Site to Site VPN tunnel working one way only

I have a Cisco 1841 as gateway to the internet and I'm trying to establish a site-to-site VPN tunnel to a remote small office which has a Cisco WRV210 on the other end.

The tunnel works OK from the WRV210 to the 1841 network but not the other way; 1841 config and show version below.

Building configuration...
[OK]

UIS_Buceo#sh runn
Building configuration...

Current configuration : 4046 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UIS_Buceo
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp conflict logging
!
!
no ip ftp passive
no ip domain lookup
ip domain name cisco.com
!
!
crypto pki trustpoint TP-self-signed-3303056522
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3303056522
 revocation-check none
 rsakeypair TP-self-signed-3303056522
!
!
crypto pki certificate chain TP-self-signed-3303056522
 certificate self-signed 01
  xxx
  quit
username xxx privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 201.217.137.106
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to201.217.137.106
 set peer 201.217.137.106
 set transform-set VPN
 match address 100
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 190.64.68.181 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 ip address 10.66.98.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.66.98.0 0.0.0.255 10.36.33.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.66.98.0 0.0.0.255 10.36.33.0 0.0.0.255
access-list 101 permit ip 10.66.98.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
control-plane
!
!
line con 0
 password 7 xxx
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 xxx
 logging synchronous
 transport input telnet ssh
line vty 5 807
 password 7 xxx
!
scheduler allocate 20000 1000
end

UIS_Buceo#sh version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 23-Mar-07 16:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

UIS_Buceo uptime is 5 days, 1 hour, 7 minutes
System returned to ROM by reload at 18:46:52 UTC Fri Jan 10 2014
System image file is "flash:c1841-advsecurityk9-mz.124-9.T3.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 6.0) with 176128K/20480K bytes of memory.
Processor board ID xxx
6 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62976K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

That's the config and show version of the router. The WRV210 is web managed so there is no config from that side, but it's working from the network attached to the WRV210 so I don't think there is a problem there.

Thanks in advance for your help.

Someone suggested it has something to do with NAT, but there is a deny rule in the NAT access list for the tunnel traffic so it shouldn't be a problem there.
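As an added check (example code written for this page, not from the post or from Cisco): a small Python script that reads the crypto-map ACL and the NAT route-map ACL out of an IOS config and reports any tunnel flow that the route-map would still translate before encryption, which is exactly the NAT condition the last paragraph rules out. The config excerpt is constructed from the lines in the post, and the ACE parser only understands the `access-list N permit|deny ip SRC DST` form used there (`any` or address plus wildcard).

```python
import ipaddress
import re

# Constructed excerpt of the relevant lines from the 1841 running-config in the post.
CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
access-list 100 permit ip 10.66.98.0 0.0.0.255 10.36.33.0 0.0.0.255
access-list 101 deny   ip 10.66.98.0 0.0.0.255 10.36.33.0 0.0.0.255
access-list 101 permit ip 10.66.98.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

# Extended 'ip' ACEs only; remark lines and other protocols are ignored.
ACE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+(any|\S+ \S+)\s+(any|\S+ \S+)", re.M)

def _net(spec):
    """Turn an IOS address spec ('any' or 'ADDR WILDCARD') into an IPv4Network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config):
    """Map ACL number -> ordered list of (action, src_net, dst_net)."""
    acls = {}
    for num, action, src, dst in ACE.findall(config):
        acls.setdefault(num, []).append((action, _net(src), _net(dst)))
    return acls

def _exempt(src, dst, nat_aces):
    """First ACE overlapping the flow decides; safe only if it is a deny covering the whole flow."""
    for action, nsrc, ndst in nat_aces:
        if src.overlaps(nsrc) and dst.overlaps(ndst):
            return action == "deny" and src.subnet_of(nsrc) and dst.subnet_of(ndst)
    return True  # no ACE matches: the route-map never fires, so nothing is translated

def nat_exemption_gaps(config):
    """Return crypto-ACL flows that the NAT route-map ACL would still translate before encryption."""
    acls = parse_acls(config)
    crypto_acl = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    nat_acl = re.search(r"^\s*match ip address (\d+)", config, re.M).group(1)
    return [(src, dst) for action, src, dst in acls.get(crypto_acl, [])
            if action == "permit" and not _exempt(src, dst, acls.get(nat_acl, []))]

if __name__ == "__main__":
    print("NAT-exemption gaps:", nat_exemption_gaps(CONFIG) or "none")
```

For the config as posted the result is empty, so the 1841's NAT exemption is consistent with its crypto ACL; the same check cannot be run on the WRV210 side from this post, and a one-way tunnel also needs the remote peer's interesting-traffic definition to mirror ACL 100.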
