Cisco Support Community

New Member

IPSEC VPN not able to ping end point ip's

Hi,

I have a Cisco 881 router which I configured as an IPSEC VPN router, and my problem is I cannot route from the IP after the Host Tunnel Gateway. Please help; the details of my configuration are below.

Building configuration...

Current configuration : 3206 bytes
!
! Last configuration change at 05:53:23 UTC Thu Jul 30 2015
! NVRAM config last updated at 05:49:02 UTC Thu Jul 30 2015
!
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname PLDT_iGATE
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
no logging console
enable secret 5 $1$t567$n1hGZj5Vp5OLXYNYo2Qfi0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local none
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.201.3.1 10.201.3.10
ip dhcp excluded-address 10.201.3.253
ip dhcp excluded-address 10.201.3.254
!
ip dhcp pool network30dhcp
   network 10.201.3.0 255.255.255.0
   dns-server 4.2.2.2 8.8.8.8
   default-router 10.201.3.5
   lease 5
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL1542227S
!
!
username admin privilege 15 secret 5 $1$j09z$CnaFr4zLRQM4uY.FNbkpu0
!
!
!
policy-map SHAPE-20
 class class-default
    shape average 9500000 95000 0
!
!
crypto logging session
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key owteltest address 118.140.111.xx
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap local-address FastEthernet4
crypto map mymap 100 ipsec-isakmp
 description VPN between PH Office HGC and Client Office
 set peer 118.140.111.xx
 set transform-set myset
 match address 100
!
!
!
!
!
interface FastEthernet0
 description " Connected to Private Lan "
 switchport access vlan 30
 speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 210.213.64.xx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 ip address 10.201.3.5 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 shutdown
!
interface Vlan20
 ip address 10.0.2.5 255.255.255.0
!
interface Vlan30
 ip address 10.201.3.5 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 210.213.64.217
ip route 0.0.0.0 0.0.0.0 118.140.111.94
ip route 10.1.0.0 255.255.0.0 210.213.64.217
ip route 10.201.3.0 255.255.255.0 118.140.111.xx name Firewall
!
ip access-list extended VPN
!
access-list 1 permit 10.201.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 120 permit ip 10.201.3.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.201.3.0 0.0.0.255
access-list 135 deny   ip 10.1.1.0 0.0.0.255 10.201.3.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login authentication owtel123
!
scheduler max-task-time 5000
end

 

Thanks,

 

Dennis

6 REPLIES


The IPSec configuration looks ok, but it's not clear to me what the encryption domain is. That's your definition in ACL 100. Which pairs of networks do you want to protect with IPSec? The destination network should be reachable over FastEthernet4, so the traffic destined to it will be encrypted.

Please also check if you have a route to 118.140.111.94 in your routing table.

New Member


It's working now thanks for all your help

New Member


Dear Dennis,

 

How did you solve this issue, and what was the problem?

New Member


Thanks to trfinkenstadt; all the info regarding NAT and ACL resolved my issue. I followed what he wrote.

 

Thanks,

 

Dennis

New Member


I think you have a problem with NAT because all your traffic goes through NAT. You must create two ACLs and deny NAT for the VPN traffic.

New Member


You have a few issues.  One is your static routes:

ip route 0.0.0.0 0.0.0.0 210.213.64.217
ip route 0.0.0.0 0.0.0.0 118.140.111.94
ip route 10.1.0.0 255.255.0.0 210.213.64.217
ip route 10.201.3.0 255.255.255.0 118.140.111.xx name Firewall

 

118.140.111.xx addresses appear to be on the far side of the IPsec tunnel. You probably want to remove the static default route. Also, the last route for 10.201.3.0/24 matches your VLAN 30 connected subnet. It looks like it is supposed to be on the other router, given the IP address ranges provided elsewhere.

 

access-list 100 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

 

Your ACL 100 looks a little strange.  I think you need to revisit this and figure out what subnets are on either side of your IPSEC tunnel and fix these.  I imagine it should look something like this:

access-list 100 permit ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255

 

Finally, you may need to address your NAT setup.  Change it from using a standard ACL to an extended.  Something like the following:

ip access-list extended NAT-2-INTERNET
 ! extended ACL entries need the protocol keyword; exempt LAN-to-remote-office traffic from NAT
 deny ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.201.3.0 0.0.0.255 any
!
! point the overload NAT rule at the extended ACL instead of standard ACL 1
ip nat inside source list NAT-2-INTERNET interface FastEthernet4 overload

 

I guessed at the subnet in the other office from other parts of your provided configuration.

 

 

HTH,

 

tim
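The reason the NAT exemption matters is the order in which IOS handles an inside-to-outside packet: inside NAT is applied before the crypto map is consulted, so a LAN packet that the NAT ACL permits leaves with the public source address and then no longer matches the crypto ACL. The following script is an added example (not code from the thread or from Cisco) that models that ordering over the ACL lines posted above, so you can check before applying a change whether a given flow will be translated, encrypted, both or neither. The public address 203.0.113.10 stands in for the masked 210.213.64.xx, and only the `ip` protocol keyword is modelled.

```python
"""Model IOS inside-to-outside ordering: NAT first, then crypto-map match.
Added example; ACL lines are taken from the thread, addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Constructed stand-in for the router's public address (masked as 210.213.64.xx in the thread).
OUTSIDE_IP = ipaddress.IPv4Address("203.0.113.10")


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS writes 'address wildcard'; the wildcard is the inverted subnet mask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]: 'any', 'host X', 'X wildcard' or a bare host."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 >= len(tokens):          # standard-ACL shorthand: bare host address
        return ipaddress.IPv4Network(tok + "/32"), i + 1
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered ('access-list N ...') or named-extended ACL lines into entries."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip"):   # comment or 'ip access-list extended NAME' header
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]                       # drop keyword and ACL number
        action, i = tokens[0], 1
        if tokens[i] == "ip":                         # protocol keyword of an extended ACL
            i += 1
        src, i = _take_address(tokens, i)
        dst = ANY                                     # standard ACL: destination unrestricted
        if i < len(tokens):
            dst, i = _take_address(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def first_match(acl: List[AclEntry], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> Optional[AclEntry]:
    """First-match ACL evaluation; None models the implicit deny at the end."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry
    return None


def classify_flow(crypto_acl: List[AclEntry], nat_acl: List[AclEntry],
                  src: str, dst: str) -> Dict[str, bool]:
    """NAT is evaluated on the original packet; the crypto ACL sees the post-NAT source."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nat_hit = first_match(nat_acl, s, d)
    natted = nat_hit is not None and nat_hit.action == "permit"
    source_seen_by_crypto = OUTSIDE_IP if natted else s
    crypto_hit = first_match(crypto_acl, source_seen_by_crypto, d)
    encrypted = crypto_hit is not None and crypto_hit.action == "permit"
    return {"natted": natted, "encrypted": encrypted}


# ACL lines as posted in the thread (original) and as suggested in the reply (fixed).
ORIGINAL_NAT = ["access-list 1 permit 10.201.3.0 0.0.0.255"]
ORIGINAL_CRYPTO = [
    "access-list 100 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255",
    "access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]
FIXED_NAT = [
    "ip access-list extended NAT-2-INTERNET",
    " deny ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255",
    " permit ip 10.201.3.0 0.0.0.255 any",
]
FIXED_CRYPTO = ["access-list 100 permit ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255"]


def audit(nat_lines: List[str], crypto_lines: List[str]) -> Dict[str, Dict[str, bool]]:
    """Classify a constructed LAN-to-remote-office flow and a LAN-to-Internet flow."""
    nat, crypto = parse_acl(nat_lines), parse_acl(crypto_lines)
    return {
        "to-remote-office": classify_flow(crypto, nat, "10.201.3.20", "10.1.1.10"),
        "to-internet": classify_flow(crypto, nat, "10.201.3.20", "8.8.8.8"),
    }


if __name__ == "__main__":
    print("original:", audit(ORIGINAL_NAT, ORIGINAL_CRYPTO))
    print("fixed:   ", audit(FIXED_NAT, FIXED_CRYPTO))
```

Run against the posted configuration, the LAN-to-remote-office flow is translated and never encrypted, even though the original ACL 100 would have matched the untranslated packet; with the `deny` line in NAT-2-INTERNET it is left alone and matches the crypto ACL, while Internet-bound traffic is still translated and never enters the tunnel.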
