Cisco Support Community
Cisco site-to-site VPN behind non-Cisco VDSL modem

Hello,

I had a working site-to-site between a Cisco 1841 (IOS 12.4) and a Cisco 876 router (IOS 12.3)...

The problem started when the 876 side was upgraded to VDSL, so I can't use the 876 to connect and now I'm behind an ISP's VDSL modem...

I followed the template at

http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml

and have a site-to-site VPN connection. The only problem is that while I can ping and access from the 876 to the 1841, I can't ping or access (except for the 876 itself) from the 1841 to the 876...

I would appreciate any help or hint...

Regards

EDIT: I don't know if it helps, but on the 876 I'm using double NAT; I didn't switch the modem to bridge mode, but since it's a tunnel, I don't think it's an issue...

Vlan2 takes an IP from the 192.168.254.0 range and the modem has 192.168.254.254.

Here is the result of "sh ip route":

     10.0.0.0/24 is subnetted, 2 subnets
D       10.10.10.0 [90/2818560] via 10.0.0.2, 01:10:03, Tunnel0
C       10.0.0.0 is directly connected, Tunnel0
C    192.168.254.0/24 is directly connected, Vlan2
S    192.168.2.0/24 is directly connected, Tunnel0
C    192.168.3.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [254/0] via 192.168.254.254

Also, when I issue "sh crypto isakmp sa", I get the local IP address in src:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
83.xxx.xxx.xxx  192.168.254.17  QM_IDLE           2004 ACTIVE

Here is the NAT part of the 876's config:

!
crypto map vpnmap1 local-address Vlan2
!
interface Vlan1
 description --- LAN ---
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Vlan2
 description --- WAN ---
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 crypto map vpnmap1
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip nat inside source route-map NAT interface Vlan2 overload
!
route-map NAT permit 10
 match ip address PAT
 match interface Vlan2
!
ip access-list extended PAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.254.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!

Message was edited by: gerasimos_h
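Added example (Python, not from the thread or from Cisco): it parses the posted "sh crypto isakmp sa" output to flag that the 876's IKE source is an RFC 1918 address, which is why the 1841 cannot initiate through the modem's NAT, and evaluates the PAT route-map ACL first-match to confirm the 192.168.3.0 to 192.168.2.0 flow is exempt from translation. The sample table and ACL are constructed from the post, with the masked public peer replaced by a TEST-NET-3 address.

```python
import ipaddress
import re

# Constructed sample shaped like the "sh crypto isakmp sa" output in the post (peer is TEST-NET-3).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    192.168.254.17  QM_IDLE           2004 ACTIVE
"""

# The PAT access list as posted, used here as sample ACL input.
PAT_ACL = """\
deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.254.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
"""

SA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_isakmp_sa(text):
    """One dict per SA row; the header lines do not match the row pattern."""
    rows = [SA_RE.match(ln) for ln in text.splitlines()]
    return [{"dst": m[1], "src": m[2], "state": m[3],
             "conn_id": int(m[4]), "status": m[5]} for m in rows if m]

def peer_behind_nat(sa):
    """True when our IKE source is RFC 1918 but the peer is not: the modem translates IKE,
    so the remote side cannot initiate unless the modem forwards UDP/500, UDP/4500 and ESP."""
    src, dst = ipaddress.ip_address(sa["src"]), ipaddress.ip_address(sa["dst"])
    return any(src in n for n in RFC1918) and not any(dst in n for n in RFC1918)

def _addr_spec(tokens, i):
    """Consume 'any' or 'NETWORK WILDCARD' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    net, wild = (int(ipaddress.ip_address(tokens[i + k])) for k in (0, 1))
    return (lambda a, n=net, w=wild: (int(a) | w) == (n | w)), i + 2  # wildcard 0 bits must match

def nat_action(acl_text, src, dst):
    """First-match evaluation of the extended ACL a NAT route-map matches on: 'deny' = flow
    exempt from translation (what tunnel traffic needs), 'permit' = translated, None = no match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny"):
            src_ok, i = _addr_spec(t, 2)
            dst_ok, _ = _addr_spec(t, i)
            if src_ok(s) and dst_ok(d):
                return t[0]
```

The ACL check only confirms the LAN-to-LAN flow is kept out of PAT; the private IKE source is the part that bridge mode (or port forwarding on the modem) has to fix.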

2 REPLIES

The 876 initiating would work since it's initiating. It sounds like you have the peer IP address on the 1841 pointing to the modem the 876 is plugged into. If the modem holds the public IP, it's not going to be able to terminate the VPN session from the 1841. Try enabling bridge mode so that the 876 gets a public IP and then re-initiate from the 1841.

Thank you.

Joe


Thanks for the answer,

The 876 connects to the 1841, to be accurate...

Also I'm trying to avoid bridging the modem, but now I realize that I'm not going to avoid it after all, even after I was so close to the solution...

Thanks
