Solved: GRE Tunnel routing problem

logic2

7/21/2008

actually i didnt look at the ACL in detail but what i can see is that your hosts will be natted
so to other networks they do exist with a different ip address, probably the WAN ip address
usually when we do an IPSEC tunnel between two sides we dont do natting
so try to remove the ip nat inside and see if it would work
i didnt check the ACLs in detail because the nat statement attracted me :)

wingatesl

7/21/2008

Change your static routes to point to the opposite side's Tunnel address. The NAT should not be a problem as you are not running nat on your tunnel interface. If you can ping across to the other tunnel, that means NAT has already been passed on the outside interface. Better yet, you can enable a dynamic routing protocol on each side

router eigrp 1
network 172.18.0.0 0.0.255.255

on both routers and you should be good.
Shawn

officeli0n

7/22/2008

ASKER

I did enable EIGRP and i still have the same issue. here is a eigrp topology. Should the networks be passive? hmmm

Clay#show ip eigrp topology
IP-EIGRP Topology Table for AS(20)/ID(208.125.212.18)
 
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
 
P 172.18.5.0/24, 1 successors, FD is 297244416
        via Connected, Tunnel1
P 172.18.2.0/24, 1 successors, FD is 297246976
        via 172.18.5.2 (297246976/28160), Tunnel1
P 172.18.3.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0

Open in new window

logic2

7/22/2008

am not sure but having the tunnel interface crossing the main interface i dont like this
moreover ACL 102 is blocking traffic from 172.18.2.0/24 to anywhere
access-list 102 deny ip 172.18.2.0 0.0.0.255 any
try removing ACL 102 off the interface and test again
i dont like this tunneling stuff actually
issue the sh ip nat translations to make sure that NAT is bypassed

officeli0n

7/22/2008

ASKER

I pulled the acl 102, still no ping. when i ran the show ip nat translation, nothing printed, it just went to prompt on next line. just to reiterate. I can ping accross network from telnet prompt, but not host to host. Any idea on the passive status for the eigrp topology? its been my experience that passive means ignore.

logic2

7/22/2008

and what about the other side does it have a similar ACL ?
i guess Shawn can answer you about EIGRP

officeli0n

7/23/2008

ASKER

I removed both acl 102's. I have attatched the full configs of each router, maybe there is something obvious i am missing. Where does the telnet session sit on the router? what interface? very very strange problem.

