version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco851
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.134.1.1 10.134.1.20
!
ip dhcp pool pool1
network 10.134.1.0 255.255.255.0
default-router 10.134.1.1
dns-server 10.2.1.10 10.2.1.20
!
!
ip cef
ip domain name DomainName
ip ssh time-out 45
!
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-1234567890
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
quit
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key ********** address 61.123.234.16
!
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set level1 esp-des esp-md5-hmac
!
crypto map outside_map 10 ipsec-isakmp
description Tunnel to Core
set peer 61.123.234.16
set transform-set level1
match address 105
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description DSL outside interface$ES_WAN$
ip address 71.123.132.17 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map outside_map
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.134.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
crypto map outside_map
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.123.132.1
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 100 deny ip 10.134.1.0 0.0.0.255 10.130.1.0 0.0.0.255
access-list 100 deny icmp 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 100 deny icmp 10.105.1.0 0.0.0.255 10.130.1.0 0.0.0.255
access-list 100 permit ip 10.105.1.0 0.0.0.255 any
access-list 100 permit icmp 10.105.1.0 0.0.0.255 any
access-list 105 permit ip 10.105.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 105 permit ip 10.105.1.0 0.0.0.255 10.130.1.0 0.0.0.255
access-list 105 permit icmp 10.105.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 105 permit icmp 10.105.1.0 0.0.0.255 10.130.1.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179385
ntp server 192.43.244.18
end
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080656460.html
Hope this helps...
You've got your access-list for NATing mixed up.
You've got to deny traffic for which you don't want NAT (VPN traffic) and then allow that for which you do (Internet traffic). Also if you deny/permit for ip, then that includes icmp as well as tcp and udp.
Access list 100 from above should be:
! delete current entries
no access-list 100
! simplify VPN traffic entries
access-list 100 deny ip 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 100 deny ip 10.134.1.0 0.0.0.255 10.130.1.0 0.0.0.255
! this is where you've gone wrong, should be inside addresses
access-list 100 permit ip 10.134.1.0 0.0.0.255 any
Inside network is 10.134.1.0/24 and I'm again assuming remote VPN networks are 10.2.1.0/24 and 10.130.1.0/24
! delete current entries
no access-list 105
access-list 105 permit ip 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 105 permit ip 10.134.1.0 0.0.0.255 10.130.1.0 0.0.0.255
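To see why the original list 100 never translates the 10.134.1.0/24 hosts and why a single "deny ip" line also covers ICMP, here is a small first-match ACL evaluator written for this thread (it is not code from the question or the answer above). It embeds the two versions of list 100 as constructed sample input; the 8.8.8.8 destination stands in for "any Internet host", and only contiguous wildcard masks and protocol/address matching are handled (no port matches).

```python
import ipaddress

# Constructed sample input: list 100 as posted in the question, and as corrected in the answer.
ORIGINAL_ACL_100 = [
    "access-list 100 deny ip 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255",
    "access-list 100 deny ip 10.134.1.0 0.0.0.255 10.130.1.0 0.0.0.255",
    "access-list 100 deny icmp 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255",
    "access-list 100 deny icmp 10.105.1.0 0.0.0.255 10.130.1.0 0.0.0.255",
    "access-list 100 permit ip 10.105.1.0 0.0.0.255 any",
    "access-list 100 permit icmp 10.105.1.0 0.0.0.255 any",
]
CORRECTED_ACL_100 = [
    "access-list 100 deny ip 10.134.1.0 0.0.0.255 10.2.1.0 0.0.0.255",
    "access-list 100 deny ip 10.134.1.0 0.0.0.255 10.130.1.0 0.0.0.255",
    "access-list 100 permit ip 10.134.1.0 0.0.0.255 any",
]


def _parse_addr(tokens, i):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the inverse of a netmask; ipaddress accepts that hostmask form directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line):
    """'access-list <n> <permit|deny> <proto> <src> <dst>' -> (action, proto, src_net, dst_net)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return action, proto, src, dst


def acl_action(rules, proto, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst in (parse_rule(r) for r in rules):
        # 'ip' matches every IP protocol, so it already covers icmp, tcp and udp.
        if rproto in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    # permit = flow is translated by 'ip nat inside source list 100'; deny = left untranslated.
    print("original, inside -> Internet:", acl_action(ORIGINAL_ACL_100, "tcp", "10.134.1.5", "8.8.8.8"))
    print("corrected, inside -> Internet:", acl_action(CORRECTED_ACL_100, "tcp", "10.134.1.5", "8.8.8.8"))
    print("corrected, inside -> VPN ping:", acl_action(CORRECTED_ACL_100, "icmp", "10.134.1.5", "10.2.1.10"))
```

With the original list, Internet-bound traffic from 10.134.1.0/24 falls through to the implicit deny and is never translated, while the corrected list permits it and still exempts the VPN subnets (ICMP included) through the "deny ip" entries.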