Solved

Cisco Routing Issue over Point-To-Point T1 - TUNNEL Works fine over Internet Circuits!! HELP!

Posted on 2007-03-30
Last Modified: 2008-12-06
I have 2 sites. Site A and Site B. Each site has an internet T1 and an ipsec tunnel configured. This configuration works perfectly. Now I am trying to keep the internet T1 and use it for internet traffic and install a P2P T1 and use it for corporate traffic. I can get the circuit up and running and ping back and forth without a problem. As soon as I add a static route on each router to prefer to go over the new P2P T1, I can ICMP from one internet network to the other no problem. However, on Site A I can RDP to Site B. But Site B cannot RDP to Site A. Now mind you that the only thing I did was change the routing!! The tunnels work fine if I remove the static route or shut down the P2P T1 interfaces. This is a really strange problem! I think there must be a simple solution. Here are the configs:

Site A Router:

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SITE A
!
logging rate-limit console 10 except errors
enable secret 5 X
!
username admin privilege 15 password 7 XXXXX
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
!
no ip finger
no ip telnet comport enable
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
!
!
!
!
!
controller T1 1/0
 channel-group 0 timeslots 1-24
 description T1 to PACIS410
!
controller T1 1/1
 channel-group 0 timeslots 1-24
 description T1 to QOV400 (PROBLEM CIRCUIT)
!
controller T1 1/2
!
controller T1 1/3
!
!
interface FastEthernet0/0
 description to local LAN
 ip address 66.x.x.1 255.255.255.224
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0:0
 description PASGV to PACIS410  (NOT HAVING A PROBLEM WITH THIS CIRCUIT)
 bandwidth 1500
 ip address 10.2.1.1 255.255.255.252
 encapsulation ppp
!
interface Serial1/1:0
 description PASGV to QOV400 - (PROBLEM CIRCUIT)
 bandwidth 1500
 ip address 67.x.x.54 255.255.255.252
 encapsulation ppp
 shutdown
!
interface ATM2/0
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/1
 no ip address
 ima-group 1
!
interface ATM2/ima1
 description ATM-IMA TO PBI 4.5Mb
 ip address 64.x.x.x 255.255.255.252 (INTERNET)
 ip access-group 102 in
 no atm ilmi-keepalive
 pvc 2/35
  encapsulation aal5snap
 !
!
interface ATM2/2
 no ip address
 ima-group 1
!
interface ATM2/3
 no ip address
 ima-group 1
!
interface ATM2/4
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/5
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/6
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/7
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.174.126.201
ip route 67.x.x.48 255.255.255.252 67.x.x.53
ip route 216.x.x.6 255.255.255.255 10.2.1.2 (NOT HAVING A PROBLEM)
no ip http server
!
access-list 1 permit 66.x.x.3
access-list 102 deny   tcp any any range 135 139
access-list 102 deny   tcp any any eq 3389
access-list 102 deny   udp any any range 135 netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   udp any any eq 1434
access-list 102 deny   tcp any any eq telnet
access-list 102 deny   ip 207.150.160.0 0.0.3.255 any
access-list 102 permit ip any any
snmp-server community X
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 1 in
 password 7 XXXXX
 login local
 transport input telnet
line vty 5 15
 no login
!
end

SITE B

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SITE B
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 51200 warnings
enable secret X
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
no ip domain lookup
!
!
!
crypto pki trustpoint TP-self-signed-3809913011
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3809913011
 revocation-check none
 rsakeypair TP-self-signed-3809913011
!
!
crypto pki certificate chain TP-self-signed-3809913011
 XXXX
  quit
username admin privilege 15 secret 5 XXXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key X address 216.x.x.132
crypto isakmp key x address 66.x.x.18
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map qov 1 ipsec-isakmp
 set peer 216.x.x.132 (NOT HAVING A PROBLEM)
 set transform-set vpn
 match address 120
crypto map qov 2 ipsec-isakmp
 set peer 66.x.x.18 (TUNNEL OK WHEN GOING THROUGH INTERNET)
 set transform-set vpn
 match address 110
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Outside Interface from Nortel BCM50e s768k$ETH-WAN$$FW_OUTSIDE$
 ip address 67.x.x.50 255.255.255.252 (INTERNET, just trust me)
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 10
 full-duplex
 no mop enabled
 crypto map qov
!
interface FastEthernet0/1
 description Internal Interface to 3COM Switch$ETH-LAN$$FW_INSIDE$
 ip address 10.1.116.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 bandwidth 1500
 ip address 67.x.x.53 255.255.255.252 (PROBLEM CIRCUIT)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.x.x.49 name NortelDefaultGateway
ip route 66.x.x.0 255.255.255.224 67.x.x.54
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Internet 67.x.x.50 67.x.x.50 netmask 255.255.255.240
ip nat inside source route-map nonat pool Internet overload
!
logging trap warnings
access-list 1 permit 10.1.116.0 0.0.0.255
access-list 2 permit 66.x.x.3
access-list 2 permit 10.1.116.0 0.0.0.255
access-list 2 permit 172.29.20.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 67.x.x.48 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 192.12.19.20
access-list 101 permit udp host 192.12.19.20 eq ntp host 67.x.x.50 eq ntp
access-list 101 permit ahp host 66.x.x.18 host 67.x.x.50
access-list 101 permit esp host 66.x.x.18 host 67.x.x.50
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 172.29.20.0 0.0.3.255 10.1.116.0 0.0.0.255
access-list 101 permit ahp host 216.x.x.132 host 67.x.x.50
access-list 101 permit esp host 216.x.x.132 host 67.x.x.50
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 10.1.100.0 0.0.0.255 10.1.116.0 0.0.0.255
access-list 101 deny   ip 10.1.116.0 0.0.0.255 any
access-list 101 permit icmp any host 67.x.x.50 echo-reply
access-list 101 permit icmp any host 67.x.x.50 time-exceeded
access-list 101 permit icmp any host 67.x.x.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 110 permit ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 120 permit ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny   ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny   ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 130 permit ip 10.1.116.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 130
!
!
!
control-plane
!
banner login ^CAuthorized access only.  This system is the property of X. Disconnect IMMEDIATELY as you are not an authorized user!  XXXXXX.^C
!
line con 0
 logging synchronous
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
sntp server 192.12.19.20
end


SITE A has a PIX 525 and like I said the tunnels work fine over the internet so let me know if you need me to post that config!!!!

Help.. this one really has me stumped!!!
Question by:groknit

Expert Comment

by:Sorenson
ID: 18931884
This was posted a while ago, is it still an active problem?

You want to ipsec tunnel across the new line?  When you test, did you create a new crypto map (named differently from qov) and tie it to s0/0 on site b?


Author Comment

by:groknit
ID: 18967873
This is still an existing issue.  The crypto map should still be the same right? The only change is to the router...  I need the preferred traffic to go over the new line.  It does in 1 direction but not the other.

Accepted Solution

by:
Sorenson earned 500 total points
ID: 18968971
When you enabled the ip route, did you add:
!
interface Serial0/0/0
  ip nat inside
!
to the Site B router?

Author Comment

by:groknit
ID: 19062548
No... can I NAT on both interfaces??  I guess maybe I would have to?
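Worked example added here (not code from the thread or from either router): a small Python model of the static routes and the per-interface NAT, crypto map and ACL placement visible in the two posted configs, used to trace where a packet enters and leaves each router once the P2P T1 route is in place. Tracing 10.1.116.x to 66.x.x.3 at Site B and the reply at Site A shows the forward packet leaving Serial0/0/0, where no NAT role and no crypto map are configured, while the Site A router has no route toward 10.1.116.0/24 other than its default. The masked octets in the post are replaced with constructed values (66.0.0.x, 67.0.0.x, 64.0.0.x); the nonat route-map and the PIX are not modelled.

```python
# Added example (not from the thread): model the static routing and the
# per-interface NAT/crypto/ACL placement in the two posted configs.
# Masked octets are constructed values (66.0.0.x, 67.0.0.x, 64.0.0.x).
from ipaddress import ip_address, ip_interface, ip_network

SITE_B = {
    "interfaces": {  # name -> (address/prefix, features configured on it)
        "Fa0/0": ("67.0.0.50/30", {"nat outside", "crypto map qov", "acl 101"}),
        "Fa0/1": ("10.1.116.1/24", {"nat inside", "acl 100"}),
        "Se0/0/0": ("67.0.0.53/30", set()),  # P2P T1: no NAT role, ACL or crypto
    },
    "routes": [("0.0.0.0/0", "67.0.0.49"), ("66.0.0.0/27", "67.0.0.54")],
}
SITE_A = {
    "interfaces": {
        "Fa0/0": ("66.0.0.1/27", set()),
        "Se1/0:0": ("10.2.1.1/30", set()),
        "Se1/1:0": ("67.0.0.54/30", set()),  # P2P T1 to Site B
        "ATM2/ima1": ("64.0.0.2/30", {"acl 102"}),  # internet; address constructed
    },
    "routes": [("0.0.0.0/0", "64.0.0.1"), ("67.0.0.48/30", "67.0.0.53"),
               ("216.0.0.6/32", "10.2.1.2")],
}

def lookup(router, dst):
    """Connected first, then longest static prefix; next hop resolved recursively."""
    dst = ip_address(dst)
    for name, (addr, _) in router["interfaces"].items():
        if dst in ip_interface(addr).network:
            return name, None
    matches = [(ip_network(p), nh) for p, nh in router["routes"] if dst in ip_network(p)]
    if not matches:
        return None, None
    _, nh = max(matches, key=lambda m: m[0].prefixlen)
    iface, _ = lookup(router, nh)  # static next hop -> connected interface
    return iface, nh

def trace(router, src, dst):
    """Ingress/egress for src->dst and which features sit on the interfaces crossed."""
    ingress, _ = lookup(router, src)
    egress, nh = lookup(router, dst)
    in_f = router["interfaces"][ingress][1] if ingress else set()
    out_f = router["interfaces"][egress][1] if egress else set()
    return {"ingress": ingress, "egress": egress, "next_hop": nh,
            # inside->outside role pair crossed (the nonat route-map is not modelled)
            "nat_path": "nat inside" in in_f and "nat outside" in out_f,
            "crypto": "crypto map qov" in out_f,
            "acls": sorted(f for f in in_f | out_f if f.startswith("acl"))}
```

Running `trace(SITE_B, "10.1.116.50", "66.0.0.3")` and `trace(SITE_A, "66.0.0.3", "10.1.116.50")` side by side is the symmetry check worth doing for every flow before it is moved off the encrypted path.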
