01.21.2004 at 01:37PM PST, ID: 20858361
Cisco 1720s, VPN doesn't work anymore after setting up NAT pool and CEF

Asked by nwru in Network Routers

First, I apologize for the long question post.  I want to make sure I include all relevant info.

I have a Cisco 1720 here at HQ, running IOS 12.1(21), and it has two T1s on Serial0 and Serial1 and the inside network on FastEthernet0.  NAT is set up between FastEthernet0 and Serial0 for Internet.  I also have a Cisco 1720 in the branch office, also running 12.2(21), which has one T1 on Serial0 and the inside network on FastEthernet0.  NAT is set up the same way.  VPN between the two offices using crypto commands.  There are no VPN modules in the routers themselves.  The "LAN addresses" I was given here by my ISP to use for the NAT pool are 167.x.x.201-206.

What I desire is to "bond" both T1s here at HQ to achieve a 3 Mbps throughput.  ISP (Lightpath) says to set up CEF.  After some failed attempts, they note that my NAT is set up screwy, and should be in a NAT pool instead.  So I do what I have to set up NAT pool and CEF and actually get the 3 Mbps, but now the VPN doesn't work.  I can't reach the other office through a 192.168.x.x address anymore and nothing that I do can get it back up.  Anyways, here's the relevant info from the configs:

***** HQ Cisco 1720 (Current, non-"bonded" config) *****

crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
crypto isakmp key notrealkey address 24.x.x.106
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
 set peer 24.x.x.106
 set transform-set trans1
 match address 106
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
interface Serial0
 ip address 167.x.x.230 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect inetout out
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface Serial1
 ip address 167.x.x.242 255.255.255.252
 ip access-group 115 in
 ip inspect inetout out
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map nostatic
 speed auto
 half-duplex
 no cdp enable
ip nat inside source static tcp 192.168.10.160 80 interface Serial0 80
ip nat inside source static tcp 192.168.10.150 25 interface Serial0 25
ip nat inside source route-map NAT interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 167.x.x.229
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.20.0 0.0.0.255
access-list 103 permit ip host 192.168.10.151 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit tcp any any eq 443
access-list 115 permit udp any any eq 443
access-list 115 permit tcp any host 167.x.x.230 eq www
access-list 115 permit tcp any host 167.x.x.230 eq telnet
access-list 115 permit tcp any host 167.x.x.230 eq smtp
access-list 115 permit icmp 192.168.10.0 0.0.0.255 any
access-list 115 permit icmp any any echo-reply
no cdp run
route-map nostatic permit 10
 match ip address 103
 set ip next-hop 192.168.16.2
route-map NAT permit 10
 match ip address 102

***** END HQ Cisco 1720 (Current, non-"bonded" config) *****


Here are the changes that I made to get the 3 Mbps and non-working VPN:

***** HQ Cisco 1720 ("bonded" config) *****

ip cef
crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
crypto isakmp key notrealkey address 24.x.x.106
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
 set peer 24.x.x.106
 set transform-set trans1
 match address 106
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
interface Serial0
 ip address 167.x.x.230 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect inetout out
 ip load-sharing per-packet
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface Serial1
 ip address 167.x.x.242 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect inetout out
 ip load-sharing per-packet
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map nostatic
 speed auto
 half-duplex
 no cdp enable
ip nat pool natpool1 167.x.x.201 167.x.x.206 netmask 255.255.255.248
ip nat inside source list 1 pool natpool1 overload
ip nat inside source static tcp 192.168.10.160 80 interface Serial0 80
ip nat inside source static tcp 192.168.10.150 25 interface Serial0 25
ip classless
ip route 0.0.0.0 0.0.0.0 167.x.x.229
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.20.0 0.0.0.255
access-list 103 permit ip host 192.168.10.151 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit tcp any any eq 443
access-list 115 permit udp any any eq 443
access-list 115 permit tcp any host 167.x.x.230 eq www
access-list 115 permit tcp any host 167.x.x.230 eq telnet
access-list 115 permit tcp any host 167.x.x.230 eq smtp
access-list 115 permit icmp 192.168.10.0 0.0.0.255 any
access-list 115 permit icmp any any echo-reply
no cdp run
route-map nostatic permit 10
 match ip address 103
 set ip next-hop 192.168.16.2
route-map NAT permit 10
 match ip address 102

***** END HQ Cisco 1720 ("bonded" config) *****



***** Branch office Cisco 1720 (Current config) *****

crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
crypto isakmp key notrealkey address 167.x.x.230
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
 set peer 167.x.x.230
 set transform-set trans1
 match address 106
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
interface FastEthernet0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
interface Serial0
 ip address 24.x.x.106 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect inetout out
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 crypto map combined
ip nat inside source route-map NAT interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.x.x.105
access-list 102 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit tcp any host 24.x.x.106 eq telnet
access-list 115 permit tcp any any eq 443
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit icmp host any any
access-list 151 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
route-map nostatic permit 10
 match ip address 103
 set ip next-hop 192.168.16.2
route-map NAT permit 10
 match ip address 102

***** END Branch office Cisco 1720 (Current config) *****


For the updated branch office config, I just changed the following lines:
crypto isakmp key notrealkey address 167.x.x.201
 set peer 167.x.x.201

So again, when I change the configs as stated above, the NAT pool seems to work fine, and I get 3 Mbps, but the VPN won't work at all, whether the branch has the changed settings or not.  I've spent a good week googling and reading docs to no avail.  There seems to be a million different ways to go wrong here, so any pointers would be a plus.  If there is any more information desired, let me know.  Thanks in advance.
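One check worth running against the two HQ configs quoted above, as an added example that is not part of the question or any of the answers: on IOS, a packet from an inside interface passes through inside-source NAT before the crypto map is consulted, so the ACL that selects traffic for NAT must deny the flows the crypto ACL is meant to encrypt. The script below parses both NAT styles seen in the post (a route-map whose ACL carries a deny, and a plain `ip nat inside source list`) and reports whether the crypto ACL's interesting traffic would be translated first; HQ_CURRENT and HQ_BONDED are constructed excerpts of the posted configs, and the parser assumes numbered ACLs whose address specs are `any`, `host A` or `A WILDCARD`.

```python
import ipaddress
def _spec(w, i):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') at w[i]; return (network, next i)."""
    if w[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, wild = (w[i + 1], "0.0.0.0") if w[i] == "host" else (w[i], w[i + 1])  # 'host A' == 'A 0.0.0.0'
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # wildcard bits -> netmask
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False), i + 2

def parse_config(cfg):
    """Return (acls, nat_acl, crypto_acl): ACL entries as (action, src, dst), the ACL selecting inside-source NAT (directly or via route-map), and the crypto map's match ACL."""
    acls, rmaps, cur, nat, crypto = {}, {}, None, None, None
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        # Only 'ip' extended entries and standard (<100) entries can select NAT or crypto traffic.
        if w[0] == "access-list" and (w[3] == "ip" or int(w[1]) < 100):
            src, i = _spec(w[3:], 1 if w[3] == "ip" else 0)  # extended: 'ip SRC DST'; standard: 'SRC' only
            dst = _spec(w[3:], i)[0] if w[3] == "ip" else ipaddress.IPv4Network("0.0.0.0/0")
            acls.setdefault(w[1], []).append((w[2], src, dst))
        elif w[0] == "route-map":
            cur = w[1]
        elif w[:3] == ["match", "ip", "address"]:
            rmaps[cur] = w[3]
        elif w[:2] == ["match", "address"]:  # inside 'crypto map ... ipsec-isakmp'
            crypto = w[2]
        elif w[:4] == ["ip", "nat", "inside", "source"] and w[4] in ("list", "route-map"):
            nat = w[4:6]
    nat_acl = None if nat is None else (nat[1] if nat[0] == "list" else rmaps.get(nat[1]))
    return acls, nat_acl, crypto

def vpn_flows_natted(cfg):
    """Map each crypto-ACL permit flow to True when the NAT selector would translate it (so the crypto map never matches it)."""
    acls, nat_acl, crypto = parse_config(cfg)
    def natted(src, dst):  # IOS first-match semantics; no match means the implicit deny, i.e. not translated
        return next((a for a, s, d in acls.get(nat_acl, []) if src.subnet_of(s) and dst.subnet_of(d)), "deny") == "permit"
    return {f"{src}->{dst}": natted(src, dst) for act, src, dst in acls.get(crypto, []) if act == "permit"}
# Constructed excerpts of the two HQ configs quoted in the question: only their NAT, ACL and crypto-map lines.
HQ_CURRENT = """crypto map combined 20 ipsec-isakmp
 match address 106
ip nat inside source route-map NAT interface Serial0 overload
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
route-map NAT permit 10
 match ip address 102"""
HQ_BONDED = """crypto map combined 20 ipsec-isakmp
 match address 106
ip nat inside source list 1 pool natpool1 overload
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"""
```

Running `vpn_flows_natted` on both excerpts shows the route-map form exempting the 192.168.10.0/24 to 192.168.20.0/24 flow and the list form translating it; the same check applies to the branch router's ACL 102 against its ACL 106.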
About this solution

Zone: Network Routers
Tags: 1720, cisco, bond, cef
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A