Re: Cisco 1801 VPN problem - Cisco Community

607

Views

0

Helpful

6

Replies

Hi to all...

I've done a site to site vpn, but i have some strange problems.

On one side (main office) i have a windows server router that act as

default gateway for the clients, on this i have placed a route to the

local cisco vpn gateway, with network destination the network of the

brach office, and gateway the local cisco.

On the other side (branch office) the cisco is the default gateway for

internet and vpn.

The vpn tunnel is up, the clients of the branch office pings the

clients on the main office, and also the windows server. And vice

versa. But clients on both sites can connect the router on the other side.

But a traceroute show a missing hop, and services like terminal server

doesn't work, they establish the connetcion, but the screen remain

void.

Also the 2 cisco routers doesn't ping each other, and the router on

the main office doesn't ping nothing on the other side, and vice

versa...

How to throublesoot this?

Thanks to all...

6 Replies 6

Can you post the config of two routers?

Branch office...

CUT...

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

CUT...

!

no aaa new-model

!

resource policy

!

clock timezone xxx 1

clock summer-time xxx date Mar 30 2003 2:00 Oct 26 2003 3:00

clock calendar-valid

no ip source-route

!

!

ip cef

no ip dhcp use vrf connected

!

ip dhcp pool Magazzino

import all

network 192.168.201.0 255.255.255.0

dns-server 192.168.201.200

netbios-name-server 192.168.200.1

default-router 192.168.201.220

!

CUT...

!

ip tcp synwait-time 10

no ip bootp server

ip domain name ruscallarenato.it

ip name-server 151.99.125.2

ip name-server 151.99.0.100

ip name-server 192.168.200.1

ip ssh time-out 60

ip ssh authentication-retries 2

CUT...

!

!

CUT...

username xxx privilege 15 secret 5 xxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address yy.yy.yy.yy

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to yy.yy.yy.yy

set peer yy.yy.yy.yy

set transform-set ESP-3DES-SHA

match address 100

!

bridge irb

!

!

!

interface FastEthernet0

CUT...

shutdown

CUT..

!

interface BRI0

CUT...

shutdown

!

interface Dot11Radio0

CUT...

!

interface Dot11Radio1

CUT...

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode itu-dmt

!

interface ATM0.1 point-to-point

ip address xx.xx.xx.xx 255.255.255.224

ip access-group 101 in

ip nat outside

ip virtual-reassembly

no snmp trap link-status

pvc 8/35

encapsulation aal5snap

!

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

no ip address

ip tcp adjust-mss 1452

bridge-group 1

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.201.200 255.255.255.0

ip access-group 110 in

ip nat inside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 ATM0.1

!

ip dns server

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload

!

logging trap debugging

access-list 100 remark SDM_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0

0.0.0.255

access-list 101 MAXICUT...

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip any any

access-list 103 remark Auto generated by SDM Management Access feature

access-list 103 remark SDM_ACL Category=1

access-list 103 permit ip any any

access-list 105 remark SDM_ACL Category=2

access-list 105 remark IPSec Rule

access-list 105 deny ip 192.168.201.0 0.0.0.255 192.168.200.0

0.0.0.255

access-list 105 permit ip 192.168.201.0 0.0.0.255 any

no cdp run

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 105

!

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

CUT...

!

scheduler allocate 4000 1000

scheduler interval 500

ntp clock-period 17180045

ntp master

ntp update-calendar

ntp server 193.204.114.232 prefer

ntp server 193.204.114.233

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Main office...

CUT...

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

CUT...

!

no aaa new-model

!

resource policy

!

clock timezone xxx 1

clock summer-time xxx date Mar 30 2003 2:00 Oct 26 2003 3:00

no ip source-route

!

!

ip cef

!

!

ip tcp synwait-time 10

no ip bootp server

ip domain name ruscallarenato.it

ip name-server 151.99.125.2

ip name-server 151.99.0.100

ip ssh time-out 60

ip ssh authentication-retries 2

!

CUT...

!

!

CUT...

username xxx privilege 15 secret 5 xxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address yy.yy.yy.yy

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to yy.yy.yy.yy

set peer yy.yy.yy.yy

set transform-set ESP-3DES-SHA

match address 100

!

bridge irb

!

!

!

interface FastEthernet0

description Interna$ETH-LAN$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

bridge-group 2

!

interface BRI0

CUT...

shutdown

!

CUT...

!

interface Dot11Radio0

CUT...

!

interface Dot11Radio1

CUT...

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description ADSL PPP

ip address xx.xx.xx.xx 255.255.255.240

ip access-group 101 in

ip nat outside

ip virtual-reassembly

no snmp trap link-status

pvc 8/35

encapsulation aal5snap

!

crypto map SDM_CMAP_1

!

interface Vlan1

description Interna$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$

no ip address

ip tcp adjust-mss 1452

bridge-group 1

!

interface BVI1

description Lan Esterna$FW_OUTSIDE$$ES_LAN$

ip address 10.0.0.2 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface BVI2

description Lan interna$FW_INSIDE$$ES_LAN$

ip address 192.168.200.200 255.255.255.0

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 ATM0.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload

ip nat inside source static udp 10.0.0.10 4672 interface ATM0.1 4672

ip nat inside source static tcp 10.0.0.10 4662 interface ATM0.1 4662

ip nat inside source static tcp 10.0.0.1 3389 interface ATM0.1 3389

!

logging trap debugging

access-list 100 remark SDM_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255

access-list 101 MAXICUT...

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip any any

access-list 103 remark Auto generated by SDM Management Access feature

access-list 103 remark SDM_ACL Category=1

access-list 103 permit ip any any

access-list 105 remark SDM_ACL Category=2

access-list 105 remark IPSec Rule

access-list 105 deny ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255

access-list 105 permit ip 10.0.0.0 0.0.0.255 any

no cdp run

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 105

!

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

bridge 2 protocol ieee

bridge 2 route ip

CUT...

!

scheduler allocate 4000 1000

scheduler interval 500

ntp clock-period 17180070

ntp update-calendar

ntp server 193.204.114.232 prefer

ntp server 193.204.114.233

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Really thanks for the help!!!

Noone can help me?

was mtu size missing...

Review Cisco Networking products for a $25 gift card