03-09-2007 01:41 AM - edited 03-03-2019 04:06 PM
Hi to all...
I've set up a site-to-site VPN, but I have some strange problems.
On one side (main office) I have a Windows server router that acts as default gateway for the clients; on it I have placed a route to the local Cisco VPN gateway, with the branch office network as the destination and the local Cisco as the gateway.
On the other side (branch office) the Cisco is the default gateway for Internet and VPN.
The VPN tunnel is up: the clients of the branch office ping the clients on the main office, and also the Windows server, and vice versa. But clients on both sites can connect to the router on the other side.
But a traceroute shows a missing hop, and services like Terminal Server don't work: they establish the connection, but the screen remains empty.
Also the two Cisco routers don't ping each other, and the router on the main office doesn't ping anything on the other side, and vice versa...
How to troubleshoot this?
Thanks to all...
03-09-2007 07:01 AM
Can you post the configs of the two routers?
03-09-2007 07:22 AM
Branch office...
CUT...
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
CUT...
!
no aaa new-model
!
resource policy
!
clock timezone xxx 1
clock summer-time xxx date Mar 30 2003 2:00 Oct 26 2003 3:00
clock calendar-valid
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Magazzino
import all
network 192.168.201.0 255.255.255.0
dns-server 192.168.201.200
netbios-name-server 192.168.200.1
default-router 192.168.201.220
!
CUT...
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ruscallarenato.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip name-server 192.168.200.1
ip ssh time-out 60
ip ssh authentication-retries 2
CUT...
!
!
CUT...
username xxx privilege 15 secret 5 xxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address yy.yy.yy.yy
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to yy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA
match address 100
!
bridge irb
!
!
!
interface FastEthernet0
CUT...
shutdown
CUT..
!
interface BRI0
CUT...
shutdown
!
interface Dot11Radio0
CUT...
!
interface Dot11Radio1
CUT...
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
ip address xx.xx.xx.xx 255.255.255.224
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.201.200 255.255.255.0
ip access-group 110 in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 MAXICUT...
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.201.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
CUT...
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180045
ntp master
ntp update-calendar
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
03-09-2007 07:28 AM
Main office...
CUT...
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
CUT...
!
no aaa new-model
!
resource policy
!
clock timezone xxx 1
clock summer-time xxx date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ruscallarenato.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip ssh time-out 60
ip ssh authentication-retries 2
!
CUT...
!
!
CUT...
username xxx privilege 15 secret 5 xxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address yy.yy.yy.yy
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to yy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA
match address 100
!
bridge irb
!
!
!
interface FastEthernet0
description Interna$ETH-LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
bridge-group 2
!
interface BRI0
CUT...
shutdown
!
CUT...
!
interface Dot11Radio0
CUT...
!
interface Dot11Radio1
CUT...
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ADSL PPP
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface Vlan1
description Interna$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description Lan Esterna$FW_OUTSIDE$$ES_LAN$
ip address 10.0.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI2
description Lan interna$FW_INSIDE$$ES_LAN$
ip address 192.168.200.200 255.255.255.0
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source static udp 10.0.0.10 4672 interface ATM0.1 4672
ip nat inside source static tcp 10.0.0.10 4662 interface ATM0.1 4662
ip nat inside source static tcp 10.0.0.1 3389 interface ATM0.1 3389
!
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 101 MAXICUT...
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
CUT...
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180070
ntp update-calendar
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
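Added example (not code from the thread): a small checker for the two posted configs. It parses the `crypto map ... match address` ACL and the NAT route-map ACL on each side, verifies that the crypto ACLs are mirror images of each other (otherwise the peers disagree on what the tunnel should carry), and verifies that the NAT ACL denies the VPN traffic before any permit, since traffic that gets NATed to the public address no longer matches the crypto ACL and leaves the uplink unencrypted. The config fragments are copied from the two configs above, reduced to the lines the check needs; `BAD_MAIN_CFG` is a constructed broken variant.

```python
"""Check two IOS site-to-site IPsec configs: crypto ACLs must mirror each
other and the NAT route-map ACL must exempt (deny) the VPN traffic.
Added example, not from the thread; fragments copied from the posted configs."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]  # (action, source, destination)

BRANCH_CFG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.201.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 105
"""
MAIN_CFG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 105 deny ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 105
"""
# Constructed broken variant: typo in the crypto ACL and no NAT exemption.
BAD_MAIN_CFG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 105 permit ip 192.168.200.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 105
"""


def wildcard_net(addr: str, wildcard: str) -> Net:
    """IOS 'address wildcard' -> network; the wildcard is an inverted mask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def take_addr(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]


class Config:
    """The parts of an IOS config this check needs (numbered 'ip' ACEs only)."""

    def __init__(self, text: str) -> None:
        self.acls: Dict[int, List[Ace]] = {}
        self.crypto_acl: Optional[int] = None
        self.nat_acl: Optional[int] = None
        ctx: Optional[Tuple[str, str]] = None  # current crypto-map / route-map block
        nat_rmap, rmap_acls = None, {}
        for raw in text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
                src, rest = take_addr(t[4:])
                dst, _ = take_addr(rest)
                self.acls.setdefault(int(t[1]), []).append((t[2], src, dst))
            elif t[0] == "match" and ctx:
                if ctx[0] == "cmap" and t[1] == "address":
                    self.crypto_acl = int(t[2])
                elif ctx[0] == "rmap" and t[1:3] == ["ip", "address"]:
                    rmap_acls[ctx[1]] = int(t[3])
            else:
                ctx = None
                if t[:2] == ["crypto", "map"]:
                    ctx = ("cmap", t[2])
                elif t[0] == "route-map":
                    ctx = ("rmap", t[1])
                elif t[:4] == ["ip", "nat", "inside", "source"] and "route-map" in t:
                    nat_rmap = t[t.index("route-map") + 1]
        if nat_rmap is not None:
            self.nat_acl = rmap_acls.get(nat_rmap)

    def vpn_traffic(self) -> set:
        """(src, dst) pairs the crypto map will encrypt."""
        return {(s, d) for act, s, d in self.acls.get(self.crypto_acl, []) if act == "permit"}

    def nat_action(self, src: Net, dst: Net) -> str:
        """First matching NAT-ACL action for a flow; IOS ACLs end in an implicit deny."""
        for act, s, d in self.acls.get(self.nat_acl, []):
            if src.subnet_of(s) and dst.subnet_of(d):
                return act
        return "deny"


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    a, b = Config(cfg_a), Config(cfg_b)
    findings = []
    if a.vpn_traffic() != {(d, s) for s, d in b.vpn_traffic()}:
        findings.append("crypto ACLs are not mirror images of each other")
    for name, cfg in (("A", a), ("B", b)):
        for src, dst in cfg.vpn_traffic():
            if cfg.nat_action(src, dst) == "permit":
                findings.append(f"{name}: {src} -> {dst} would be NATed and bypass the tunnel")
    return findings


if __name__ == "__main__":
    print("posted configs:", check_pair(BRANCH_CFG, MAIN_CFG) or "OK")
    print("broken variant:", check_pair(BRANCH_CFG, BAD_MAIN_CFG))
```

On the two configs as posted the checker reports nothing: ACL 100 is a mirror image on both sides and ACL 105 denies the 192.168.200.0/24 to 192.168.201.0/24 traffic before the overload permit. The broken variant trips both findings.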
03-09-2007 07:29 AM
Thanks a lot for the help!!!
03-12-2007 12:54 AM
No one can help me?
03-12-2007 05:01 AM
The MTU size was missing...
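Added example (not from the thread) illustrating the MTU issue the poster resolved: the symptoms described at the top (pings work, traceroute loses a hop, a Terminal Server session connects but never draws) are what full-size packets that no longer fit through the tunnel look like. The code models the `esp-3des esp-sha-hmac` transform set the configs use (tunnel mode: outer IPv4 header, SPI and sequence number, 8-byte IV, padding to the 8-byte 3DES block, 2-byte trailer, 12-byte SHA-1-96 ICV) and computes the largest clear-text packet that still fits, hence the TCP MSS to clamp to. It assumes a 1500-byte path MTU between the uplinks, which the page does not state, and also covers an AES-SHA transform set as a generalization.

```python
"""ESP tunnel-mode overhead and TCP MSS clamp calculator.  Added example,
not from the thread; assumes a 1500-byte path MTU (not stated on the page)."""
from dataclasses import dataclass

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
IP_TCP_HDRS = 40   # IPv4 (20) + TCP (20) without options, for MSS maths


@dataclass(frozen=True)
class EspParams:
    name: str
    block: int   # cipher block size; payload + trailer is padded to a multiple of it
    iv: int      # IV bytes carried in the packet
    icv: int     # integrity check value bytes


ESP_3DES_SHA = EspParams("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)   # the page's transform set
ESP_AES_SHA = EspParams("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)   # added for comparison


def esp_tunnel_size(clear_len: int, p: EspParams = ESP_3DES_SHA) -> int:
    """Bytes on the wire for a clear-text IP packet of clear_len bytes after ESP tunnel encapsulation."""
    pad = (p.block - (clear_len + ESP_TRAILER) % p.block) % p.block
    return OUTER_IP + ESP_HDR + p.iv + clear_len + pad + ESP_TRAILER + p.icv


def max_clear_len(link_mtu: int = 1500, p: EspParams = ESP_3DES_SHA) -> int:
    """Largest clear-text packet whose encrypted form still fits in link_mtu without fragmenting."""
    for n in range(link_mtu, 0, -1):
        if esp_tunnel_size(n, p) <= link_mtu:
            return n
    return 0


def tcp_mss_for(link_mtu: int = 1500, p: EspParams = ESP_3DES_SHA) -> int:
    """TCP MSS to advertise (ip tcp adjust-mss) so full segments cross the tunnel unfragmented."""
    return max_clear_len(link_mtu, p) - IP_TCP_HDRS


def mss_fits(mss: int, link_mtu: int = 1500, p: EspParams = ESP_3DES_SHA) -> bool:
    """Would a full-size segment negotiated with this MSS fit through the tunnel in one piece?"""
    return esp_tunnel_size(mss + IP_TCP_HDRS, p) <= link_mtu


if __name__ == "__main__":
    for params in (ESP_3DES_SHA, ESP_AES_SHA):
        print(f"{params.name}: max clear packet {max_clear_len(1500, params)}, "
              f"recommended MSS {tcp_mss_for(1500, params)}")
    # 1452 is the adjust-mss value that appears in the posted configs.
    print("adjust-mss 1452 fits a 1500-byte path:", mss_fits(1452))
```

With a 1500-byte path, 3DES-SHA tunnel mode leaves room for a 1446-byte clear-text packet, so the MSS clamp should be no higher than 1406; a 1452-byte MSS (a 1492-byte packet, 1544 bytes once encapsulated) is only safe where the link itself allows larger frames. Small packets such as pings are unaffected, which is why ICMP reachability tests alone do not reveal the problem.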