
Cisco 2911 Site-to-Site and Easy VPN having weird troubles, please help.

ogme2000mx
Level 1

Hi.

I have a Cisco 2911 ISR and want to set it up to allow site-to-site VPNs from 6 remote sites; their public IP addresses are dynamic and they have SonicWall routers. I also want to allow VPN connections from remote users with the Cisco VPN client (using Easy VPN Server). I made most of my config using Cisco Configuration Professional and I'm having a very strange problem. Let's say my local (Headquarters) network is 192.168.1.0/24 and my remote networks are 192.168.2.0/24, 192.168.3.0/24, ... , 192.168.7.0/24, and my Easy VPN clients get a 192.168.10/0 address. The problem is: if I make a connection from any local PC, let's say 192.168.1.43, to any remote PC, or even the SonicWall remote LAN IP address (let's say 192.168.2.254), I can successfully connect, but if I want to connect from the remote site (let's say 192.168.4.60 in the case of site-to-site or 192.168.10.110 in the case of the Easy VPN Client) to a local PC (let's say 192.168.1.19), I can't connect. What am I missing or doing wrong? I'm attaching my current running config. Thanks in advance.

Regards.

2 Replies

praprama
Cisco Employee

Hi,

First off, I see you have an ACL defined in your dynamic crypto map. I have seen issues with passing traffic through VPN when this is done. Please try removing that and see how it goes!!

crypto dynamic-map SDM_DYNMAP_1 1
no match address VPN_Sites

For the remote access VPN clients, please share the output of "show cry isa sa" and "show cry ips sa".

Cheers,

Prapanch

Hi,

Thank you for your response.

This is actually working, I had to check it myself. I logged in to a remote computer using LogMeIn and everything was working. Some guys at the remote sites were connecting directly to the DSL modem, so they were not connecting through the SonicWall router; that was the problem. Unfortunately there are no IT personnel at the remote sites, and nothing can stop them from doing what they want, lol.

The only thing that seems to be not working is the Easy VPN connection. I can connect to the HQ, and the router shows the connection UP and ACTIVE both in ISAKMP and IPSEC, but I can't ping the router from the remote client computer.

Cisco Configuration Professional has a monitor feature. When I ping the router from the Easy VPN Client, the tunnel shows decapsulating traffic activity but it doesn't send the response, it doesn't show encapsulating activity, and when I try to ping from the router to the client, it doesn't show activity at all.

If someone sees something wrong in my config, please let me know.

P.S. The current running-config is the same as above.
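
The symptom described in the last post (decapsulation counters rising while encapsulation stays at zero) can be picked out of saved "show cry ips sa" output mechanically. The following is an added example, not part of the thread or of any Cisco tool; the sample output, peer addresses, counters and function names are constructed for illustration.

```python
import re

# Constructed sample laid out like IOS "show crypto ipsec sa" output;
# peer addresses are documentation ranges and the counters are invented.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.110/255.255.255.255/0/0)
   current_peer 198.51.100.20 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.30 port 500
    #pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
    #pkts decaps: 295, #pkts decrypt: 295, #pkts verify: 295
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER = re.compile(r"^\s*current_peer\s+(\S+)")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            if m.group(1) == "local":  # a "local ident" line starts a new SA block
                cur = dict(local=None, remote=None, peer=None, encaps=0, decaps=0)
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif cur is not None:
            if (m := PEER.match(line)):
                cur["peer"] = m.group(1)
            for name, value in COUNT.findall(line):
                cur[name] = int(value)
    return sas

def classify(sa):
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["encaps"] == 0:
        return "inbound-only"   # router decrypts traffic but never encrypts a reply
    if sa["decaps"] == 0:
        return "outbound-only"  # router encrypts traffic but nothing comes back
    return "two-way"

if __name__ == "__main__":
    print(*[(sa["remote"], classify(sa)) for sa in parse_sas(SAMPLE)], sep="\n")
```

An "inbound-only" entry corresponds to what the monitor showed for the Easy VPN client: packets arrive and are decrypted, but no reply is sent back into the tunnel.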
