Cisco Support Community

New Member

ISA500 to cisco 887 site-to-site VPN issues

Hi guys. I'm trying to set up a site-to-site IPSEC tunnel between an ISA500 and a Cisco 887. I've configured the tunnel at each end, and it seems to be up. Running "show crypto engine connections active" on the 800, the decrypt count goes up when I try to ping from the ISA500 side, but the encrypt count never increases.

The ISA500 LAN is on 200.200.200.0/24 (which I cannot easily change, for political or technical reasons) and the Cisco 800 LAN is on 10.10.1.0/24. Would the ISA side's LAN range be causing an issue?

I'm happy to provide a sanitized copy of the 800's config if it would help.

4 REPLIES
Hall of Fame Super Silver

If the decrypt counter goes up it does sound like they are sending through the tunnel to you. And if the encrypt counter does not go up then you are not sending response to them. My first suggestion would be to check your configuration and to make sure that the access list that you use to identify traffic for encryption does match the access list used on the other side. My second suggestion would be to check your routing logic and to make sure that you are routing to the source address of the ping in a way that will take the traffic through the tunnel.

HTH

Rick
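Rick's first two suggestions can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Cisco's tooling: it parses the router's crypto ACL 101 and NAT-exemption ACL 105 (as posted later in the thread) and checks (a) that the crypto ACL is the exact mirror of the peer's traffic selectors, which is what IKE Phase 2 proxy identities require, and (b) that the NAT route-map ACL denies the VPN traffic first, so it is not translated before reaching the crypto map. The ISA500 configures its selectors as local/remote subnets in a GUI; here they are written as constructed ACL lines in IOS syntax, once correct and once with a deliberately wrong remote subnet. Only plain `ip` entries (`any`, `host`, address/wildcard) are handled.

```python
"""Mirror-check an IOS crypto ACL against the peer's selectors (added example)."""
import ipaddress
from dataclasses import dataclass

# From the router config posted in the thread.
ROUTER_ACLS = """
access-list 101 remark VPN
access-list 101 permit ip 10.10.1.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 10.10.1.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 105 permit ip any any
"""

# Constructed: the ISA500's local/remote subnets written as an IOS ACL line.
PEER_SELECTORS_OK = "access-list 101 permit ip 200.200.200.0 0.0.0.255 10.10.1.0 0.0.0.255\n"
# Constructed: peer has the remote subnet as /16, which does not mirror the router.
PEER_SELECTORS_BAD = "access-list 101 permit ip 200.200.200.0 0.0.0.255 10.10.0.0 0.0.255.255\n"


@dataclass(frozen=True)
class Entry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard bits set to 1 are 'don't care'; invert them to get the netmask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_network(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(config: str, number: int) -> list:
    """Return the 'ip' entries of numbered ACL `number`, in configured order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark" or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append(Entry(action, src, dst))
    return entries


def mirror_mismatches(local: list, remote: list) -> list:
    """Permit entries on either side without an exact mirrored permit on the other.
    Proxy IDs are compared for equality, not containment, because that is how
    IKE Phase 2 negotiation compares them."""
    local_pairs = {(e.src, e.dst) for e in local if e.action == "permit"}
    remote_pairs = {(e.src, e.dst) for e in remote if e.action == "permit"}
    problems = []
    for s, d in sorted(local_pairs, key=str):
        if (d, s) not in remote_pairs:
            problems.append(f"local {s} -> {d} has no mirrored remote {d} -> {s}")
    for s, d in sorted(remote_pairs, key=str):
        if (d, s) not in local_pairs:
            problems.append(f"remote {s} -> {d} has no mirrored local {d} -> {s}")
    return problems


def first_match(acl: list, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """First-match semantics as on the router; every IOS ACL ends in an implicit deny."""
    for e in acl:
        if src.subnet_of(e.src) and dst.subnet_of(e.dst):
            return e.action
    return "deny"


def nat_exempted(nonat: list, crypto: list) -> bool:
    """True when no crypto-interesting traffic is matched by a permit in the NAT ACL,
    i.e. the route-map will not translate it before the crypto map sees it."""
    return all(
        first_match(nonat, c.src, c.dst) == "deny"
        for c in crypto
        if c.action == "permit"
    )


if __name__ == "__main__":
    crypto = parse_acl(ROUTER_ACLS, 101)
    for label, peer in (("ok", PEER_SELECTORS_OK), ("bad", PEER_SELECTORS_BAD)):
        print(label, mirror_mismatches(crypto, parse_acl(peer, 101)) or "mirrors")
    print("nat exempt:", nat_exempted(parse_acl(ROUTER_ACLS, 105), crypto))
```

In this thread both checks pass for the posted config (the ACLs mirror, and 105 denies the VPN pair before the `permit ip any any`), which is consistent with the fault lying elsewhere, as the later replies show.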

New Member

Thanks Richard, it's encouraging that I'm not completely losing my mind.

Unfortunately I must be missing something silly, because I'm just not seeing the problem :( If someone could take a quick look at the config below (I've removed a lot of it and only left what might be relevant) and give me a pointer in the right direction - I feel like I'm going a bit googly-eyed trying to find the issue :(


!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
!
ip dhcp excluded-address 10.10.1.1 10.10.1.50
!
ip dhcp pool data
 import all
 network 10.10.1.0 255.255.255.0
 dns-server 10.10.1.1
 default-router 10.10.1.1
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REDACTED address REDACTED   no-xauth
!
!
crypto ipsec transform-set tr-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map cm01 100 ipsec-isakmp
 set peer REDACTED
 set transform-set tr-aes256-sha
 match address 101
 reverse-route
!
!
!
!
!
interface Loopback0
 ip address REDACTED 255.255.255.255
 crypto map cm01
!
interface ATM0
 no ip address
 ip mtu 1500
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname REDACTED
 ppp chap password 0 REDACTED
 ppp pap sent-username REDACTED password 0 REDACTED
 ppp ipcp dns request
 no cdp enable
!
ip nat inside source route-map nonat interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 remark VPN
access-list 101 permit ip 10.10.1.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 10.10.1.0 0.0.0.255 200.200.200.0 0.0.0.255
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 105
!
!
!
end

Hall of Fame Super Silver

The first thing that I notice is that you have the crypto map applied to the loopback interface, and I believe it should be on the outbound interface. So I would move crypto map cm01 from the loopback interface to the dialer interface.

HTH

Rick
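The change Rick describes, written out as an added example rather than copied from the thread: the crypto map must sit on the interface the encrypted packets actually leave through (Dialer0, which borrows Loopback0's address via `ip unnumbered`), because the crypto map is consulted on egress and a loopback never forwards anything. The verification commands afterwards are standard IOS exec commands; the peer address is the ISA500's public IP, which the post redacts.

```cisco
! Remove the crypto map from the loopback, where it is never evaluated
interface Loopback0
 no crypto map cm01
!
! Apply it to the egress interface; encryption is decided on the way out
interface Dialer0
 crypto map cm01
!
end
!
! Verify after the change (exec mode). Phase 1 should show QM_IDLE, and the
! encaps/encrypt counters in the IPsec SA should now rise alongside decaps.
! show crypto isakmp sa
! show crypto ipsec sa peer <ISA500-public-IP>
! show crypto engine connections active
```

If the encrypt counter still stays at zero after this, return to the earlier two checks: the crypto ACL must mirror the ISA500's selectors exactly, and traffic to 200.200.200.0/24 must be routed out Dialer0 (here it follows the default route, so no extra static route is needed).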

New Member

Thank you Rick, I really appreciate your help. That's now working perfectly :D
