
871 tunnel with soho91 - active, but not working

a.goudriaan
Level 1

The tunnel is active and a ping from the 871 LAN to the 91 LAN goes through the tunnel (the 91 receives the packets), but the 871 LAN receives nothing (the 91 sends the packets through the tunnel).

The 91 has three other good working tunnels with other routers.

I'm sure the fault is on the 871, but I can't find it.

Please help.

Best regards,

Alex

Relevant info of the config on the 871:

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address 82.x.x.38
crypto ipsec transform-set cryptoset esp-3des esp-md5-hmac
!
crypto map VPNLan 20 ipsec-isakmp
 set peer 82.170.117.38
 set transform-set cryptoset
 match address 115
!
!
!
interface Loopback0
 ip address 1.1.x.x.x.255.0
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 193.173.x.x.x.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map VPNLan
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.x.x.x.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
ip nat inside source route-map vpnnonat interface FastEthernet4 overload
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.151.228.34 eq domain host 193.173.97.158
access-list 101 permit udp host 194.151.228.18 eq domain host 193.173.97.158
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any traceroute
access-list 101 permit tcp any any eq 22
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 remark *** ACCESS FOR LOCAL NETWORKS
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 permit ip host 82.170.117.38 any
access-list 101 permit ip host 82.170.117.35 any
access-list 101 remark *** DENY REST
access-list 101 deny ip any any
access-list 115 remark *** encrypt private to private traffic
access-list 115 remark *** to argobest
access-list 115 permit ip 192.168.14.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 115 deny ip 192.168.14.0 0.0.0.255 any
access-list 116 remark *** except private to private traffic from nat
access-list 116 remark *** to argobest
access-list 116 deny ip 192.168.14.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 116 permit ip 192.168.14.0 0.0.0.255 any
access-list 117 remark *** private to private traffic through loopback
access-list 117 remark *** to argobest
access-list 117 permit ip 192.168.14.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 117 deny ip 192.168.14.0 0.0.0.255 any
no cdp run
route-map vpnnonat permit 20
 match ip address 116
!
route-map nonat permit 10
 match ip address 117
 set ip next-hop 1.1.1.2
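A consistency check a reviewer could run on the 871 configuration above, as an added example that is not part of the original post: IOS applies inside-to-outside NAT before it evaluates the crypto map, so every flow the crypto ACL (115) permits must hit a deny in the NAT route-map ACL (116). The function names are hypothetical helpers, only contiguous wildcard masks are handled, and the ACL lines are copied from the post.

```python
import ipaddress

# ACLs 115 (crypto map) and 116 (NAT route-map) as posted in the 871 config.
CONFIG = """\
access-list 115 permit ip 192.168.14.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 115 deny ip 192.168.14.0 0.0.0.255 any
access-list 116 deny ip 192.168.14.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 116 permit ip 192.168.14.0 0.0.0.255 any
"""

def parse_net(tok):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0))
    wild = int(ipaddress.IPv4Address(tok.pop(0)))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask is not handled here")
    return ipaddress.ip_network((first, 32 - wild.bit_length()), strict=False)

def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} for 'ip' entries only."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            continue  # remarks and non-ip entries are skipped
        rest = tok[4:]
        src, dst = parse_net(rest), parse_net(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def verdict(acl, src, dst):
    """First-match result for a flow; an ACL ends with an implicit deny."""
    for action, a_src, a_dst in acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            return "partial"  # entry covers only part of the flow
    return "deny"

def nat_conflicts(acls, crypto_acl, nat_acl):
    """Flows the crypto ACL protects that the NAT ACL would still translate."""
    return [(str(s), str(d)) for action, s, d in acls[crypto_acl]
            if action == "permit" and verdict(acls[nat_acl], s, d) != "deny"]

if __name__ == "__main__":
    print(nat_conflicts(parse_acls(CONFIG), "115", "116") or "no NAT conflicts")
```

For the posted ACLs the check finds no conflict, so the NAT exemption matches the crypto ACL on the 871 side.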

1 Reply

a.goudriaan
Level 1

The problem is not the Cisco router, but the la-110 from RAD Data Communications. I found on a Dutch forum that the firewall is on, although it's off. You have to add two rules on the la-110 and the Cisco will have no problems at all.

It's only possible via the www-interface, and for me it's impossible to get there, because I'm not there.

Now my question:

I'd like to put a port forwarding on the Cisco to the la-110. That's outside to outside. Is that possible?
