Solved

Router to router VPN using 3 Cisco 827 4V - 500 points

Posted on 2004-10-12
Last Modified: 2009-07-29
Hello:

I have 3 Cisco routers connected to the Internet by ADSL with fixed IPs and to a LAN, and I want to create a router-to-router VPN. I have basic knowledge of Cisco IOS but I can't make it work.

Office 1 (central office)
[192.168.XXX.XXX]-[ROUTER1]-[10.10.10.10]-[WAN]

Office 2 (remote 1)
[192.169.XXX.XXX]-[ROUTER2]-[20.20.20.20]-[WAN]

Office 3 (remote 2)
[192.170.XXX.XXX]-[ROUTER3]-[30.30.30.30]-[WAN]

(10.10.10.10, 20.20.20.20 and 30.30.30.30 are all public fixed IP addresses and the 192.XXX.0.0 networks are the inside LANs (the IP of the router in all offices is 192.XXX.254.254). The XXX changes from one office to another.)

Note that the mask (LAN) is 255.255.0.0 (NOT 255.255.255.0). The IPs are for this example (they are not good); the definitive ones will be others...

We have IOS Version 12.2(8)T5 on all routers and all are 827 4V.

All I want is to be able to ping from every computer in every office to all other computers in the other offices, as if all the computers were on the same LAN.

As I've read, the encryption for the VPN may be MD5 or SHA; as I've read, MD5 is faster but provides a lower level of security, so I prefer to use SHA (if it is the more secure one, as I think. If you think I'm wrong, make it with what you think is safer).

The routers will need access to the Internet as now (for the computers in each office to get access to the Internet using their own router; no Internet traffic over the VPN link, I mean).

The system should be capable of accepting more offices when needed.

I suppose my config files will have a lot of crap, so I'm going to put here the starting configs (only Internet connection, nothing on VPN) for offices 1 and 2.

The accepted answer will be the 3 config files corrected to work in the VPN and, if there are two answers, the cleaner and better commented one.

This is very urgent.

Config for Office 1 (central office):
---------------------------------------
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname OFICINA1
!
logging rate-limit console 10 except errors
enable secret 5 ************
!
username ********* password 7 *******************
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
call rsvp-sync
!
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g723r63
 codec preference 3 g711ulaw
!
!
!
interface Ethernet0
 ip address 192.168.254.254 255.255.0.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 pvc 8/32
  protocol ip 10.10.10.2 broadcast
  encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip http server
ip http access-class 15
!
ip nat inside source list 1 interface ATM0 overload
!
!
ip nat inside source static tcp 192.168.254.254 23 10.10.10.10 23 extendable
ip nat inside source static udp 192.168.254.254 23 10.10.10.10 23 extendable
!
!
ip nat inside source static tcp 192.168.11.2 5631 10.10.10.10 5631 extendable
ip nat inside source static udp 192.168.11.2 5632 10.10.10.10 5632 extendable
!
!
access-list 1 permit any
access-list 2 permit any
!
voice-port 1
 cptone ES
 timeouts interdigit 4
!
voice-port 2
 cptone ES
 timeouts interdigit 4
!
voice-port 3
 cptone ES
 timeouts interdigit 4
!
voice-port 4
 cptone ES
 timeouts interdigit 4
!
dial-peer voice 1 pots
 destination-pattern 2531
 port 1
!
dial-peer voice 2 pots
 destination-pattern 2532
 port 2
!
dial-peer voice 3 pots
 destination-pattern 2533
 port 3
!
dial-peer voice 4 pots
 destination-pattern 2534
 port 4
!
dial-peer voice 2008 voip
 shutdown
 destination-pattern 254
 session target ipv4:81.214.13.22
!
dial-peer voice 5 voip
 destination-pattern 666T
 session target ipv4:81.214.13.22
!
gateway
!
!
line con 0
 exec-timeout 0 0
 login
 transport input none
 stopbits 1
line vty 0 4
 session-timeout 60
 exec-timeout 0 0
 password 7 **************
 login
!
scheduler max-task-time 5000
end

Config for Office 2 (remote office 1):
---------------------------------------
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname OFICINA2
!
logging rate-limit console 10 except errors
enable secret 5 ************
!
username ********* password 7 *******************
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
call rsvp-sync
!
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g723r63
 codec preference 3 g711ulaw
!
!
!
interface Ethernet0
 ip address 192.169.254.254 255.255.0.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 20.20.20.20 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 pvc 8/32
  protocol ip 20.20.20.2 broadcast
  encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 20.20.20.2
ip http server
ip http access-class 15
!
ip nat inside source list 1 interface ATM0 overload
!
!
ip nat inside source static tcp 192.169.254.254 23 20.20.20.20 23 extendable
ip nat inside source static udp 192.169.254.254 23 20.20.20.20 23 extendable
!
!
ip nat inside source static tcp 192.169.11.2 5631 20.20.20.20 5631 extendable
ip nat inside source static udp 192.169.11.2 5632 20.20.20.20 5632 extendable
!
!
access-list 1 permit any
access-list 2 permit any
!
voice-port 1
 cptone ES
 timeouts interdigit 4
!
voice-port 2
 cptone ES
 timeouts interdigit 4
!
voice-port 3
 cptone ES
 timeouts interdigit 4
!
voice-port 4
 cptone ES
 timeouts interdigit 4
!
dial-peer voice 1 pots
 destination-pattern 2531
 port 1
!
dial-peer voice 2 pots
 destination-pattern 2532
 port 2
!
dial-peer voice 3 pots
 destination-pattern 2533
 port 3
!
dial-peer voice 4 pots
 destination-pattern 2534
 port 4
!
dial-peer voice 2008 voip
 shutdown
 destination-pattern 254
 session target ipv4:81.12.113.212
!
dial-peer voice 5 voip
 destination-pattern 666T
 session target ipv4:81.12.113.212
!
gateway
!
!
line con 0
 exec-timeout 0 0
 login
 transport input none
 stopbits 1
line vty 0 4
 session-timeout 60
 exec-timeout 0 0
 password 7 **************
 login
!
scheduler max-task-time 5000
end
Question by: Silvereme

28 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12290474
Reference Document:
Option 1 - create multiple IPSEC tunnels to create hub/spoke topology:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Option 2 - create fully-meshed tunnels between sites:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014f8ab.shtml

Option 3 - (My recommendation) use multipoint GRE w/IPSEC
- Requires upgrade to 12.3(3) or higher
- Allows dynamic routing over GRE tunnels
- Allows QoS over VPN
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
This document puts it all together:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

Questions for you:
- Do you have 3DES/AES feature license on all routers?
- Is upgrade to 12.3(3) an option for you?

The issue between SHA and MD5 - SHA is more secure, but uses more CPU power. You should not see any perceptible performance hit by using SHA. My preference is to use AES-256 + SHA





Author Comment

by:Silvereme
ID: 12295857
Hello lrmoore:

I think option 3 would be better (as recommended by you; I don't know the differences, but the network could grow to 12 or 15 offices in a year or two), but I need to start the VPN as soon as possible and buying a license will take 4 or 5 days (do you know if I could buy it online and download it?)

If you know where to buy and download it, option 3 is preferred; if not, the best of options 1 or 2 based on your recommendation (take care of the possible growth to 12-15 offices).

Another important point: I don't know if an IOS upgrade may be done remotely (by telnet or tftp); if not, I prefer not to upgrade (the three offices are 600km away).

I wait for your news.

Thank you.

Author Comment

by:Silvereme
ID: 12295885
(and what is your time zone or working hours?) -> to stay in front of the computer at those hours to provide fast replies...

Bye
LVL 79

Expert Comment

by:lrmoore
ID: 12297392
If your network is growing, then option 3 is absolutely your best bet.
Option 2 is not at all recommended in a large, or growing, setup.
Option 1 is your only choice if you can't upgrade your IOS.

Yes, you can upgrade the IOS via http or tftp across the WAN/Internet with no problems. I've done it many times.

Yes, you can download the IOS from Cisco if you have a CCO login and active SmartNet maintenance.
You can buy Smartnet, or upgrades, or licenses from http://www.cdw.com

You did not fully answer this question - do you have 3DES? Are you in a country with restricted distribution and can only use DES?

I am in US - Central time zone

Author Comment

by:Silvereme
ID: 12298837
lrmoore:

I'm not sure which product I should buy on cdw.com (for download; all I can find have traditional delivery (1 or 2 weeks)). If you could give me the correct one I could buy and download it today. (Or, if you prefer, I could buy it from you with another "question" and more points. My address is a.guillermo at silvereme com.) Whatever you prefer.

And yes, we can use 3DES here (Spain), but how should I check if the router supports it?

Thks

Author Comment

by:Silvereme
ID: 12298872
lrmoore:

I've found in a local distributor this version: S820CHVK9-12310=      Cisco 820 Ser IOS IP/FW/VOICE PLUS 3DES  

Is it valid?

Thk.
LVL 79

Expert Comment

by:lrmoore
ID: 12298900
Yes, this version should work just fine for you.

Author Comment

by:Silvereme
ID: 12299068
Ok, I'm downloading it now.

When do you think you'll have the config files? (your option: option number 3)

I'm going to start googling to find the way to upload the IOS to the routers... OK?

Thank you :)
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12299488
These are mostly just the changes that you have to add to your existing configs....

OFICINA1
!
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
 group 2

crypto isakmp key PriVatEKey address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
interface Loopback1
 ip address 172.68.110.1 255.255.255.0
 ip nat inside
!
interface Tunnel1
 description MULTI-POINT GRE TUNNEL for BRANCHES
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 ! tunnel source must be the public (NBMA) interface the spokes map to, i.e. ATM0 (10.10.10.10)
 tunnel source ATM0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!

!
interface Ethernet0
 ip address 192.168.254.254 255.255.0.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 ip inspect in2out out
 no ip mroute-cache
 pvc 8/32
  protocol ip 10.10.10.2 broadcast
  encapsulation aal5snap
 !
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.68.110.0 0.0.0.255 area 0
 redistribute connected

!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip http server
ip http access-class 15
!
no ip nat inside source list 1 interface ATM0 overload
! overload on the outside interface; an 827 has no FastEthernet0/0
ip nat inside source route-map nonat interface ATM0 overload

!
 
access-list 110 deny   ip 192.168.0.0 0.0.255.255 172.68.118.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.169.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!
end


OFICINA2

!
ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
 group 2

crypto isakmp key PriVatEKey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
interface Loopback1
 ip address 172.68.118.1 255.255.255.0
 ip nat inside

interface Tunnel1
 description HOST DYNAMIC TUNNEL
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 10.10.10.10  <== change as required
 ip nhrp map multicast 10.10.10.10   <== change as required
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 ! tunnel source must be this router's public (NBMA) interface, i.e. ATM0
 tunnel source ATM0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
 ip address 192.169.254.254 255.255.0.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 20.20.20.20 255.255.255.0 <== change as required
 ip nat outside
 ip inspect in2out out
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 8/32
  protocol ip 20.20.20.2 broadcast <== change as required
  encapsulation aal5snap
 !
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.0.0 0.0.0.255 area 0
 network 172.68.118.0 0.0.0.255 area 0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.2 <== change as required
ip http server
ip http access-class 15
!
no ip nat inside source list 1 interface ATM0 overload
ip nat inside source route-map nonat interface ATM0 overload
access-list 110 deny ip 192.169.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 172.68.118.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.169.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!
end


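A check worth running before loading the two fragments above: the PAT statement must name an interface that exists and is marked 'ip nat outside', and a spoke's static 'ip nhrp map' must point at the address the hub's 'tunnel source' interface actually carries. The Python script below is an added example, not code from this answer or from Cisco; it parses a constructed, trimmed copy of the OFICINA1/OFICINA2 fragments (embedded inline) and reports both kinds of mismatch.

```python
# Added consistency checker for the DMVPN hub/spoke fragments above (not the
# page's or Cisco's code): flags a PAT statement on a missing or non-outside
# interface, and a spoke NHRP map that does not match the hub's 'tunnel source'.
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_ios(text):
    """Split an IOS config into (global_lines, {interface: [sub-lines]})."""
    global_lines, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None and line.strip() != "!":
            interfaces[current].append(line.strip())
        else:
            current = None                  # '!', blank or other top-level line ends the stanza
            if line.strip() not in ("", "!"):
                global_lines.append(line.strip())
    return global_lines, interfaces

def iface_address(interfaces, name):
    """Primary IPv4 address of an interface, or None if absent or unconfigured."""
    for line in interfaces.get(name, []):
        m = re.match(rf"ip address ({IPV4}) {IPV4}$", line)
        if m:
            return m.group(1)
    return None

def check_nat_overload(global_lines, interfaces):
    """Each active PAT statement must name an existing 'ip nat outside' interface."""
    pat = re.compile(r"ip nat inside source (?:list|route-map) \S+ interface (\S+) overload$")
    problems = []
    for iface in (m.group(1) for m in map(pat.match, global_lines) if m):  # 'no ip nat ...' never matches
        if iface not in interfaces:
            problems.append(f"NAT overload uses {iface}, which is not configured")
        elif "ip nat outside" not in interfaces[iface]:
            problems.append(f"NAT overload uses {iface}, which is not 'ip nat outside'")
    return problems

def tunnel_source_address(interfaces, tunnel):
    """(tunnel source token, resolved IPv4 or None) for the given tunnel interface."""
    for line in interfaces.get(tunnel, []):
        m = re.match(r"tunnel source (\S+)$", line)
        if m:
            src = m.group(1)
            return src, (src if re.fullmatch(IPV4, src) else iface_address(interfaces, src))
    return None, None

def check_nhrp(spoke_ifaces, hub_ifaces, tunnel="Tunnel1"):
    """Tunnel sources must resolve, and the spoke's static NHRP map must hit the hub's NBMA address."""
    problems = []
    for role, ifaces in (("hub", hub_ifaces), ("spoke", spoke_ifaces)):
        src, addr = tunnel_source_address(ifaces, tunnel)
        if addr is None:
            problems.append(f"{role}: {tunnel} tunnel source {src} does not resolve to an address")
    hub_nbma = tunnel_source_address(hub_ifaces, tunnel)[1]
    for line in spoke_ifaces.get(tunnel, []):   # 'ip nhrp map multicast ...' does not match
        m = re.match(rf"ip nhrp map ({IPV4}) ({IPV4})$", line)
        if m and m.group(2) != hub_nbma:
            problems.append(f"spoke maps {m.group(1)} to {m.group(2)} but hub tunnel source is {hub_nbma}")
    return problems

def run_checks(hub_text, spoke_text):
    """All three lists empty means the hub/spoke pair is consistent."""
    (hub_g, hub_i), (spoke_g, spoke_i) = parse_ios(hub_text), parse_ios(spoke_text)
    return {"hub_nat": check_nat_overload(hub_g, hub_i),
            "spoke_nat": check_nat_overload(spoke_g, spoke_i),
            "nhrp": check_nhrp(spoke_i, hub_i)}

# Constructed samples, trimmed from the OFICINA1/OFICINA2 fragments above.
HUB_CFG = """\
interface Tunnel1
 ip address 172.16.0.1 255.255.255.0
 tunnel source Ethernet0
!
interface Ethernet0
 ip address 192.168.254.254 255.255.0.0
!
interface ATM0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
!
no ip nat inside source list 1 interface ATM0 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload
"""
SPOKE_CFG = """\
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip nhrp map 172.16.0.1 10.10.10.10
 tunnel source Ethernet0/0
!
interface ATM0
 ip address 20.20.20.20 255.255.255.0
 ip nat outside
!
ip nat inside source route-map nonat interface ATM0 overload
"""
```

Running run_checks(HUB_CFG, SPOKE_CFG) reports the unknown FastEthernet0/0 on the hub, the unresolvable Ethernet0/0 tunnel source on the spoke, and the spoke mapping the hub to 10.10.10.10 while the hub's tunnel source resolves to 192.168.254.254; pointing both tunnel sources and the hub PAT at ATM0 clears all three.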

Author Comment

by:Silvereme
ID: 12299966
Could I still use the:

ip nat inside source static tcp 151.106.11.2 5631 91.39.19.60 5631 extendable
ip nat inside source static udp 151.106.11.2 5632 91.39.19.60 5632 extendable

lines?


Author Comment

by:Silvereme
ID: 12300028
And I suppose that the "PriVatEKey" is the shared password... Is it OK?
LVL 79

Expert Comment

by:lrmoore
ID: 12300035
Yes to both questions.

Author Comment

by:Silvereme
ID: 12300085
I'm upgrading and testing, hold on... :)

Author Comment

by:Silvereme
ID: 12300168
I've deleted the old image and uploaded the new one but I get the following error on boot:

------------------------------
%SYS-3-IMAGE_TOO_BIG: 'flash:c820-k9osv6y6-mz.123-9.bin' is too large for availa
ble memory (160232 bytes).boot of "c820-k9osv6y6-mz.123-9.bin" using boot helper
 "flash:c820-k9osv6y6-mz.123-9.bin" failed
error returned: File read failed -- Not enough space
loadprog: error - on file open
boot: cannot load "c820-k9osv6y6-mz.123-9.bin"
------------------------------

My system has 32768 Kbytes of memory.

Do you know what the problem is?

Author Comment

by:Silvereme
ID: 12300190
Strange, it restarted again and booted OK...

???

OK, I'm going to put in your config file and continue testing...

Author Comment

by:Silvereme
ID: 12300472
I'm getting the following errors when booting, but it seems to boot OK:


ip audit po max-events 100
    ^
% Invalid input detected at '^' marker.

 ip nhrp authentication dmvpn
     ^
% Invalid input detected at '^' marker.

 ip nhrp map multicast dynamic
     ^
% Invalid input detected at '^' marker.

 ip nhrp network-id 99
     ^
% Invalid input detected at '^' marker.

 ip nhrp holdtime 300
     ^
% Invalid input detected at '^' marker.

 ip ospf network broadcast
    ^
% Invalid input detected at '^' marker.

router ospf 1
        ^
% Invalid input detected at '^' marker.

 log-adjacency-changes
    ^
% Invalid input detected at '^' marker.

 network 172.16.0.0 0.0.0.255 area 0
    ^
% Invalid input detected at '^' marker.

 network 172.68.110.0 0.0.0.255 area 0
    ^
% Invalid input detected at '^' marker.

 redistribute connected
   ^
% Invalid input detected at '^' marker.

%Dynamic mapping not found
ip nat inside source route-map nonat interface FastEthernet0/0 overload
                                               ^
% Invalid input detected at '^' marker.
LVL 23

Expert Comment

by:Tim Holman
ID: 12300641
These errors mean your IOS command set does not support these commands.  Either choose a version of IOS that does, or remove these commands.
I didn't think an 827 supported OSPF anyway?

Author Comment

by:Silvereme
ID: 12301315
OK, but are they needed for the VPN?
LVL 79

Expert Comment

by:lrmoore
ID: 12301429
OSPF is not required for the VPN...
Looks to me like you don't have enough DRAM memory in the router to run this IOS...

>%SYS-3-IMAGE_TOO_BIG: 'flash:c820-k9osv6y6-mz.123-9.bin' is too large for availa
ble memory (160232 bytes).boot of "c820-k9osv6y6-mz.123-9.bin" using boot helper
 "flash:c820-k9osv6y6-mz.123-9.bin" failed
error returned: File read failed -- Not enough space
>

Author Comment

by:Silvereme
ID: 12301734
Various problems:

Now from the OFFICE1 router, I can ping a server on the internet (194.224.52.36):

adsloficina#ping 194.224.52.36

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 194.224.52.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/57/60 ms
adsloficina#

But I can't ping the OFFICE2 router or computers:
adsloficina#ping 151.109.254.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 151.109.254.253, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
adsloficina#

And I can't get the Internet from the OFFICE1 network:

C:\Documents and Settings\agm>ping 194.224.52.36

Haciendo ping a 194.224.52.36 con 32 bytes de datos:

Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 194.224.52.36:
    Paquetes: enviados = 4, recibidos = 0, perdidos = 4
    (100% perdidos),

(with the old config I can do it)

Additional info:

adsloficina#tracer 151.109.11.2

Type escape sequence to abort.
Tracing the route to nothing.sbcdns.com (151.109.11.2)

  1 10.5.26.1 48 msec 52 msec 52 msec
  2 80.58.18.20 40 msec 48 msec 48 msec
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  !H  *
adsloficina#show crypto isakmp sa
dst             src             state          conn-id slot

adsloficina#show crypto ipsec sa

adsloficina#show crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  De
crypt


So:

- The VPN seems not to be working
- I can't get access to the Internet from the LAN

The configs are (with the good IPs, except the external ones, which are slightly modified):
---------------------------------------
OFFICE1:
!
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname adsloficina
!
logging rate-limit console 10 except errors
enable secret *********
!
username ********* password **********

ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
 group 2

crypto isakmp key PriVatEKey address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
interface Loopback1
 ip address 172.68.110.1 255.255.255.0
 ip nat inside
!
interface Tunnel1
 description MULTI-POINT GRE TUNNEL for BRANCHES
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!

!
interface Ethernet0
 ip address 10.0.0.253 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 223.197.96.204 255.255.255.240
 ip nat outside
 no atm ilmi-keepalive
 ip inspect in2out out
 no ip mroute-cache
 pvc 8/32
  protocol ip 223.197.96.194 broadcast
  encapsulation aal5snap
 !
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.68.110.0 0.0.0.255 area 0
 redistribute connected

!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 223.197.96.194
ip http server
ip http access-class 15
!
no ip nat inside source list 1 interface ATM0 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload

ip nat inside source static tcp 10.0.0.253 23 223.197.96.204 23 extendable
ip nat inside source static udp 10.0.0.253 23 223.197.96.204 23 extendable

!
 
access-list 110 deny   ip 10.0.0.0 0.0.0.255 172.68.118.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.255 151.109.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!

!
voice-port 1
 cptone ES
 timeouts interdigit 4
!
voice-port 2
 cptone ES
 timeouts interdigit 4
!
voice-port 3
 cptone ES
 timeouts interdigit 4
!
voice-port 4
 cptone ES
 timeouts interdigit 4
!
dial-peer voice 1 pots
 destination-pattern 2531
 port 1
!
dial-peer voice 2 pots
 destination-pattern 2532
 port 2
!
dial-peer voice 3 pots
 destination-pattern 2533
 port 3
!
dial-peer voice 4 pots
 destination-pattern 2534
 port 4
!
dial-peer voice 2008 voip
 shutdown
 destination-pattern 254
 session target ipv4:********
!
dial-peer voice 5 voip
 destination-pattern 666T
 session target ipv4:***********
!
gateway
!
!
line con 0
 exec-timeout 0 0
 login
 transport input none
 stopbits 1
line vty 0 4
 session-timeout 60
 exec-timeout 0 0
 password ***********
 login
!
scheduler max-task-time 5000
end






OFFICE2:
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname adslvigo1
!
logging rate-limit console 10 except errors
enable secret 5 ***********
!
username silvereme password 7 **********
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
call rsvp-sync
!
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g723r63
 codec preference 3 g711ulaw
!
ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
 group 2

crypto isakmp key PriVatEKey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
interface Loopback1
 ip address 172.68.118.1 255.255.255.0
 ip nat inside

interface Tunnel1
 description HOST DYNAMIC TUNNEL
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 223.197.96.204  
 ip nhrp map multicast 223.197.96.204  
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
 ip address 151.109.254.253 255.255.0.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 ip address 81.31.35.170 255.255.255.0
 ip nat outside
 ip inspect in2out out
 no ip mroute-cache
  no atm ilmi-keepalive
  pvc 8/32
  protocol ip 81.31.35.2 broadcast
  encapsulation aal5snap
 !
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.0.0 0.0.0.255 area 0
 network 172.68.118.0 0.0.0.255 area 0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 81.31.35.2
ip http server
ip http access-class 15
!

no ip nat inside source list 1 interface ATM0 overload
ip nat inside source route-map nonat interface ATM0 overload

access-list 110 deny ip 151.109.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 172.68.118.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 151.109.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!

ip nat inside source static tcp 151.109.254.253 23 81.31.35.170 23 extendable
ip nat inside source static udp 151.109.254.253 23 81.31.35.170 23 extendable
!
!
ip nat inside source static tcp 151.109.11.2 5631 81.31.35.170 5631 extendable
ip nat inside source static udp 151.109.11.2 5632 81.31.35.170 5632 extendable
!
!
!
voice-port 1
 cptone ES
 timeouts interdigit 4
!
voice-port 2
 cptone ES
 timeouts interdigit 4
!
voice-port 3
 cptone ES
 timeouts interdigit 4
!
voice-port 4
 cptone ES
 timeouts interdigit 4
!
dial-peer voice 1 pots
 destination-pattern 2531
 port 1
!
dial-peer voice 2 pots
 destination-pattern 2532
 port 2
!
dial-peer voice 3 pots
 destination-pattern 2533
 port 3
!
dial-peer voice 4 pots
 destination-pattern 2534
 port 4
!
dial-peer voice 2008 voip
 shutdown
 destination-pattern 254
 session target ipv4:*****
!
dial-peer voice 5 voip
 destination-pattern 666T
 session target ipv4:**********
!
gateway
!
!
line con 0
 exec-timeout 0 0
 login
 transport input none
 stopbits 1
line vty 0 4
 session-timeout 60
 exec-timeout 0 0
 password 7 **************
 login
!
scheduler max-task-time 5000
end

LVL 79

Expert Comment

by:lrmoore
ID: 12301950
These are not posts of the *actual* running config or this would not show up:
   >version 12.1
   >no ip nat inside source list 1 interface ATM0 overload

Can you post the result of "show ip route"?
Are you learning anything by OSPF?

Can you post the result of "show interface tunnel1"?

For verification:
* show crypto isakmp sa - Displays the state for the ISAKMP security association (SA).

* show crypto engine connections active - Displays the total encrypts/decrypts per SA.

* show crypto ipsec sa - Displays the statistics on the active tunnels.

* show ip route - Displays the routing table.

* show ip ospf neighbor - Displays OSPF neighbor information on a per-interface basis.

* show ip nhrp - Displays the IP Next Hop Resolution Protocol (NHRP) cache, optionally limited to dynamic or static cache entries for a specific interface.





Author Comment

by:Silvereme
ID: 12305798
lrmoore:

I've removed both lines ( version and no ip nat) from the config and restarted.

> The result of "show ip route" is:
adsloficina#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 213.97.96.194 to network 0.0.0.0

     172.68.0.0/24 is subnetted, 1 subnets
C       172.68.110.0 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Tunnel1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
     213.97.96.0/28 is subnetted, 1 subnets
C       213.97.96.192 is directly connected, ATM0
S*   0.0.0.0/0 [1/0] via 213.97.96.194
adsloficina#

> I have no idea what OSPF is

> The result of "show interface tunnel1" is:
adsloficina#show interface tunnel1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Description: MULTI-POINT GRE TUNNEL for BRANCHES
  Internet address is 172.16.0.1/24
  MTU 1514 bytes, BW 1000 Kbit, DLY 10000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.0.0.253 (Ethernet0), destination UNKNOWN
  Tunnel protocol/transport multi-GRE/IP, key 0x186A0, sequencing disabled
  Checksumming of packets disabled,  fast tunneling enabled
  Tunnel protection via IPSec (profile "dmvpnprof")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

The other commands give no information (empty table) except:
- show ip ospf neighbor that gives me:
adsloficina#show ip ospf neighbor
                    ^
% Invalid input detected at '^' marker.

- show ip nhrp that gives me:
adsloficina#show ip nhrp
                     ^
% Invalid input detected at '^' marker.

I have corrected the line:
ip nat inside source route-map nonat interface FastEthernet0/0 overload
with:
ip nat inside source route-map nonat interface Ethernet0/0 overload

I wait for your news...

Thank you!



Author Comment

by:Silvereme
ID: 12317448
Any news???
LVL 23

Expert Comment

by:Tim Holman
ID: 12318448
I'm not convinced your IOS supports OSPF, so using GRE w/IPSEC is not really going to give you much advantage.
Try the plain IPSEC route instead -

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
LVL 79

Expert Comment

by:lrmoore
ID: 12318616
Or you can just use EIGRP over the GRE instead of OSPF

Instead of this at each site,

    router ospf 1
     log-adjacency-changes
     redistribute connected
     network 172.16.0.0 0.0.0.255 area 0
     network 172.68.118.0 0.0.0.255 area 0
!

Use this:
    router eigrp 101
     network 172.16.0.0  <== Just the Tunnel interface subnet
     redistribute connected
     no auto-summary
!

LVL 79

Expert Comment

by:lrmoore
ID: 13737574
Do you need any more assistance or information?
Can you close out this long-forgotten question?
Here's how:
http://www.experts-exchange.com/help.jsp#hs5

Thanks!
<8-}