Cisco Support Community
New Member

Similar Configs on 2 Routers, one works, one not w/ASA

I am trying to figure out and learn why I have one functional and one non-functional tunnel between two routers. Both are 1721s, same IOS version. One is local testing, the other is remote. The problem is that I can send packets to the remote router, but get no return:

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2674, #pkts decrypt: 2674, #pkts verify: 2674

My guess is that the remote router has this one line added, whereas the local one has no similar ACL:

access-list 130 permit ip 175.10.10.0 0.0.0.31 any

I would really like to understand why this is. I am an ACL dummy of sorts. Does this one ACL for Router_P screw up the NAT?

Router_S Side:

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.224
!
access-list 1721_S extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224
!
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 1 match address 1721_S
crypto map OUTSIDE_MAP 1 set peer 175.12.10.2
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

Router_P Side:

object network obj-175.10.10.0
 subnet 175.10.10.0 255.255.255.224
!
access-list 1721_P extended permit ip 192.168.2.0 255.255.255.0 175.10.10.0 255.255.255.224
!
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-175.10.10.0 obj-175.10.10.0 no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 3 match address 1721_P
crypto map OUTSIDE_MAP 3 set peer 7x.xx.xx.192
crypto map OUTSIDE_MAP 3 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

________________________________________________________________________________________________________________

Router_S Side:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 192.168.0.3
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map CRYPTO_IPSEC 11 ipsec-isakmp
 set peer 192.168.0.3
 set transform-set IPSEC
 match address 120
!
ip nat inside source route-map NONAT interface FastEthernet0 overload
!
access-list 110 permit icmp any any
access-list 110 permit ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 130 deny   ip 192.168.1.0 0.0.0.31 192.168.2.0 0.0.0.255
!
route-map NONAT permit 10
 match ip address 130

________________________________________________________________________________________________________________

Router_P Side:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********** address 7x.xx.xx.192
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map CRYPTO_IPSEC 11 ipsec-isakmp
 set peer 7x.xx.xx.192
 set transform-set IPSEC
 match address 120
!
ip nat inside source route-map NONAT interface FastEthernet0 overload
!
access-list 90 permit any
access-list 110 permit icmp any any
access-list 110 permit ip any any
access-list 120 permit ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 130 permit ip 175.10.10.0 0.0.0.31 any
access-list 130 deny   ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255
!
route-map NONAT permit 10
 match ip address 130

2 REPLIES
Hall of Fame Super Silver

Re: Similar Configs on 2 Routers, one works, one not w/ASA

In the first set of config section you posted, the cryptomap on Router_S says match address 1721_S (192.168.2.0 to 192.168.1.0). Meanwhile the Router_P side says match address 1721_P (192.168.2.0 to 175.10.10.0). So for starters that won't work - they need to be symmetrical.

You seem to have a similar issue in the second set.

I think a diagram showing what you want to achieve would help.

New Member

Re: Similar Configs on 2 Routers, one works, one not w/ASA

Sorry, I should have explained further. This is essentially hub and spoke, with an ASA at the center and two 1721 IOS routers as spokes. One 1721 works, the other does not.

This gives me both tunnel access and internet:

access-list 110 permit ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 130 deny   ip 192.168.1.0 0.0.0.31 192.168.2.0 0.0.0.255

But on the other router....

This gives me internet access, but no tunnel access (no encaps from router to ASA):

access-list 110 permit icmp any any
access-list 110 permit ip any any
access-list 120 permit ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 130 deny   ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255

But this gives me tunnel access, just no internet:

access-list 110 permit icmp any any
access-list 110 permit ip any any
access-list 120 permit ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 130 permit ip 175.10.10.0 0.0.0.31 any
access-list 130 deny   ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255
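As an added illustration (not part of this thread and not from any of its posters): a small Python model of the two IOS rules that decide what the three ACL 130 variants above do. A numbered ACL is evaluated top-down and stops at the first matching entry (with an implicit deny at the end), and `ip nat inside source route-map NONAT` translates a packet only when the route-map's ACL 130 permits it. IOS applies inside-to-outside NAT before the crypto map is consulted, so a translated packet no longer carries its inside source and cannot match crypto ACL 120. The ACL entries are copied from the Router_P side of the thread; the packet addresses, the 203.0.113.10 "internet" destination and the third ACL 130 variant (the conventional deny-then-permit ordering) are constructed for comparison and are not from the thread.

```python
"""Model of IOS first-match ACL evaluation and NAT-before-crypto ordering.
Added example; ACL text is from the thread's Router_P config, packets are
constructed."""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly."""
    fixed = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & fixed) == (_to_int(network) & fixed)


def parse_ace(line):
    """Parse one extended ACE: 'access-list N permit|deny ip SRC WC DST WC',
    where SRC/DST may also be written as 'any' or 'host A.B.C.D'."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]

    def take(rest):
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst


def acl_lookup(acl_lines, src, dst):
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def shadowed_entries(acl_lines):
    """Indexes of entries that can never be reached because an earlier entry
    already covers every source/destination pair they could match."""
    aces = [parse_ace(line) for line in acl_lines]

    def covers(outer, inner):
        onet, owc = outer
        inet, iwc = inner
        fixed = ~_to_int(owc) & 0xFFFFFFFF
        # every bit fixed by the outer entry must be fixed to the same value in the inner one
        return (fixed & _to_int(iwc)) == 0 and (_to_int(onet) & fixed) == (_to_int(inet) & fixed)

    result = []
    for j, (_, jsrc, jdst) in enumerate(aces):
        for i in range(j):
            _, isrc, idst = aces[i]
            if covers(isrc, jsrc) and covers(idst, jdst):
                result.append(j)
                break
    return result


# Crypto ACL and the two ACL 130 variants posted for Router_P.
ACL120_P = ["access-list 120 permit ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255"]
ACL130_DENY_ONLY = ["access-list 130 deny ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255"]
ACL130_PERMIT_FIRST = ["access-list 130 permit ip 175.10.10.0 0.0.0.31 any",
                       "access-list 130 deny ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255"]
# Constructed for comparison: the conventional NAT-exemption ordering; not posted in the thread.
ACL130_DENY_FIRST = ["access-list 130 deny ip 175.10.10.0 0.0.0.31 192.168.2.0 0.0.0.255",
                     "access-list 130 permit ip 175.10.10.0 0.0.0.31 any"]


def evaluate(acl130, src, dst):
    """Decision for one inside-to-outside packet on Router_P:
    translated -> ACL 130 permitted it, so route-map NONAT matched and NAT rewrote the source;
    encrypt    -> it kept its inside source and crypto ACL 120 permits it."""
    translated = acl_lookup(acl130, src, dst) == "permit"
    encrypt = (not translated) and acl_lookup(ACL120_P, src, dst) == "permit"
    return {"translated": translated, "encrypt": encrypt}


if __name__ == "__main__":
    variants = [("deny only", ACL130_DENY_ONLY), ("permit then deny", ACL130_PERMIT_FIRST),
                ("deny then permit", ACL130_DENY_FIRST)]
    for name, acl in variants:
        for dst in ("192.168.2.10", "203.0.113.10"):   # constructed: ASA side, internet
            print(name, "175.10.10.5 ->", dst, evaluate(acl, "175.10.10.5", dst))
        print(name, "shadowed entries:", shadowed_entries(acl))
```

Run as a script it prints the decision for each variant and destination. `shadowed_entries` flags an entry that an earlier, broader entry makes unreachable; that is the check worth running on any NAT-exemption ACL before comparing it against the crypto ACL, since a `permit ... any` placed above a more specific `deny` hides the deny completely.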
