Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
267
Views
0
Helpful
3
Replies

VPN not working between Two Router

sjenkinsLNS
Level 1
Level 1

‎09-16-2014 02:25 PM - edited ‎03-04-2019 11:46 PM

Another tech and myself have been trying for several days to get a VPN working between our homes and our shop. We are both fairly new to VPN(ing) on Cisco and are unsure what we are forgetting to configure. The following is my config from my home router, which mirrors the config for the shop, except with a dialer interface for my ATM DSL module (and with the appropriate IP's swapped). Any help would be greatly appreciated.

 

Current configuration : 2411 bytes
!
! Last configuration change at 21:12:34 UTC Tue Sep 16 2014 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2811
!
boot-start-marker
boot system flash c2800avdsecurity.bin
boot system flash c2800nm-advipservicesk9-mz.151-3.T4.bin
boot-end-marker
!
!
enable password 404-NoPasswordFound
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn BL4NK
username admin privilege 15 secret 5 404-NoPasswordFound
!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret-key address [PeerExternal-IP]
!
!
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
!
crypto map CryptoMap 1 ipsec-isakmp
 set peer [PeerExternal-IP]
 set transform-set VPNSet
 match address 101
!
!
!
!
!
bba-group pppoe global
!
!
interface FastEthernet0/0
 ip address 10.40.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/1/0
 mtu 1492
 no ip address
 ip tcp adjust-mss 1452
 no atm ilmi-keepalive
 hold-queue 224 in
!
interface ATM0/1/0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username username@isp.net password 0 404-NoPasswordFound
 crypto map CryptoMap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging esm config
access-list 1 permit 10.40.0.0 0.0.0.255
access-list 101 permit ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0
 login local
 transport input telnet ssh
line vty 1 4
 password 404-NoPasswordFound
 login local
 transport input telnet ssh
line vty 5
 password 404-NoPasswordFound
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Labels:
0 Helpful
3 Replies 3

David Johan Castro Fernandez
Level 3
Level 3

‎10-21-2014 11:26 AM

hello,

 

I just see the configuration, and I noticed that you are missing a NAT 0 statement on the router. 

To accomplish on sending traffic across and receive it from this router perspective you will need to do the following:

 

access-list 111 deny   ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 111 permit ip 10.40.0.0 0.0.0.255 any 

 

route-map nonat permit 11 
  match ip address 111 

 

ip nat inside source route-map nonat interface Dialer0 overload

 

With these you are avoiding the router to translate the inside hosts when going to --> 10.14.0.0  /16.

 

Also make sure the other side of the tunnel meet with these, so you won't run into conflicts.

 

Let me know how it works out.

 

Please don't forget to rate.

 

Best Regards,

 

David Castro,

0 Helpful

John Blakley
VIP Alumni
VIP Alumni

‎10-22-2014 11:19 AM

Much like what David said, you shouldn't nat over the tunnel. On both ends, you'll want to deny natting but it can also be done without a route-map:

access-list 111 deny   ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 111 permit ip 10.40.0.0 0.0.0.255 any 

ip nat inside source list 111 interface dialer0 overload

 

The other side would have:

 

access-list 111 deny   ip 10.14.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 111 permit ip 10.14.0.0 0.0.0.255 any 

 

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

houtan haddadlarijani
Level 1
Level 1

‎10-22-2014 03:26 PM

Hi,

 

It looks you forgot to define crypto map local-address, I think the solution is:

 

(config)#crypto map CryptoMap 1 local-address Dialer0

 

HTH 

 

Houtan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card