
VPN - SRP527W <> Cisco 857 established but no traffic

I am setting up an IPsec VPN between an SRP527W and a Cisco 857. The tunnel apparently establishes, but a ping between a host on one LAN and a host on the other gets no reply. Curiously, looking at the SRP527 -> VPN statistics, a ping from the Cisco network to the SRP generates RX traffic on the SRP but no TX, which always stays at 0.

Configurations attached:

CISCO

-------------------------------------------------------------------------------------------------------------

Current configuration : 6644 bytes

!

! Last configuration change at 12:58:50 CET Thu Aug 4 2011 by admin

! NVRAM config last updated at 11:30:24 CET Thu Aug 4 2011 by admin

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname DBPCentral

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 [pass]

enable password 7 [pass]

no aaa new-model

clock timezone Spain 1

clock summer-time CET recurring last Sun Mar 1:00 last Sun Oct 1:00

!

crypto pki trustpoint TP-self-signed-1149929476

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1149929476

revocation-check none

rsakeypair TP-self-signed-1149929476

!

!

crypto pki certificate chain TP-self-signed-1149929476

certificate self-signed 01

        quit

dot11 syslog

!

!

ip cef

no ip bootp server

ip name-server 208.67.222.222

ip name-server 156.154.70.1

ip ddns update method dyndnsupdate

HTTP

  add [url]

interval maximum 1 0 0 0

!

!

vpdn enable

!

!

!

username [username] privilege 15 password 7 [pass]

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key VoIPDBPtunnel address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set VoIPtunnel esp-3des esp-sha-hmac

!

crypto dynamic-map VoIP 15

set security-association lifetime seconds 7800

set transform-set VoIPtunnel

match address 110

reverse-route

!

!

crypto map vpnsandra 14 ipsec-isakmp dynamic VoIP

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode adsl2+

!

interface ATM0.1 point-to-point

ip nat outside

ip virtual-reassembly

pvc 8/32

  encapsulation aal5snap

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

no cdp enable

!

interface FastEthernet1

no cdp enable

!

interface FastEthernet2

no cdp enable

!

interface FastEthernet3

no cdp enable

!

interface Vlan1

ip address 172.26.153.1 255.255.255.0

ip route-cache flow

!

interface Dialer0

mtu 1492

ip ddns update hostname [hostname]

ip ddns update dyndnsupdate

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname adslppp@telefonicanetpa

ppp chap password 7 0207004807161F31

crypto map vpnsandra

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

ip route 172.26.0.0 255.255.255.0 172.26.153.2

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map NONAT interface Dialer0 overload

!

logging trap debugging

access-list 1 permit 172.26.153.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 permit tcp any any eq 22

access-list 101 permit udp any any eq isakmp

access-list 110 permit ip 172.26.153.0 0.0.0.255 192.168.153.0 0.0.0.7

access-list 110 permit ip 192.168.153.0 0.0.0.7 172.26.153.0 0.0.0.255

access-list 111 deny   ip 172.26.153.0 0.0.0.255 192.168.153.0 0.0.0.255

access-list 111 permit ip 172.26.153.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community rdbp504 RO

snmp-server enable traps pw vc

snmp-server enable traps cpu threshold

snmp-server enable traps syslog

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps firewall serverstatus

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps ipsla

no cdp run

route-map NONAT permit 10

match ip address 111

!

!

control-plane

!

banner login ^Ctest

test

^C

!

line con 0

exec-timeout 0 0

no modem enable

line aux 0

line vty 0 4

privilege level 15

password 7 [pass]

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

no process cpu extended

no process cpu autoprofile hog

sntp logging

sntp server 130.206.3.166

end

-------------------------------------------------------------------------------------------------------------------

SRP 527

Attachments: ike.png, ipsec1.png, ipsec2.png

1 REPLY

Good morning Mr. Bocos,

We checked the configuration you made on the SRP527W and it is done correctly; we do not support the Cisco 857, however, looking at the Cisco 857 configuration we noticed that in the following configuration:

crypto dynamic-map VoIP 15

set security-association lifetime seconds 7800

set transform-set VoIPtunnel

match address 110

reverse-route

reference is made to access-list 110, which should only permit local traffic toward the remote side. The access-list you have configured sets one access-list against the other; this means that only one of the access-lists should be kept, and for this purpose the one to keep is the one that permits traffic from the local addressing to the remote.

access-list 110 permit ip 172.26.153.0 0.0.0.255 192.168.153.0 0.0.0.7

access-list 110 permit ip 192.168.153.0 0.0.0.7 172.26.153.0 0.0.0.255

I hope this is of great help.

Sincerely,

Esteban Carranza Ch.

Cisco Small Business.

c631570.
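
The check the reply above describes, as an added example (not part of the original thread and not Cisco tooling): it lists permit entries in the crypto ACL whose source is not the local LAN, and goes one step further by confirming that each local-to-remote entry is exempted from NAT by a deny in the NAT ACL. The function names, the sample input (ACL lines copied from the posted configuration), and the restriction to entries in network/wildcard form with contiguous wildcard masks are assumptions of this example.

```python
import ipaddress
import re

# Sample input: the ACL 110 and 111 lines as posted in the thread.
SAMPLE_CONFIG = """\
access-list 110 permit ip 172.26.153.0 0.0.0.255 192.168.153.0 0.0.0.7
access-list 110 permit ip 192.168.153.0 0.0.0.7 172.26.153.0 0.0.0.255
access-list 111 deny   ip 172.26.153.0 0.0.0.255 192.168.153.0 0.0.0.255
access-list 111 permit ip 172.26.153.0 0.0.0.255 any
"""

# Matches only "ip <net> <wildcard> <net> <wildcard>" entries; "any"/"host" forms are skipped.
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def wildcard_net(addr, wildcard):
    """Convert an IOS address and contiguous wildcard mask to an ip_network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for one numbered ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == str(number):
            entries.append((m.group(2), wildcard_net(m.group(3), m.group(4)),
                            wildcard_net(m.group(5), m.group(6))))
    return entries

def reversed_crypto_entries(config, acl_number, local_lan):
    """Permit entries in the crypto ACL whose source is not inside the local LAN."""
    lan = ipaddress.ip_network(local_lan)
    return [(str(s), str(d)) for action, s, d in parse_acl(config, acl_number)
            if action == "permit" and not s.subnet_of(lan)]

def missing_nat_exemption(config, crypto_acl, nat_acl, local_lan):
    """Local-to-remote crypto entries not covered by a deny in the NAT ACL."""
    lan = ipaddress.ip_network(local_lan)
    denies = [(s, d) for a, s, d in parse_acl(config, nat_acl) if a == "deny"]
    return [(str(s), str(d)) for a, s, d in parse_acl(config, crypto_acl)
            if a == "permit" and s.subnet_of(lan)
            and not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies)]
```

Run against the posted lines with `172.26.153.0/24` as the local LAN, the first function returns the second ACL 110 entry and the second function returns an empty list.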
