02-24-2012 04:29 AM
Hi all,
I am trying to set up my office network to be able to connect to one of my customer's HQs via site-to-site VPN. I am using a Cisco 1841 router to do the job.
The problem that I am facing now is not being able to connect the other PCs in my office to the remote site.
Any help or advice is much appreciated... Thank You.
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.x.x.x 175.x.x.x QM_IDLE 1001 ACTIVE
show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 175.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
current_peer 202.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 175.x.x.x, remote crypto endpt.: 202.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 202.75.63.200 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 175.143.66.121, remote crypto endpt.: 202.75.63.200
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x9359991(154507665)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x4B57E039(1264050233)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4414774/20607)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9359991(154507665)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4414774/20607)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Ping test from the router seems OK....
Router#ping ip 10.241.1.163 source 192.168.0.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.1.163, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.241
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms
My Router Configuration
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key password address 202.x.x.x
!
!
crypto ipsec transform-set MAS_IPSEC esp-3des esp-sha-hmac
!
crypto map CMAP 2 ipsec-isakmp
set peer 202.x.x.x
set security-association lifetime seconds 28800
set transform-set MAS_IPSEC
set pfs group2
match address 100
!
!
!
!
!
!
interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.x.x.x 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/0.1
encapsulation dot1Q 500
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description *** LAN interface ***
ip address 192.x.x.x 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 7 login_password
ppp pap sent-username username password 7 login_password
!
ip default-gateway 192.x.x.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list extended DSL_ACCESSLIST
permit ip 196.x.x.x 0.0.0.15 any
permit ip 192.168.0.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
!
access-list 100 permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.240 0.0.0.15
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPsec rule
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map nonat permit 10
match ip address 110
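The two "show crypto ipsec sa" blocks above tell different stories: the first SA pair (local 10.0.0.0/8, remote 192.168.0.240/28) has no SPI and zero counters, while the second has matching encaps/decaps counts and one send error. The script below is an added example, not code from the thread or from Cisco; it parses a trimmed copy of that output (the masked x.x.x octets are kept as posted) and flags each SA block whose counters indicate a missing or one-directional tunnel. The "findings" wording and the block layout it assumes are my own.

```python
import re

# Trimmed excerpt of the "show crypto ipsec sa" output posted in the thread.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 175.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
current_peer 202.x.x.x port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 202.x.x.x port 500
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#send errors 1, #recv errors 0
current outbound spi: 0x9359991(154507665)
"""

IDENT_RE = r"{} ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"


def parse_ipsec_sa(text):
    """Split the output into one dict per 'local ident' block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(IDENT_RE.format("local"), line)
        if m:                       # a new local/remote ident pair starts here
            cur = {"local": f"{m.group(1)}/{m.group(2)}"}
            blocks.append(cur)
            continue
        if cur is None:             # header lines before the first block
            continue
        m = re.match(IDENT_RE.format("remote"), line)
        if m:
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        m = re.match(r"#pkts encaps: (\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.match(r"#pkts decaps: (\d+)", line)
        if m:
            cur["decaps"] = int(m.group(1))
        m = re.match(r"#send errors (\d+), #recv errors (\d+)", line)
        if m:
            cur["send_errors"] = int(m.group(1))
            cur["recv_errors"] = int(m.group(2))
        m = re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line)
        if m:
            cur["outbound_spi"] = m.group(1)
    return blocks


def assess(block):
    """Return a list of human-readable findings for one SA block."""
    findings = []
    if block.get("outbound_spi", "0x0") == "0x0":
        findings.append("no outbound SA negotiated")
    enc, dec = block.get("encaps", 0), block.get("decaps", 0)
    if enc == 0 and dec == 0:
        findings.append("no traffic in either direction")
    elif enc == 0:
        findings.append("receiving only: nothing is being encrypted toward the peer")
    elif dec == 0:
        findings.append("sending only: nothing is coming back from the peer")
    if block.get("send_errors", 0):
        findings.append(f"{block['send_errors']} send error(s)")
    return findings


def summarize(text):
    """Map 'local -> remote' to its findings for every SA block in the output."""
    return {f"{b['local']} -> {b['remote']}": assess(b) for b in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for pair, findings in summarize(SAMPLE_OUTPUT).items():
        print(pair, "|", "; ".join(findings) or "healthy")
```

Run against the posted output it reports the reversed 10/8 to 192.168.0.240/28 pair as having no outbound SA and no traffic, and the real pair as healthy apart from the single send error; the same counters, re-read after a ping from a PC rather than from the router, show whether the PC's packets ever reach the crypto map.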
02-24-2012 11:46 AM
A couple of things I would try:
1) access-list 100 does not need the 10 to 192.168 line:
no access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.240 0.0.0.15
2) Add a specific route to the 10.x network, so remove the 10.x route:
no ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
put in
ip route 10.0.0.0 255.0.0.0 175.143.66.XXX (where XXX is the last octet of your next hop)
3) If that doesn't work, try putting 'ip nat outside' on fastethernet 0/0 and put
access-list 110 deny ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
Though you really shouldn't need the access-list line given the implicit deny at the bottom of the ACL.
If you are using PPPoE/dialer, this may not work, so come back and let us know.
--Jason
02-25-2012 01:16 AM
Hi Jason,
Thanks for the reply, but without any success.
The last remark is correct. I am using a PPPoE dialer to connect to my internet service provider.
After doing the changes as you advised, the ping from my router to the 10.x network fails, whereas with my previous configuration I am still able to ping the 10.x network from the router.
Thanks....
Still have no clue why the tunnel is up but not able to accept traffic from the PC.....
02-25-2012 10:34 AM
hello - try the following change to your NAT ACL
hth
andy
ip access-list extended DSL_ACCESSLIST
deny ip 196.x.x.x 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 196.x.x.x 0.0.0.15 any
permit ip 192.168.0.0 0.0.0.255 any
02-26-2012 04:53 PM
Hi Andrewswanson,
Thanks for the advice. But after making the change you advised, the result is still the same.
02-25-2012 04:36 PM
Hi there
Please recompile your ACL 110 as shown below, yes on ACL 110
deny ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
You do not need this line below on ACL 110: access-list 110 permit ip 10.0.0.0 0.255.255.255 any
Lastly, please add a static route on your router as shown below..
ip route 10.0.0.0 255.255.255.0 172.143.66.122
You also need "ip nat outside" on the interface.
interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.x.x.x 255.255.255.252
duplex auto
speed auto
ip nat outside
crypto map CMAP
Please let me know how that is coming along.
Thanks
Rizwan Rafeek.
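Andy's and Rizwan's suggestions both come down to one rule: on IOS, inside-to-outside NAT is applied before the crypto map inspects the packet, so any flow the crypto ACL should encrypt must be denied (exempted) in the NAT ACL, or it leaves with a translated source address that no longer matches the crypto ACL. The script below is an added example, not code from the thread or from Cisco; it evaluates Cisco wildcard-mask ACLs the way IOS does (first match, implicit deny) and reports flows that the crypto ACL permits but the NAT ACL would also translate. The ACL contents are taken from the thread (the masked 196.x.x.x line is omitted); the flow list and the 203.0.113.10 internet destination are constructed.

```python
import ipaddress

# ACL 100 as posted in the first configuration (crypto-map "match address").
CRYPTO_ACL_100 = [
    "permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255",
]
# DSL_ACCESSLIST from the first post, masked 196.x.x.x line omitted.
NAT_ACL_BEFORE = [
    "permit ip 192.168.0.0 0.0.0.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
]
# DSL_ACCESSLIST from the later configuration, with the VPN exemption first.
NAT_ACL_AFTER = [
    "deny ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255",
    "permit ip 192.168.0.240 0.0.0.15 any",
]
# Constructed flows: the ping target from the thread and a documentation address.
FLOWS = [
    ("192.168.0.241", "10.241.1.163"),
    ("192.168.0.241", "203.0.113.10"),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are modelled here: {line}")

    def take(parts):
        if parts[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), parts[1:]
        if parts[0] == "host":
            return (parts[1], "0.0.0.0"), parts[2:]
        return (parts[0], parts[1]), parts[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst


def acl_action(acl_lines, src, dst):
    """First-match evaluation, with the implicit deny at the bottom of every ACL."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def nat_crypto_conflicts(nat_acl, crypto_acl, flows):
    """Flows the crypto ACL wants to encrypt but the NAT ACL would translate first."""
    return [
        (s, d) for s, d in flows
        if acl_action(crypto_acl, s, d) == "permit"
        and acl_action(nat_acl, s, d) == "permit"
    ]


if __name__ == "__main__":
    for name, acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        print(name, "->", nat_crypto_conflicts(acl, CRYPTO_ACL_100, FLOWS) or "no conflicts")
```

With the original NAT ACL the 192.168.0.241 to 10.241.1.163 flow is both crypto-interesting and NAT-eligible, which is the conflict the replies address; with the revised ACL it is exempted while ordinary internet traffic is still translated. The check only describes the NAT-versus-crypto ordering; it says nothing about which interface the route actually sends the packet out of, which the thread also has to settle.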
02-26-2012 05:29 PM
Hi Rizwan,
I did the changes that you suggested, but still no success.
When I try to update the line ip route 10.0.0.0 255.255.255.0 175.143.66.121... it shows it is an invalid route. Therefore I have to set it back to FE 0/0.
Thanks
Further troubleshooting on the problem: I suspect it is due to a routing issue, where the traffic is not going into the tunnel. Can anyone help me to verify?
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key VPN_Password address 202.75.63.200
!
crypto ipsec transform-set MAS_IPSEC esp-3des esp-sha-hmac
!
crypto map CMAP 2 ipsec-isakmp
set peer 202.75.63.200
set security-association lifetime seconds 28800
set transform-set MAS_IPSEC
set pfs group2
match address IPSEC_MAS
!
interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.143.66.121 255.255.255.252
ip nat enable
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/0.1
encapsulation dot1Q 500
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description *** LAN interface ***
ip address 192.168.0.241 255.255.255.240
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ISP_Username
ppp chap password ISP_Password
ppp pap sent-username ISP_Username password ISP_Password
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 175.143.66.122
ip http server
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
ip access-list extended DSL_ACCESSLIST
deny ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 192.168.0.240 0.0.0.15 any
ip access-list extended IPSEC_MAS
permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
!
dialer-list 1 protocol ip permit
Help ........ :'(
02-28-2012 09:09 PM
Hi there,
Can you please add "reverse-route" under "CMAP 2"
crypto map CMAP 2 ipsec-isakmp
reverse-route
static route looks good, I see no problem, the tunnel should come up.
ip route 10.0.0.0 255.0.0.0 175.143.66.122
ping ip 10.241.1.163 source 192.168.0.241
and if it does not help.
Please enable debug isakmp and ipsec while sending a ping, please post the debug output.
thanks
Looking forward to hearing from you.
03-06-2012 08:00 PM
Hi Rizwanr,
Thanks for the suggestion. Tested, still not working.
03-06-2012 08:09 PM
Please post your current config just as an attachment, please post a debug output as well.
Looking forward to hearing from you.