Cisco VPN Site-to-Site not able to access remote

giorgio12217357
Level 1

A <---> B

A: 192.168.100.0

     Gateway: 192.168.100.254

     Gateway: 192.168.100.11

B: 192.168.101.0

     Gateway: 192.168.101.254

The site-to-site works fine so far; the only problem is that Router B cannot access site A, and Router A is not able to access site B either.

Not able to PING, not able to access tftp, not able to send syslog.

My VPN config is pretty simple, just following the Cisco VPN Sample configuration.

Any idea?

Thanks in advance.

P.C.

6 Replies

ajay chauhan
Level 7

You should post both end configuration.

! ==============================
!
! Router A (PIX v7.1)
!
! ==============================
hostname PIX
!
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
no nameif
no security-level
no ip address
!
interface Ethernet1.23
vlan 23
nameif inside
security-level 60
ip address 192.168.23.254 255.255.255.0
!
interface Ethernet1.28
vlan 28
nameif VoIP
security-level 80
ip address 192.168.28.254 255.255.255.0
!
ftp mode passive
access-list acl_ZeroNAT_inside extended permit ip 192.168.23.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list acl_ZeroNAT_inside extended permit ip 192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_ZeroNAT_VoIP extended permit ip 192.168.28.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list acl_ZeroNAT_VoIP extended permit ip 192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_interface_outside_in extended permit tcp any interface outside eq www
access-list acl_interface_outside_in extended permit tcp any interface outside eq ftp
access-list acl_interface_outside_in extended permit tcp any interface outside eq ftp-data
access-list acl_interface_inside_in extended permit ip any any
access-list acl_interface_VoIP_in extended deny ip host 255.255.255.255 any
access-list acl_interface_VoIP_in extended permit ip any any
access-list acl_interface_outside_outbound extended permit udp host 168.95.1.1 eq domain any
access-list acl_interface_outside_outbound extended permit udp host 168.95.192.1 eq domain any
access-list acl_interface_outside_outbound extended permit esp any any
access-list acl_interface_outside_outbound extended permit udp any any eq isakmp
access-list acl_interface_outside_outbound extended permit udp any eq bootps any eq bootpc
access-list acl_interface_outside_outbound extended permit icmp any any echo-reply
access-list acl_interface_outside_outbound extended permit icmp any any time-exceeded
access-list acl_interface_outside_outbound extended permit icmp any any unreachable
access-list acl_interface_outside_outbound extended deny ip 10.0.0.0 255.0.0.0 any
access-list acl_interface_outside_outbound extended deny ip 172.16.0.0 255.255.0.0 any
access-list acl_interface_outside_outbound extended deny ip 127.0.0.0 255.0.0.0 any
access-list acl_interface_outside_outbound extended deny ip host 255.255.255.255 any
access-list acl_interface_outside_outbound extended permit ip any any
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_ZeroNAT_inside
nat (inside) 1 192.168.23.0 255.255.255.0
nat (VoIP) 0 access-list acl_ZeroNAT_VoIP
nat (VoIP) 1 192.168.28.0 255.255.255.0
access-group acl_interface_outside_in in interface outside
access-group acl_interface_outside_outbound out interface outside
access-group acl_interface_inside_in in interface inside
access-group acl_interface_VoIP_in in interface VoIP
aaa authentication ssh console LOCAL
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto dynamic-map DM-VPN 1 set transform-set TS-AES
crypto dynamic-map DM-VPN 1 set reverse-route
crypto map Map-VPN 10 match address acl_VPN_L2L_CryptoMap
crypto map Map-VPN 10 set peer 180.000.000.000
crypto map Map-VPN 10 set transform-set TS-3DES
crypto map Map-VPN 20 ipsec-isakmp dynamic DM-VPN
crypto map Map-VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group 180.000.000.000 type ipsec-l2l
tunnel-group 180.000.000.000 ipsec-attributes
pre-shared-key *
management-access inside

! ==============================
!
! Router B
!
! ==============================
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.1 192.168.8.50
ip dhcp excluded-address 192.168.8.251 192.168.8.254
!
ip dhcp pool Home
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.254
   dns-server 192.168.8.254
!
!
ip name-server 168.95.1.1
ip name-server 168.95.192.1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 181.000.000.000
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 181.000.000.000
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface Ethernet0
description outside$FW_OUTSIDE$
ip address dhcp client-id Ethernet0
ip access-group 103 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
half-duplex
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0
description inside$FW_INSIDE$
ip address 192.168.8.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 11
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
ip dns server
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 11 permit 192.168.8.0 0.0.0.255
access-list 11 permit 192.168.23.0 0.0.0.255
access-list 11 permit 192.168.25.0 0.0.0.255
access-list 11 deny   any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.71
access-list 102 permit udp host 220.130.158.71 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 114.33.9.11
access-list 102 permit udp host 114.33.9.11 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.52
access-list 102 permit udp host 220.130.158.52 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.72
access-list 102 permit udp host 220.130.158.72 eq ntp host 192.168.8.254 eq ntp
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 168.95.192.1 eq domain any
access-list 103 permit udp host 168.95.1.1 eq domain any
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.71
access-list 103 permit udp host 220.130.158.71 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 114.33.9.11
access-list 103 permit udp host 114.33.9.11 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.52
access-list 103 permit udp host 220.130.158.52 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.72
access-list 103 permit udp host 220.130.158.72 eq ntp any eq ntp
access-list 103 permit ahp host 123.193.132.46 any
access-list 103 permit esp host 123.193.132.46 any
access-list 103 permit udp host 123.193.132.46 any eq isakmp
access-list 103 permit udp host 123.193.132.46 any eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.23.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 deny   ip 192.168.8.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit tcp any any eq 22
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip any any log
route-map SDM_RMAP_1 permit 1
match ip address 101

Where are these subnets?

A: 192.168.100.0

     Gateway: 192.168.100.254

     Gateway: 192.168.100.11

B: 192.168.101.0

     Gateway: 192.168.101.254

Sorry for the confusion. The following are actual subnets, please ignore 192.168.100.0 and 192.168.101.0.

A: 192.168.23.0

     Gateway: 192.168.23.254

     Gateway: 192.168.23.11

B: 192.168.8.0

     Gateway: 192.168.8.254

In site A, my laptop can ssh to router B.

In site B, my laptop can ssh to router A.

But

     Router A CANNOT access site B.

     Router B CANNOT access site A.

Thanks.

On the Router B side, the 2nd subnet is not added for VoIP.

access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255

Post the output of show crypto ipsec sa. Do you see if your tunnel is UP?

Thanks

Ajay

Thanks Ajay,

The VPN tunnel is working fine and all clients in site A are able to access site B, and vice versa.

The only problem is that Router B is not able to PING or TFTP to a server in site A (or anything in site A), and vice versa.

For example, I have a syslog server (192.168.23.100), but Router B (192.168.8.254) is not able to access this machine.

Thanks.
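The two crypto ACLs posted in this thread (acl_VPN_L2L_CryptoMap on the PIX and access-list 100 on Router B) decide which flows each end treats as interesting traffic, and the reply above points out that the Router B side lacks the VoIP subnet. The script below is an added example, not code from the thread or from Cisco: it parses both ACLs exactly as posted (ASA subnet-mask syntax on one side, IOS wildcard syntax on the other), checks that they are mirror images of each other, and evaluates a few flows against them, including the syslog flow from the last post. It assumes two things. The masked WAN address of Router B is stood in for by the documentation address 198.51.100.10. And, as a general fact about IOS rather than something the thread establishes, router-generated packets such as ping, TFTP and syslog are sourced from the egress interface address unless `logging source-interface`, `ip tftp source-interface` or the `source` option of an extended ping says otherwise; the WAN-sourced flow is included to show what the crypto ACL would see in that case.

```python
"""Crypto-ACL matching and mirror check for the two tunnel endpoints in this thread.

Added example (not the poster's or Cisco's code). The ACL text below is copied from
the configurations posted above; 198.51.100.10 is a constructed placeholder for
Router B's masked outside address (RFC 5737 documentation range).
"""
import ipaddress
from dataclasses import dataclass

# Copied from the posted PIX configuration (Router A)
PIX_A_CONFIG = """\
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0
"""
# Copied from the posted IOS configuration (Router B)
ROUTER_B_CONFIG = """\
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
"""
RTR_B_WAN_PLACEHOLDER = "198.51.100.10"   # constructed, stands in for the masked address


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens, i, wildcard):
    """Parse one ACE endpoint at tokens[i]; return (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:
        # IOS wildcard: 0 bits must match, so invert it into a subnet mask
        inv = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inv))
    return ipaddress.IPv4Network((tok, mask), strict=False), i + 2


def parse_crypto_acl(config_text, name):
    """Collect the 'ip' permit/deny ACEs of access-list `name` from a config dump.

    ASA/PIX 'extended' lines carry subnet masks; IOS numbered lines carry wildcards.
    'remark' lines are skipped; non-'ip' entries are ignored (the thread's crypto ACLs are all 'ip').
    """
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", name]:
            continue
        wildcard = "extended" not in tokens
        if not wildcard:
            tokens.remove("extended")
        if tokens[2] == "remark" or tokens[3] != "ip":
            continue
        src, i = _endpoint(tokens, 4, wildcard)
        dst, _ = _endpoint(tokens, i, wildcard)
        aces.append(Ace(tokens[2], src, dst))
    return aces


def acl_permits(aces, src_ip, dst_ip):
    """First-match evaluation; implicit deny means the flow is not interesting traffic."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def mirror_gaps(local, remote):
    """Permit ACEs of `local` whose mirror image (src<->dst) is missing from `remote`.

    Site-to-site crypto ACLs must mirror each other; a gap means one side will
    propose a proxy identity (subnet pair) that the other side will not accept.
    """
    remote_permits = {(a.src, a.dst) for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and (a.dst, a.src) not in remote_permits]


def report():
    """Evaluate the flows discussed in the thread against the relevant crypto ACL."""
    pix = parse_crypto_acl(PIX_A_CONFIG, "acl_VPN_L2L_CryptoMap")
    rtr = parse_crypto_acl(ROUTER_B_CONFIG, "100")
    flows = {
        # syslog from Router B's LAN address to the syslog server at site A (last post)
        "rtrB-lan->syslog": (rtr, "192.168.8.254", "192.168.23.100"),
        # the same datagram if the router sourced it from its outside address instead
        "rtrB-wan->syslog": (rtr, RTR_B_WAN_PLACEHOLDER, "192.168.23.100"),
        "clientA->rtrB":    (pix, "192.168.23.11", "192.168.8.254"),
        "voipA->siteB":     (pix, "192.168.28.10", "192.168.8.10"),
        "siteB->voipA":     (rtr, "192.168.8.10", "192.168.28.10"),
    }
    return {name: acl_permits(acl, s, d) for name, (acl, s, d) in flows.items()}


if __name__ == "__main__":
    pix = parse_crypto_acl(PIX_A_CONFIG, "acl_VPN_L2L_CryptoMap")
    rtr = parse_crypto_acl(ROUTER_B_CONFIG, "100")
    for gap in mirror_gaps(pix, rtr):
        print(f"PIX ACE {gap.src} -> {gap.dst} has no mirror on Router B")
    for name, ok in report().items():
        print(f"{name:18s} {'interesting' if ok else 'NOT interesting'}")
```

Run as is, the mirror check reports the VoIP pair (192.168.28.0/24 to 192.168.8.0/24) as present on the PIX but unmatched on Router B, the subnet the reply above says is missing. The syslog flow sourced from 192.168.8.254 does match access-list 100 on paper, while the same flow sourced from the outside address does not; comparing those two rows against what `show crypto ipsec sa` actually counts is the quickest way to tell whether the router's own traffic is even being offered to the crypto map.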