Cisco 1720 VPN (t1) to Cisco 1720 VPN (DSL)

Hello people,

I am kind of stuck here... We have two offices that both have Cisco 1720 routers. I have gone in and configured crypto for the VPN but I can't get the two sites to talk to each other. How can I check what the problem is (as far as logs, etc.)? Here is the configuration of my routers:

Cisco 1720 (T1)

version 12.2
service telnet-zeroidle
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
hostname rt1
memory-size iomem 20
clock timezone EST -5
ip subnet-zero
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 2.2.2.2
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
crypto map svisakmp 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set svipsec
 match address 186
interface Loopback0
 ip address 1.1.1.1 255.255.255.248
 crypto map svisakmp
interface FastEthernet0
 ip address 192.168.152.20 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 no cdp enable
interface Serial0
 ip address xx.xx.xx.xx 255.255.255.252
 ip accounting output-packets
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map svisakmp
ip nat pool svaddr xx.xx.xx.27 xx.xx.xx.30 netmask 255.255.255.248
ip nat inside source list 1 pool svaddr overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 192.168.151.0 255.255.255.0 Loopback0
no ip http server
logging trap debugging
access-list 102 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny   ip 192.168.152.0 0.0.0.255 any
access-list 186 deny   ip 192.168.151.0 0.0.0.255 any
no cdp run
route-map nonat permit 20
 match ip address 102

Cisco 1720 (DSL)

version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
hostname rt2
logging buffered 4096 debugging
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
crypto map svisakmp 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set svipsec
 match address 186
interface Ethernet0
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
 half-duplex
 no cdp enable
 crypto map svisakmp
!
interface FastEthernet0
 ip address 192.168.151.101 255.255.255.0 secondary
 ip address 192.168.151.1 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 priority-group 1
 no cdp enable
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
no ip http server
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny   ip 192.168.152.0 0.0.0.255 any
access-list 186 deny   ip 192.168.151.0 0.0.0.255 any
no cdp run

Thank you guys in advance for your help!!
Asked:
teepee2
jajjones Commented:
Why have you applied the crypto map to Loopback0 on the T1 router? That is the first pass.

There are various debug commands...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dt_vpn17.htm#1037269
teepee2 (Author) Commented:
What interface should the crypto map be on?
I have seen another configuration in the past that has worked; that is why I followed that model.
jajjones Commented:
OK, the way I would do it is to apply the crypto maps on the WAN side of things at either end. Your loopbacks don't handle any data as such.
magicomminc Commented:
--on Cisco 1720 (T1):
1) remove:
ip nat inside source list 1 pool svaddr overload
2) change access-list 186 to below (one line only):
no access-list 186
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
3) change access-list 102 to below:
no access-list 102
access-list 102 deny ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 102 permit ip 192.168.152.0 0.0.0.255 any
4) add:
ip nat inside source route-map nonat pool svaddr interface serial0 overload
--on Cisco 1720 (DSL):
1) remove:
ip nat inside source list 1 interface Ethernet0 overload
2) change access-list 186 to below (one line only):
no access-list 186
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
3) add the following:
access-list 102 deny ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 102 permit ip 192.168.151.0 0.0.0.255 any
ip nat inside source route-map nonat interface ethernet0 overload
route-map nonat permit 20
 match ip address 102
Note: "route-map nonat" really means "NAT" everything to the Internet.
sohaibfaruq Commented:
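The fix above comes down to two rules: the crypto ACL holds one permit line per protected flow (the return direction is configured on the peer), and the NAT ACL must deny those same flows before permitting anything else, or the packets are translated before they ever reach the crypto map. The following script is an added example, not the poster's or any of the commenters' code: it parses the relevant lines of an IOS config and reports violations of both rules. The T1 excerpt it contains is constructed from the thread, and the `access-list 1` line is assumed, since the posted config references it for NAT but does not show it.

```python
from ipaddress import ip_network

# Constructed excerpt of the thread's T1 config; "access-list 1" is assumed (not shown in the post).
T1_BEFORE = """\
crypto map svisakmp 1 ipsec-isakmp
 match address 186
ip nat inside source list 1 pool svaddr overload
access-list 1 permit 192.168.152.0 0.0.0.255
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny   ip 192.168.152.0 0.0.0.255 any
"""

def _net(tok):
    # One ACL address term: 'any' or 'addr wildcard' (the IOS wildcard is inverted to a netmask).
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    mask = ".".join(str(255 - int(o)) for o in tok[1].split("."))
    return ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def audit(config):
    """Return [(code, detail)] for the crypto-ACL and NAT-exemption problems raised in the thread."""
    acls, rmaps, findings, crypto_acl, nat_ref, cur_rm = {}, {}, [], None, ("list", None), None
    for tok in filter(None, map(str.split, config.splitlines())):
        if tok[0] == "access-list":                            # standard or extended ACE
            src, rest = _net(tok[4:] if tok[3] == "ip" else tok[3:])
            dst = _net(rest)[0] if rest else ip_network("0.0.0.0/0")
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[:2] == ["match", "address"]:                  # crypto map's interesting traffic
            crypto_acl = tok[2]
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            nat_ref = (tok[4], tok[5])                         # ('list', acl) or ('route-map', name)
        elif tok[0] == "route-map":
            cur_rm = tok[1]
        elif tok[:3] == ["match", "ip", "address"]:
            rmaps[cur_rm] = tok[3]
    nat_acl = rmaps.get(nat_ref[1]) if nat_ref[0] == "route-map" else nat_ref[1]
    entries = acls.get(crypto_acl, [])
    permits = [(s, d) for a, s, d in entries if a == "permit"]
    if any(a == "deny" for a, _, _ in entries):
        findings.append(("CRYPTO_ACL_HAS_DENY", crypto_acl))
    if any((d, s) in permits for s, d in permits):             # return path belongs on the peer
        findings.append(("CRYPTO_ACL_MIRRORED", crypto_acl))
    for s, d in permits:  # first NAT ACL entry covering the VPN flow decides; no match = not NATed
        verdict = next((a for a, ns, nd in acls.get(nat_acl, [])
                        if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
        if verdict == "permit":
            findings.append(("NAT_BEFORE_ENCRYPT", f"{s} -> {d}"))
    return findings
```

Running `audit(T1_BEFORE)` reports the deny lines, the mirrored permit, and the 192.168.152.0/24 to 192.168.151.0/24 flow being NATed; feeding it the corrected T1 configuration from the comment above returns no findings.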
I think you should route the remote network via the T1 interface and not via the loopback on the first router.

Also add a route for 192.168.152.0 towards the next hop at Ethernet0 of the 1720 with DSL.

That should work.
teepee2 (Author) Commented:
I went through and redid the config on both routers and finally got it to work.