sriwi
asked on
VPN problem
Hi, wondering whether anyone can help me with this small problem.
I have 2 sites, both connected using SHDSL, and I implemented a simple tunnel to connect the two sites. These are the config files:
Site A
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Site-A
!
enable secret 5 xxxx
!
ip subnet-zero
ip name-server xxx
!
!
ip dhcp pool site-A
network 10.0.1.0 255.255.255.0
dns-server 10.0.0.x 255.255.255.0
domain-name x
netbios-name-server x
default-router 10.0.1.1 255.255.255.0
!
ip dhcp pool client
!
!
interface tunnel0
ip address 172.16.0.2 255.255.255.0
no ip route-cache
keepalive 10 1
tunnel source dialer3
tunnel destination xxxxx
tunnel mode ipip
tunnel checksum
!
!
interface Ethernet0
ip address 10.0.1.1 255.255.255.0
hold-queue 32 in
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface ATM0.3 point-to-point
description Internet Network
no ip directed-broadcast
pvc 1/34
ubr 384
encapsulation aal5mux ppp dialer
dialer pool-member 3
!
!
interface Dialer3
description Internet Network
ip address negotiated
ip access-group 101 out
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 3
dialer-group 1
ppp authentication chap callin
ppp chap hostname x
ppp chap password x
!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer3
!
!--- Force Private IP Network into the tunnel
!
ip route 10.0.0.0 255.255.255.0 172.16.0.1
!
ip http server
!
!
snmp-server community BDIRread RO
!
line con 0
exec-timeout 120 0
password 7 xxxxx
login
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 xxxxx
login
!
scheduler max-task-time 5000
!
end
For Site B (this is where all the servers reside):
Current configuration : 1623 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Site-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxx
!
no aaa new-model
ip subnet-zero
ip name-server xxxxx
!
!
!
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
no ip route-cache
keepalive 10 1
tunnel source Dialer3
tunnel destination xxxxxx
tunnel mode ipip
tunnel checksum
!
interface Ethernet0
ip address 10.0.0.249 255.255.255.0
ip nat inside
hold-queue 32 in
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface ATM0.3 point-to-point
description Internet Network
pvc 1/34
ubr 384
encapsulation aal5mux ppp dialer
dialer pool-member 3
!
!
interface Dialer3
description Internet Network
ip address negotiated
encapsulation ppp
dialer pool 3
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.0.1.0 255.255.255.0 172.16.0.2
ip http server
!
dialer-list 1 protocol ip permit
snmp-server community BDIRread RO
snmp-server enable traps tty
!
line con 0
exec-timeout 120 0
password 7 xxxx
login
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 xxxx
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end
The problem is:
I can ping from Site B to Site A to any IP address without any problems at all (10.0.1.x all works), but I can only ping certain IP addresses from Site A to Site B, such as 10.0.0.249; I could not ping 10.0.0.254, 250, 1, 3, 8, 9.
No NAT is required for those sites, since they have their own internet connection.
It looks like a subnet mask problem to me, but I could not pinpoint where it is. For the Cisco experts I am sure this would be a simple problem.
Cheers
ASKER
Oops, sorry, I did not see that before. I tried changing it to 255.255.255.252 on both subnets before, just to see if there is any difference in the subnet masking.
SiteA:
interface tunnel0
ip address 172.16.0.2 255.255.255.0 <== should be the same on both ends of the tunnel
Site B:
interface Tunnel0
ip address 172.16.0.1 255.255.255.250 <== this is what Site B should be. As I said before, it could only ping from the 10.0.0.x network to the 10.0.1.x network, but could not ping anything else from 10.0.1.x to 10.0.0.x except 10.0.0.249, which is very strange and looks like a subnet mask problem; but where is the subnet mask config? It all looks OK. I don't need any internet access at all, since on the main site (Site B) we have a separate link for the internet, and we all just use remote access to access the internet.
Thanks for the comments
Cheers
ASKER
New development: it turns out that the tunnel works (I can ping from one router to the other router without any problems), so the question that I posted is useless?
Anyway, I still can't ping the network from Site A to Site B. I can ping the router (i.e. 10.0.0.249) from the 10.0.1.x network, but I could not ping anything beyond that. On the 10.0.0.x network I have another router of the same type that is providing a connection to the internet, and I have tried to do port forwarding on that router from outside to inside; it doesn't work either, but NAT works fine, since I tested it manually.
What could be the issue here? I know that I have pinpointed the problem to the second router on Site B, and I am sure that we can have 2 routers providing 2 gateways to the internet on the same subnet range; is this achievable?
Or do I have to use different IP ranges for different routers, and provide a static route between them?
Any thoughts and suggestions?
ASKER CERTIFIED SOLUTION
>interface Dialer3
> ip access-group 101 out <== where is your definition of access-list 101?
You must have left out some other configuration items also. I don't see any NAT statements. I know you don't have to NAT between the two private LANs across the tunnel, but how are you getting Internet access?
>No nat required for those sites, since they got their own internet connection.
If this is a private connection between two sites with a tunnel, then check the default gateway settings on those systems that you cannot ping.
The only subnet mask mismatch that I can see is on your tunnel interfaces:
SiteA:
interface tunnel0
ip address 172.16.0.2 255.255.255.0 <== should be the same on both ends of the tunnel
Site B:
interface Tunnel0
ip address 172.16.0.1 255.255.255.252 <== should be the same on both ends of the tunnel
You could have subnet mask or default gateway issues with those systems that you cannot ping. You would have to check their configs individually.
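The two checks suggested in this answer, the tunnel mask mismatch and the default-gateway return path on the Site B hosts, can be modelled mechanically. This is an added example, not code from the thread or from Cisco; the second Site B router's address 10.0.0.1 and its routing table are assumptions, and the tunnel stanzas are copied from the posted configs.

```python
import ipaddress
import re

# Tunnel stanzas copied from the two configs posted in the thread.
SITE_A_TUNNEL = """interface tunnel0
 ip address 172.16.0.2 255.255.255.0
 tunnel mode ipip"""
SITE_B_TUNNEL = """interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel mode ipip"""

def tunnel_iface(stanza):
    """Return the IPv4Interface configured under a tunnel stanza."""
    m = re.search(r"ip address (\S+) (\S+)", stanza)
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")

def tunnel_masks_match(stanza_a, stanza_b):
    """Both ends must agree on the subnet: same network, same prefix length."""
    return tunnel_iface(stanza_a).network == tunnel_iface(stanza_b).network

# Return-path routing tables. 10.0.0.249 is Site B's tunnel router from the
# posted config. 10.0.0.1 is an ASSUMED address for the second Site-B router
# (the one with the separate Internet link); its table is constructed here as
# having only a default route and no route to 10.0.1.0/24.
ROUTES = {
    "10.0.0.249": [("10.0.1.0/24", "tunnel0"), ("0.0.0.0/0", "Dialer3")],
    "10.0.0.1": [("0.0.0.0/0", "internet")],
}

def next_hop_iface(routes, dst):
    """Longest-prefix match over a route list; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def reply_reaches_site_a(host, gateway, src="10.0.1.50"):
    """Would an echo reply from a 10.0.0.x host get back into the tunnel?

    A router answers from its own routing table; an ordinary host hands the
    reply to its default gateway, so only a gateway that routes 10.0.1.0/24
    into tunnel0 delivers it to Site A.
    """
    table = ROUTES[host] if host in ROUTES else ROUTES[gateway]
    return next_hop_iface(table, src) == "tunnel0"
```

With the posted masks the tunnel check fails, and a host whose default gateway is the assumed second router never gets its reply back to Site A, while 10.0.0.249 itself does, which matches the symptom described in the question.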