groknit asked:
Cisco Routing Issue over Point-To-Point T1 - TUNNEL Works fine over Internet Circuits!! HELP!
I have 2 sites, Site A and Site B. Each site has an internet T1 and an IPsec tunnel configured. This configuration works perfectly. Now I am trying to keep the internet T1 and use it for internet traffic, and install a P2P T1 and use it for corporate traffic. I can get the circuit up and running and ping back and forth without a problem. As soon as I add a static route on each router to prefer the new P2P T1, I can ICMP from one internet network to the other with no problem. However, from Site A I can RDP to Site B, but Site B cannot RDP to Site A. Now mind you that the only thing I did was change the routing!! The tunnels work fine if I remove the static route or shut down the P2P T1 interfaces. This is a really strange problem! I think there must be a simple solution. Here are the configs:
Site A Router:
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SITE A
!
logging rate-limit console 10 except errors
enable secret 5 X
!
username admin privilege 15 password 7 XXXXX
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
!
!
no ip finger
no ip telnet comport enable
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
!
!
!
!
!
controller T1 1/0
channel-group 0 timeslots 1-24
description T1 to PACIS410
!
controller T1 1/1
channel-group 0 timeslots 1-24
description T1 to QOV400 (PROBLEM CIRCUIT)
!
controller T1 1/2
!
controller T1 1/3
!
!
interface FastEthernet0/0
description to local LAN
ip address 66.x.x.1 255.255.255.224
duplex full
speed 100
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0:0
description PASGV to PACIS410 (NOT HAVING A PROBLEM WITH THIS CIRCUIT)
bandwidth 1500
ip address 10.2.1.1 255.255.255.252
encapsulation ppp
!
interface Serial1/1:0
description PASGV to QOV400 - (PROBLEM CIRCUIT)
bandwidth 1500
ip address 67.x.x.54 255.255.255.252
encapsulation ppp
shutdown
!
interface ATM2/0
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM2/1
no ip address
ima-group 1
!
interface ATM2/ima1
description ATM-IMA TO PBI 4.5Mb
ip address 64.x.x.x 255.255.255.252 (INTERNET)
ip access-group 102 in
no atm ilmi-keepalive
pvc 2/35
encapsulation aal5snap
!
!
interface ATM2/2
no ip address
ima-group 1
!
interface ATM2/3
no ip address
ima-group 1
!
interface ATM2/4
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM2/5
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM2/6
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM2/7
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.174.126.201
ip route 67.x.x.48 255.255.255.252 67.x.x.53
ip route 216.x.x.6 255.255.255.255 10.2.1.2 (NOT HAVING A PROBLEM)
no ip http server
!
access-list 1 permit 66.x.x.3
access-list 102 deny tcp any any range 135 139
access-list 102 deny tcp any any eq 3389
access-list 102 deny udp any any range 135 netbios-ss
access-list 102 deny tcp any any eq 445
access-list 102 deny udp any any eq 1434
access-list 102 deny tcp any any eq telnet
access-list 102 deny ip 207.150.160.0 0.0.3.255 any
access-list 102 permit ip any any
snmp-server community X
!
!
gatekeeper
shutdown
!
!
line con 0
transport input none
line aux 0
line vty 0 4
access-class 1 in
password 7 XXXXX
login local
transport input telnet
line vty 5 15
no login
!
end
SITE B
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SITE B
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 51200 warnings
enable secret X
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
no ip domain lookup
!
!
!
crypto pki trustpoint TP-self-signed-3809913011
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3809913011
revocation-check none
rsakeypair TP-self-signed-3809913011
!
!
crypto pki certificate chain TP-self-signed-3809913011
XXXX
quit
username admin privilege 15 secret 5 XXXXXX
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key X address 216.x.x.132
crypto isakmp key x address 66.x.x.18
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map qov 1 ipsec-isakmp
set peer 216.x.x.132 (NOT HAVING A PROBLEM)
set transform-set vpn
match address 120
crypto map qov 2 ipsec-isakmp
set peer 66.x.x.18 (TUNNEL OK WHEN GOING THROUGH INTERNET)
set transform-set vpn
match address 110
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Outside Interface from Nortel BCM50e s768k$ETH-WAN$$FW_OUTSIDE$
ip address 67.x.x.50 255.255.255.252 (INTERNET, just trust me)
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 10
full-duplex
no mop enabled
crypto map qov
!
interface FastEthernet0/1
description Internal Interface to 3COM Switch$ETH-LAN$$FW_INSIDE$
ip address 10.1.116.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
no mop enabled
!
interface Serial0/0/0
bandwidth 1500
ip address 67.x.x.53 255.255.255.252 (PROBLEM CIRCUIT)
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.x.x.49 name NortelDefaultGateway
ip route 66.x.x.0 255.255.255.224 67.x.x.54
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Internet 67.x.x.50 67.x.x.50 netmask 255.255.255.240
ip nat inside source route-map nonat pool Internet overload
!
logging trap warnings
access-list 1 permit 10.1.116.0 0.0.0.255
access-list 2 permit 66.x.x.3
access-list 2 permit 10.1.116.0 0.0.0.255
access-list 2 permit 172.29.20.0 0.0.3.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 67.x.x.48 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 192.12.19.20
access-list 101 permit udp host 192.12.19.20 eq ntp host 67.x.x.50 eq ntp
access-list 101 permit ahp host 66.x.x.18 host 67.x.x.50
access-list 101 permit esp host 66.x.x.18 host 67.x.x.50
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 66.x.x.18 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 172.29.20.0 0.0.3.255 10.1.116.0 0.0.0.255
access-list 101 permit ahp host 216.x.x.132 host 67.x.x.50
access-list 101 permit esp host 216.x.x.132 host 67.x.x.50
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq isakmp
access-list 101 permit udp host 216.x.x.132 host 67.x.x.50 eq non500-isakmp
access-list 101 permit ip 10.1.100.0 0.0.0.255 10.1.116.0 0.0.0.255
access-list 101 deny ip 10.1.116.0 0.0.0.255 any
access-list 101 permit icmp any host 67.x.x.50 echo-reply
access-list 101 permit icmp any host 67.x.x.50 time-exceeded
access-list 101 permit icmp any host 67.x.x.50 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 110 permit ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 120 permit ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny ip 10.1.116.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 130 deny ip 10.1.116.0 0.0.0.255 172.29.20.0 0.0.3.255
access-list 130 permit ip 10.1.116.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 130
!
!
!
control-plane
!
banner login ^CAuthorized access only. This system is the property of X. Disconnect IMMEDIATELY as you are not an authorized user! XXXXXX.^C
!
line con 0
logging synchronous
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 2 in
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
sntp server 192.12.19.20
end
SITE A has a PIX 525 and like I said the tunnels work fine over the internet so let me know if you need me to post that config!!!!
Help.. this one really has me stumped!!!
ASKER
This is still an existing issue. The crypto map should still be the same right? The only change is to the router... I need the preferred traffic to go over the new line. It does in 1 direction but not the other.
ASKER
No... can I NAT on both interfaces?? I guess maybe I would have to?
You want to IPsec tunnel across the new line? When you test, did you create a new crypto map (named differently from qov) and tie it to s0/0 on Site B?
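The routing question in the original post and the crypto-map question in the reply above, worked as an added example that is not from the thread: it loads the static routes and interface networks from both posted configs into a longest-prefix-match lookup and reports, for a LAN-to-LAN flow and for the two IPsec peer addresses, which interface each router sends each direction out of and which of the posted features (crypto map qov, ip nat outside, inbound ACL) that interface carries. Assumptions: octets the poster masked with "x" are replaced by constructed placeholder values, the Site A internet address is a placeholder on the same /30 as its default gateway, and Site A's Serial1/1:0 is modelled as up even though the posted config shows it shut down.

```python
"""Added example, not from the thread: longest-prefix-match lookups over the
static routes and connected networks in the two posted configs, with the
features (crypto map, NAT, inbound ACL) the post binds to each interface.
Octets masked as 'x' in the post are constructed placeholder values here, and
Site A's Serial1/1:0 is modelled as up (the post shows it 'shutdown')."""
import ipaddress

SITE_A = {  # interface -> (address/prefix, features configured on it in the post)
    "ifaces": {
        "FastEthernet0/0": ("66.0.0.1/27", set()),               # local LAN
        "Serial1/0:0": ("10.2.1.1/30", set()),                   # T1 to PACIS410
        "Serial1/1:0": ("67.0.0.54/30", set()),                  # P2P T1 to Site B
        "ATM2/ima1": ("64.174.126.202/30", {"acl 102 in"}),      # internet (placeholder)
    },
    "routes": [("0.0.0.0/0", "64.174.126.201"),
               ("67.0.0.48/30", "67.0.0.53"),
               ("216.0.0.6/32", "10.2.1.2")],
}
SITE_B = {
    "ifaces": {
        "FastEthernet0/0": ("67.0.0.50/30",
                            {"crypto map qov", "ip nat outside", "acl 101 in"}),
        "FastEthernet0/1": ("10.1.116.1/24", {"ip nat inside", "acl 100 in"}),
        "Serial0/0/0": ("67.0.0.53/30", set()),                  # P2P T1 to Site A
    },
    "routes": [("0.0.0.0/0", "67.0.0.49"),
               ("66.0.0.0/27", "67.0.0.54")],
}

def egress(site, dst, depth=0):
    """Longest-prefix match for dst: returns (interface, its connected network,
    features), resolving a static route's next hop against connected networks."""
    dst = ipaddress.ip_address(dst)
    best = None                          # (prefixlen, interface name or next hop)
    for name, (cidr, _) in site["ifaces"].items():
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    for prefix, nh in site["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    if best is None or depth > 8:        # no route, or next-hop resolution loops
        return None
    via = best[1]
    if via in site["ifaces"]:
        cidr, feats = site["ifaces"][via]
        return via, str(ipaddress.ip_network(cidr, strict=False)), feats
    return egress(site, via, depth + 1)  # recursive static route

def flow_check(src_site, src, dst_site, dst):
    """Egress for src->dst on the source router and for the reply on the other
    router; the path is symmetric when both exit onto the same link."""
    fwd, rev = egress(src_site, dst), egress(dst_site, src)
    return fwd, rev, fwd is not None and rev is not None and fwd[1] == rev[1]

if __name__ == "__main__":
    fwd, rev, sym = flow_check(SITE_B, "10.1.116.10", SITE_A, "66.0.0.10")
    print("LAN B -> LAN A out", fwd[0], "reply out", rev[0], "same link:", sym)
```

For the LAN-to-LAN flow the lookup returns Site B's Serial0/0/0 outbound and Site A's ATM2/ima1 (the default route) for the reply, and for the two peer addresses it returns the P2P serial on both routers, an interface to which the posted Site B config binds no crypto map and no NAT.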