03-01-2007 09:09 AM - edited 02-21-2020 01:25 AM
I posted here and got such a good response to my last issue - I hope I am not being a pest.
** Main location: no issues out to the internet
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
description VPN to PARC
set peer X.X.X.X
set transform-set myset
match address 100
crypto map bhsn 20 ipsec-isakmp
description VPN to Corneilia
set peer X.X.X.X
set transform-set myset
match address 102
crypto map bhsn 30 ipsec-isakmp
description VPN to OAK
set peer X.X.X.X
set transform-set myset
match address 103
crypto map bhsn 40 ipsec-isakmp
description VPN to Wells
set peer X.X.X.X
set transform-set myset
match address 104
!
!
!
interface FastEthernet0
description inside interface
interface FastEthernet4
description 5Mb WAN to Primelink
ip address X.X.X.X 255.255.255.128 secondary
ip address X.X.X.X 255.255.255.128
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
description Default Gateway fa0-fa3
ip address 2X.X.X.X 255.255.255.248 secondary
ip address 192.168.0.11 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1100
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any 192.168.6.0 0.0.0.255
access-list 103 permit ip any 192.168.7.0 0.0.0.255
access-list 104 permit ip any 192.168.5.0 0.0.0.255
access-list 105 permit tcp any any eq 9903
access-list 105 permit tcp any any eq 9902
access-list 105 permit tcp any any eq 9901
access-list 105 permit udp any any eq 9901
access-list 105 permit udp any any eq 9902
access-list 105 permit udp any any eq 9903
no cdp run
route-map nonat permit 10
match ip address 101
*********************
The remote routers, however, can't seem to get traceroute working, and the accounting program, POP3 mail and updates aren't working. Here is the config for one of the remotes.
interface FastEthernet4
description WAN connection to PrimeLink$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.224
ip virtual-reassembly
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
description Default Gateway fa0-fa3$FW_INSIDE$
ip address 192.168.1.2 255.255.255.0
ip directed-broadcast
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq 9901
access-list 101 permit tcp any any eq 9902
access-list 101 permit tcp any any eq 9903
access-list 101 permit udp any any eq 9901
access-list 101 permit udp any any eq 9902
access-list 101 permit udp any any eq 9903
no cdp run
**
03-04-2007 05:03 AM
Hi,
You need to give us more information about the problem. Are you able to ping across the tunnel?
Which IP address are you doing a traceroute to? Where does it go?
-Kanishka
03-05-2007 12:17 PM
Here is more information:
Have 4 remote locations and 1 main.
** Currently remotes can't access each other, not even ping. I.e. from remote 1: 192.168.1.X can't ping remote 192.168.3.X.
All remotes can access the main location. All internet traffic has to go through the main router, 192.168.0.11.
** POP mail can't be accessed from remotes.
** Accounting software can't be used at remotes. The accounting software is installed on local machines but accesses information from request2.paydata.com and request.paydata.com; remotes can't trace to these, the trace fails at the main router.
03-05-2007 12:29 PM
Hi,
Couldn't find 192.168.3.0 in the config you pasted. Assuming it's one of the remote networks, you are missing the deny statements in access-list 101, e.g.
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
You have to put similar statements in for every remote router.
*Please rate if helped.
-Kanishka
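The NAT-exemption and crypto-map logic discussed in this reply can be checked with a small model of the hub router's order of operations on FastEthernet4. This is an added example written for this thread, not code from the original posts. It copies the subnets, ACL numbers and crypto-map sequence numbers from the posted hub config and the peer names from its description lines; 192.168.3.0/24 is the network named in the follow-up post, which appears in no crypto ACL. The WAN address 198.51.100.1 and the "internet" host 203.0.113.25 are constructed stand-ins for the masked X.X.X.X addresses, and the host addresses in the sample flows are constructed too.

```python
"""Model of the hub router's NAT-exemption and crypto-map decisions on FastEthernet4.

Added example for this thread, not code from the original posts. Subnets, ACL
numbers and crypto-map sequence numbers are copied from the posted hub config,
peer names from its "description" lines. 192.168.3.0/24 is the network named in
the follow-up post; it appears in no crypto ACL. WAN_ADDRESS and the
203.0.113.25 "internet" host are constructed stand-ins for the masked X.X.X.X.
"""
from ipaddress import ip_address, ip_network

WAN_ADDRESS = "198.51.100.1"  # constructed stand-in for the X.X.X.X on FastEthernet4


def ace(action, src, dst):
    """One access-list entry: ('permit' | 'deny', source network, destination network)."""
    return (action, ip_network(src), ip_network(dst))


# access-list 101, used by 'route-map nonat': permit = translate, deny = leave untranslated.
NONAT_ACL = [
    ace("deny", "192.168.0.0/24", "192.168.1.0/24"),
    ace("deny", "192.168.0.0/24", "192.168.6.0/24"),
    ace("deny", "192.168.0.0/24", "192.168.7.0/24"),
    ace("deny", "192.168.0.0/24", "192.168.5.0/24"),
    ace("permit", "192.168.0.0/24", "0.0.0.0/0"),
]

# crypto map bhsn: (sequence, peer description, 'match address' ACL), in sequence order.
CRYPTO_MAP = [
    (10, "PARC", [ace("permit", "0.0.0.0/0", "192.168.1.0/24")]),       # access-list 100
    (20, "Corneilia", [ace("permit", "0.0.0.0/0", "192.168.6.0/24")]),  # access-list 102
    (30, "OAK", [ace("permit", "0.0.0.0/0", "192.168.7.0/24")]),        # access-list 103
    (40, "Wells", [ace("permit", "0.0.0.0/0", "192.168.5.0/24")]),      # access-list 104
]

# Remote networks: the four in the crypto map plus the one named in the follow-up post.
SPOKE_NETS = ["192.168.1.0/24", "192.168.6.0/24", "192.168.7.0/24",
              "192.168.5.0/24", "192.168.3.0/24"]


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit 'deny' that ends every IOS ACL."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"


def forward_out_fa4(src, dst, ingress):
    """What the hub does with a packet that is routed out FastEthernet4.

    ingress is 'Vlan1' (marked 'ip nat inside') or 'FastEthernet4' (traffic
    that was decrypted on the outside interface and is routed back out of it).
    Returns (source address after NAT, crypto peer or None, verdict).
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    translated = False
    # 'ip nat inside source' only translates inside-to-outside traffic, so a
    # packet that entered on the outside interface is never translated here.
    if ingress == "Vlan1" and acl_lookup(NONAT_ACL, src_ip, dst_ip) == "permit":
        src_ip, translated = ip_address(WAN_ADDRESS), True
    # NAT runs before the egress crypto map, so the crypto ACLs see the
    # possibly translated source address.
    peer = next((name for _, name, acl in CRYPTO_MAP
                 if acl_lookup(acl, src_ip, dst_ip) == "permit"), None)
    if peer is not None:
        verdict = "encrypted"
    elif translated:
        verdict = "clear, translated"
    else:
        verdict = "clear, not translated"
    return (str(src_ip), peer, verdict)


def unencrypted_spoke_pairs(spoke_nets=SPOKE_NETS):
    """Spoke-to-spoke pairs that would leave the hub in the clear after decryption."""
    bad = []
    for a in spoke_nets:
        for b in spoke_nets:
            if a != b:
                src, dst = str(ip_network(a)[10]), str(ip_network(b)[10])
                if forward_out_fa4(src, dst, "FastEthernet4")[2] != "encrypted":
                    bad.append((a, b))
    return bad


if __name__ == "__main__":
    # Constructed sample flows: (label, source host, destination host, ingress interface).
    flows = [
        ("hub LAN to PARC", "192.168.0.25", "192.168.1.10", "Vlan1"),
        ("hub LAN to the internet", "192.168.0.25", "203.0.113.25", "Vlan1"),
        ("hub LAN to 192.168.3.0/24", "192.168.0.25", "192.168.3.10", "Vlan1"),
        ("PARC to Wells via the hub", "192.168.1.10", "192.168.5.10", "FastEthernet4"),
        ("PARC to 192.168.3.0/24 via the hub", "192.168.1.10", "192.168.3.10", "FastEthernet4"),
        ("PARC to the internet via the hub", "192.168.1.10", "203.0.113.25", "FastEthernet4"),
    ]
    for label, src, dst, ingress in flows:
        print(f"{label:36} -> {forward_out_fa4(src, dst, ingress)}")
    print("spoke pairs not encrypted:", unencrypted_spoke_pairs())
```

Running it lists the four spoke pairs whose destination is 192.168.3.0/24 as leaving FastEthernet4 unencrypted, because no crypto-map entry on the hub matches that destination; a hub-LAN packet to the same network is translated to the WAN address and sent to the ISP. The model also shows a property of the posted design worth knowing when chasing the remotes' internet symptoms: traffic that arrives on FastEthernet4 from a tunnel and is routed back out of it is not touched by `ip nat inside source`, so it leaves with its private source address unless the hub is given a NAT path for it.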
03-05-2007 02:19 PM
Thanks for that help; however, what about not being able to access certain items like the accounting software and POP mail, which should all come from the main router? All internet traffic needs to go through the main router. I tried putting in the ports for the accounting software but that didn't work. Am I missing something to allow the accounting software?
03-05-2007 03:49 PM
Hi,
On the VLAN interface on the main router, the TCP MSS is set to a very low value. Some applications require the packet size to be greater.
interface Vlan1
ip tcp adjust-mss 1100
exit
Try increasing the TCP MSS to see if there's any success.
-Kanishka
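The MSS figures in this thread can be checked against the fixed overhead of the transform set in the hub config (esp-3des esp-sha-hmac, tunnel mode). The following is an added example for this thread, not code from the original posts. It assumes a 1500-byte MTU on the Ethernet WAN links; the header and trailer sizes are the standard ESP, 3DES-CBC and HMAC-SHA1-96 values, and the MSS values it checks (1100 and 1400 on the hub, 1452 on the remote) are the ones in the posted configs and replies.

```python
"""ESP tunnel-mode size budget for 'crypto ipsec transform-set myset esp-3des esp-sha-hmac'.

Added example for this thread, not code from the original posts. The header
and trailer sizes are the fixed ESP, 3DES-CBC and HMAC-SHA1-96 values; a
1500-byte MTU is assumed for the Ethernet WAN links; the MSS values checked
(1100 and 1400 on the hub, 1452 on the remote) are the ones in the posted
configs and replies.
"""
OUTER_IP = 20     # new IPv4 header that tunnel mode prepends
ESP_HEADER = 8    # SPI + sequence number
IV = 8            # 3DES-CBC initialisation vector (one cipher block)
ESP_TRAILER = 2   # pad length + next header, inside the encrypted part
ICV = 12          # HMAC-SHA1-96 authenticator
INNER_IP = 20     # original IPv4 header, now encrypted
TCP = 20          # TCP header without options
BLOCK = 8         # 3DES block size: the encrypted part is padded up to a multiple of it


def esp_packet_size(tcp_payload):
    """On-the-wire size of one TCP segment of tcp_payload bytes after ESP tunnel-mode encapsulation."""
    plaintext = INNER_IP + TCP + tcp_payload + ESP_TRAILER
    padded = -(-plaintext // BLOCK) * BLOCK  # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + IV + padded + ICV


def fits(mss, mtu=1500):
    """True if a full-size segment with this MSS still fits the link MTU after encryption."""
    return esp_packet_size(mss) <= mtu


def max_mss(mtu=1500):
    """Largest MSS that fits: start from the no-padding bound and step down until the padded size fits."""
    mss = mtu - (OUTER_IP + ESP_HEADER + IV + ICV + ESP_TRAILER + INNER_IP + TCP)
    while not fits(mss, mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1100, 1400, 1452, 1460):
        print(f"mss {mss}: encrypted packet {esp_packet_size(mss)} bytes, fits 1500: {fits(mss)}")
    print("largest MSS for this transform set on a 1500-byte MTU:", max_mss())
    print("largest MSS on a 1492-byte PPPoE path:", max_mss(1492))
```

For this transform set the ceiling on a 1500-byte MTU works out to 1406 bytes; 1100 and 1400 both sit under it, while a 1452-byte segment (the remote's Vlan1 value, the usual figure for a 1492-byte PPPoE path without IPsec) becomes a 1544-byte packet after encapsulation and has to be fragmented or dropped.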
03-05-2007 06:26 PM
Bumped to
ip tcp adjust-mss 1400
Still no luck. If I bump it any more I can't get into the database that is at the main site from the remote.
The database gives a socket error. They said to check ports, which I have open on both ends.