.0.0.255
        Current peer: 217.34.91.70
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map SDM_CMAP_1:
                Virtual-Access2
                Dialer0

Site 3 is down at the moment - I'm investigating that.

Remote Site 1 sh run inc nat

encapsulation dot1Q 1 native
ip nat outside
ip nat inside
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
CoachHouse#

Remote Site 2 sh run inc nat

ip nat outside
ip nat inside
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
TyNant#
