Solved

Cisco Routing Issue over Point-To-Point T1 - TUNNEL Works fine over Internet Circuits!! HELP!

Posted on 2007-03-30
6
643 Views
Last Modified: 2008-12-06
I have 2 sites.  Site A and Site B.  Each site has an internet T1 and an ipsec tunnel configured.  This configuration works perfectly.  Now I am trying to keep the internet T1 and use it for internet traffic and install a P2P T1 and use it for corporate traffic.  I can get the circuit up and running and ping back and forth without a problem.  As soon as I add a static route on each router to prefer to go over the new P2P T1, I can ICMP from one internet network to the other no problem.  However, on Site A I can RDP to Site B.  But Site B can not RDP to site A.  Now mind you that the only thing I did was change the routing!!  The tunnels work fine if I remove the static route or shutdown the P2P T1 interfaces.  This is a really strange problem!  I think there must be a simple solution.  Here are the configs:

Site A Router:

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SITE A
!
logging rate-limit console 10 except errors
enable secret 5 X
!
username admin privilege 15 password 7 XXXXX
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
!
no ip finger
no ip telnet comport enable
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
!
!
!
!
!
controller T1 1/0
 channel-group 0 timeslots 1-24
 description T1 to PACIS410
!
controller T1 1/1
 channel-group 0 timeslots 1-24
 description T1 to QOV400 (PROBLEM CIRCUIT)
!
controller T1 1/2
!
controller T1 1/3
!
!
interface FastEthernet0/0
 description to local LAN
 ip address 66.x.x.1 255.255.255.224
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0:0
 description PASGV to PACIS410  (NOT HAVING A PROBLEM WITH THIS CIRCUIT)
 bandwidth 1500
 ip address 10.2.1.1 255.255.255.252
 encapsulation ppp
!
interface Serial1/1:0
 description PASGV to QOV400 - (PROBLEM CIRCUIT)
 bandwidth 1500
 ip address 67.x.x.54 255.255.255.252
 encapsulation ppp
 shutdown
!
interface ATM2/0
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/1
 no ip address
 ima-group 1
!
interface ATM2/ima1
 description ATM-IMA TO PBI 4.5Mb
 ip address 64.x.x.x 255.255.255.252 (INTERNET)
 ip access-group 102 in
 no atm ilmi-keepalive
 pvc 2/35
  encapsulation aal5snap
 !
!
interface ATM2/2
 no ip address
 ima-group 1
!
interface ATM2/3
 no ip address
 ima-group 1
!
interface ATM2/4
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/5
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/6
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
interface ATM2/7
 no ip address
 shutdown
 no ima-group
 no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.174.126.201
ip route 67.x.x.48 255.255.255.252 67.x.x.53
ip route 216.x.x.6 255.255.255.255 10.2.1.2 (NOT HAVING A PROBLEM)
no ip http server
!
access-list 1 permit 66.x.x.3
access-list 102 deny   tcp any any range 135 139
access-list 102 deny   tcp any any eq 3389
access-list 102 deny   udp any any range 135 netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   udp any any eq 1434
access-list 102 deny   tcp any any eq telnet
access-list 102 deny   ip 207.150.160.0 0.0.3.255 any
access-list 102 permit ip any any
snmp-server community X
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 1 in
 password 7 XXXXX
 login local
 transport input telnet
line vty 5 15
 no login
!
end

SITE B

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SITE B
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 51200 warnings
enable secret X
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!        
!        
no ip bootp server
no ip domain lookup
!        
!        
!        
crypto pki trustpoint TP-self-signed-3809913011
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3809913011
 revocation-check none
 rsakeypair TP-self-signed-3809913011
!        
!        
crypto pki certificate chain TP-self-signed-3809913011
 XXXX
  quit
username admin privilege 15 secret 5 XXXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key X address 216.x.x.132
crypto isakmp key x address 66.x.x.18
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map qov 1 ipsec-isakmp
 set peer 216.x.x.132 (NOT HAVING A PROBLEM)
 set transform-set vpn
 match address 120
crypto map qov 2 ipsec-isakmp
 set peer 66.x.x.18 (TUNNEL OK WHEN GOING THROUGH INTERNET)
 set transform-set vpn
 match address 110
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Outside Interface from Nortel BCM50e s768k$ETH-WAN$$FW_OUTSIDE$
 ip address 67.x.x.50 255.255.255.252 (INTERNET, just trust me)
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 10
 full-duplex
 no mop enabled
 crypto map qov
!
interface FastEthernet0/1
 description Internal Interface to 3COM Switch$ETH-LAN$$FW_INSIDE$
 ip address 10.1.116.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 bandwidth 1500
 ip address 67.x.x.53 255.255.255.252 (PROBLEM CIRCUIT)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.x.x.49 name NortelDefaultGateway
ip route 66.x.x.0 255.255.255.224 67.x.x.54
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Internet 67.x.x.50 67.x.x.50 netmask 255.255.255.240
ip nat inside source route-map nonat pool Internet overload
!
logging trap warnings
access-list 1 permit 10.1.116.0 0.0.0.255
access-list 2 permit 66.x.x.3
access-list 2 permit 10.1.116.0 0.0.0.255
access-list 2 permit 172.29.20.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 67.x.x.48 0.0.0.15 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 192.12.19.20
access-list 101 permit udp host 192.12.19.20 eq ntp host 67.x.x.50 eq ntp
access-list 101 permit ahp host 66.x.x.18 host 67.x.x.50
access-list 101 permit esp host 66.x.x.18 host 67.x.x.50
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 172.29.20.0 0.0.3.255 10.1.116.0 0.0.0.255
access-list 101 permit ahp host 216.x.x.132 host 67.x.x.50
access-list 101 permit esp host 216.x.x.132 host 67.x.x.50
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 10.1.100.0 0.0.0.255 10.1.116.0 0.0.0.255
access-list 101 deny   ip 10.1.116.0 0.0.0.255 any
access-list 101 permit icmp any host 67.x.x.50 echo-reply
access-list 101 permit icmp any host 67.x.x.50 time-exceeded
access-list 101 permit icmp any host 67.x.x.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 110 permit ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 120 permit ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny   ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny   ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 130 permit ip 10.1.116.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 130
!
!
!
control-plane
!
banner login ^CAuthorized access only.  This system is the property of X. Disconnect IMMEDIATELY as you are not an authorized user!  XXXXXX.^C
!
line con 0
 logging synchronous
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
sntp server 192.12.19.20
end


SITE A has a PIX 525 and like I said the tunnels work fine over the internet so let me know if you need me to post that config!!!!

Help.. this one really has me stumped!!!
0
Comment
Question by:groknit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 18931884
This was posted a while ago, is it still an active problem?

You want to ipsec tunnel across the new line?  When you test, did you create a new crypto map (named differently from qov) and tie it to s0/0 on site b?

0
 

Author Comment

by:groknit
ID: 18967873
This is still an existing issue.  The crypto map should still be the same right? The only change is to the router...  I need the preferred traffic to go over the new line.  It does in 1 direction but not the other.
0
 
LVL 10

Accepted Solution

by:
Sorenson earned 500 total points
ID: 18968971
when you enabled the ip route, did you add:
!
interface Serial0/0/0
  ip nat inside
!
to the to site "B  router?



0
 

Author Comment

by:groknit
ID: 19062548
No... can I NAT on both interfaces??  I guess maybe I would have to?
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question