Cisco 1720 VPN (t1) to Cisco 1720 VPN (DSL)

Hello people,

I am kind of stuck here... We have two offices that both have Cisco 1720 routers. I have gone in and configured crypto for the VPN, but I can't get the two sites to talk to each other. How can I check what the problem is (as far as logs, etc.)? Here is the configuration of my routers:

Cisco 1720 (T1)

version 12.2
service telnet-zeroidle
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
hostname rt1
memory-size iomem 20
clock timezone EST -5
ip subnet-zero
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 2.2.2.2
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
crypto map svisakmp 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set svipsec
 match address 186
interface Loopback0
 ip address 1.1.1.1 255.255.255.248
 crypto map svisakmp
interface FastEthernet0
 ip address 192.168.152.20 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 no cdp enable
interface Serial0
 ip address xx.xx.xx.xx 255.255.255.252
 ip accounting output-packets
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map svisakmp
ip nat pool svaddr xx.xx.xx.27 xx.xx.xx.30 netmask 255.255.255.248
ip nat inside source list 1 pool svaddr overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 192.168.151.0 255.255.255.0 Loopback0
no ip http server
logging trap debugging
access-list 102 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny   ip 192.168.152.0 0.0.0.255 any
access-list 186 deny   ip 192.168.151.0 0.0.0.255 any
no cdp run
route-map nonat permit 20
 match ip address 102

Cisco 1720 (DSL)

version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
hostname rt2
logging buffered 4096 debugging
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
crypto map svisakmp 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set svipsec
 match address 186
interface Ethernet0
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
 half-duplex
 no cdp enable
 crypto map svisakmp
!
interface FastEthernet0
 ip address 192.168.151.101 255.255.255.0 secondary
 ip address 192.168.151.1 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 priority-group 1
 no cdp enable
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
no ip http server
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny   ip 192.168.152.0 0.0.0.255 any
access-list 186 deny   ip 192.168.151.0 0.0.0.255 any
no cdp run

Thank you guys in advance for your help!!
0
Asked by: teepee2
 
jajjones commented:
Why have you applied the crypto map to Loopback0 on the T1 router? That is the first pass...

There are various debug commands:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dt_vpn17.htm#1037269
0
 
teepee2 (Author) commented:
What interface should the crypto map be on?
I have seen another configuration in the past that has worked; that is why I followed that model.
0
 
jajjones commented:
OK, the way I would do it is to apply the crypto maps on the WAN side of things at either end... your loopbacks don't handle any data as such.
0
 
magicomminc commented:
--on Cisco 1720 (T1):
1) remove:
ip nat inside source list 1 pool svaddr overload
2) change access-list 186 to below (one line only):
no access-list 186
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
3) change access-list 102 to below:
no access-list 102
access-list 102 deny ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 102 permit ip 192.168.152.0 0.0.0.255 any
4) add:
ip nat inside source route-map nonat pool svaddr overload
--on Cisco 1720 (DSL):
1) remove:
ip nat inside source list 1 interface Ethernet0 overload
2) change access-list 186 to below (one line only):
no access-list 186
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
3) add following:
access-list 102 deny ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 102 permit ip 192.168.151.0 0.0.0.255 any
ip nat inside source route-map nonat interface ethernet0 overload
route-map nonat permit 20
 match ip address 102
Note: "route-map nonat" really means "NAT" everything to Internet.
0
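An offline check for the two problems the replies above point out (a crypto map bound to a loopback, and NAT applied to traffic that the crypto ACL selects), as an added example that is not part of the original thread. The `parse` and `audit` helpers and the BEFORE/AFTER samples are constructed for illustration; AFTER assumes the crypto map sits on Serial0 and NAT uses the `nonat` route-map with `pool svaddr overload`.

```python
import re
SPEC = r"(any|host \S+|\S+ \S+)"          # the three address forms of an extended ACL
ACL = re.compile(rf"access-list (\d+) (permit|deny)\s+ip {SPEC} {SPEC}$")

def parse(cfg):
    """Pull out the config elements the replies in the thread talk about."""
    p = {"crypto_ifaces": [], "acls": {}, "crypto_acl": None, "nat": (None, None), "rmaps": {}}
    ctx = ""
    for line in cfg.splitlines():
        s, sub = line.strip(), line.startswith(" ")
        ctx = ctx if sub else s               # a top-level line opens a new block
        if m := ACL.match(s):
            p["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+)", s):
            p["nat"] = (m[1], m[2])
        elif sub and s.startswith("crypto map") and ctx.startswith("interface "):
            p["crypto_ifaces"].append(ctx.split()[1])
        elif sub and s.startswith("match address ") and ctx.startswith("crypto map"):
            p["crypto_acl"] = s.split()[-1]
        elif sub and s.startswith("match ip address ") and ctx.startswith("route-map"):
            p["rmaps"][ctx.split()[1]] = s.split()[-1]
    return p

def audit(cfg):
    """Findings for the two problems raised in the replies (loopback, NAT)."""
    p = parse(cfg)
    out = [f"crypto map on {i}" for i in p["crypto_ifaces"] if i.lower().startswith("loopback")]
    kind, name = p["nat"]
    nat_acl = p["rmaps"].get(name) if kind == "route-map" else name
    denies = {(s, d) for a, s, d in p["acls"].get(nat_acl, []) if a == "deny"}
    out += [f"NAT not bypassed for {s} -> {d}" for a, s, d in p["acls"].get(p["crypto_acl"], [])
            if kind and a == "permit" and (s, d) not in denies]
    return out

# Constructed samples: a trimmed T1 config from the question, then with the replies' changes.
BEFORE = """\
crypto map svisakmp 1 ipsec-isakmp
 match address 186
interface Loopback0
 crypto map svisakmp
ip nat inside source list 1 pool svaddr overload
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
"""
AFTER = BEFORE.replace("Loopback0", "Serial0").replace("source list 1", "source route-map nonat") + """\
route-map nonat permit 20
 match ip address 102
access-list 102 deny ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 102 permit ip 192.168.152.0 0.0.0.255 any
"""
```

`audit(BEFORE)` reports both findings and `audit(AFTER)` reports none; the check only looks for an exact deny entry in the NAT ACL matching each crypto ACL permit, so overlapping but non-identical prefixes are not evaluated.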
 
sohaibfaruq commented:
I think you should route the remote network via the T1 interface and not via the loopback on the first router...

Also add a route for 192.168.152.0 towards the next hop at Ethernet0 of the 1720 with DSL.

That should work.
0
 
teepee2 (Author) commented:
I went through and redid the config on both routers and finally got it to work.
0
Question has a verified solution.