172.18.3.1 Router======================
Building configuration...
 
Current configuration : 12617 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cla
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
ip domain name domain.local
ip name-server 24.92.226.1
ip name-server 24.92.226.2
!
!
crypto pki trustpoint TP-self-signed-308984017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-308984017
 revocation-check none
 rsakeypair TP-self-signed-308984017
!
!
crypto pki certificate chain TP-self-signed-308984017
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33303839 38343031 37301E17 0D303731 31303932 30303033 
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3330 38393834 
  30313730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  C4CBC2C8 B0CCAC36 67BAEFE3 397EC364 B8BFA066 0599F391 094D2BFD FBC88D57 
  2D35FE9A 4E6A4E39 F9E299C1 D131BC89 6104D611 82FA88C0 DE16CDEA 667BBC30 
  EA855AF7 411E4B9E 6AC5FC7A 8C4068DE DFC33EAF FAB954C2 EA194F30 211D7314 
  5DE7F946 9C8EF648 56314B96 51F5FDFC CD9BD460 84E2E8BF 8B75153B 7DD6054F 
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 
  11041630 14821243 6C61792E 636E7964 6961672E 6C6F6361 6C301F06 03551D23 
  04183016 801412E6 41C04F6F 4BBBA452 961A3F0F B574DA43 3C36301D 0603551D 
  0E041604 1412E641 C04F6F4B BBA45296 1A3F0FB5 74DA433C 36300D06 092A8648 
  86F70D01 01040500 03818100 05196B41 2C53A2D8 A27AF3B4 BA02361C C2E4150F 
  B0CA8431 8FD6C45E 61C2A449 960BAA9E CD547DD5 C7DC0C3D 4F037628 9F79269D 
  DD88081A A6CF639B 98FF883D 064E6A6C 74FC590A AF90F185 151A43A1 8E793D3E 
  3F1E51E1 45DF5CB0 BBD9EF8C 00CE7E65 89AC44C8 F0F3C5A1 913A25B0 7CDAAC6F 
  9F0C2178 1B5FB371 72B99149
  quit
username noop privilege 15 secret 5 $1$XeYV$.tN4ccNEbPfDs5mAnssgB.
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pa$word address 208.125.212.21
crypto isakmp key pa$word address 208.125.212.17
crypto isakmp key pa$word address 208.125.212.18
crypto isakmp key pa$word address 24.213.143.15 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description ### Tunnel to South ###
 set peer 208.125.212.21
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to208.125.212.17
 set peer 208.125.212.17
 set transform-set ESP-3DES-SHA3 
 match address 104
crypto map SDM_CMAP_1 3 ipsec-isakmp 
 description Tunnel to24.213.143.15
 set peer 24.213.143.15
 set transform-set ESP-3DES-SHA11 
 match address 105
crypto map SDM_CMAP_1 4 ipsec-isakmp 
 description Tunnel to24.213.143.15
 set peer 24.213.143.15
 set transform-set ESP-3DES-SHA13 
 match address 107
!
!
!
interface Tunnel1
 ip address 172.18.5.1 255.255.255.0
 ip access-group sdm_tunnel1_in in
 ip mask-reply
 ip mtu 1476
 ip route-cache flow
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 24.213.143.15
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0
 description ### LAN - ###
 ip address 172.18.3.1 255.255.255.0
 ip access-group 100 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 description ### WAN -  ###$ETH-WAN$
 ip address 208.125.212.18 255.255.255.252
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 description ### - Access Port ###
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 description ### Interface to ###$FW_OUTSIDE$
 ip address 10.121.17.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
router eigrp 20
 passive-interface Vlan1
 network 172.18.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.125.212.17 name Default
ip route 10.121.1.0 255.255.255.0 10.121.17.1 name Itentive
ip route 10.121.15.0 255.255.255.0 10.121.17.1 name Itentive
ip route 172.18.5.0 255.255.255.0 Tunnel1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended sdm_tunnel1_in
 remark SDM_ACL Category=1
 permit ahp host 24.213.143.15 host 172.18.5.1
 permit esp host 24.213.143.15 host 172.18.5.1
 permit udp host 24.213.143.15 host 172.18.5.1 eq isakmp
 permit udp host 24.213.143.15 host 172.18.5.1 eq non500-isakmp
 permit gre host 24.213.143.15 host 208.125.212.18
 remark IPSec Rule
 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ahp host 208.125.212.17 host 172.18.5.1
 permit esp host 208.125.212.17 host 172.18.5.1
 permit udp host 208.125.212.17 host 172.18.5.1 eq isakmp
 permit udp host 208.125.212.17 host 172.18.5.1 eq non500-isakmp
 remark IPSec Rule
 permit ip 172.18.4.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ahp host 208.125.212.21 host 172.18.5.1
 permit esp host 208.125.212.21 host 172.18.5.1
 permit udp host 208.125.212.21 host 172.18.5.1 eq isakmp
 permit udp host 208.125.212.21 host 172.18.5.1 eq non500-isakmp
 remark IPSec Rule
 permit ip 172.18.1.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
 permit ip host 172.18.3.209 host 172.18.2.161
!
access-list 1 remark For NAT to Internet
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.18.3.0 0.0.0.255
access-list 1 permit 10.121.17.0 0.0.0.255
access-list 23 permit 172.18.0.0 0.0.255.255
access-list 100 remark Inbound access list on LAN Interface
access-list 100 remark SDM_ACL Category=17
access-list 100 deny   ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.3.1
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 permit ip any any
access-list 101 remark Inbound access list on Itentive Interface
access-list 101 deny   ip 172.18.3.0 0.0.0.255 any
access-list 101 permit icmp any host 10.121.17.2
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit ip any any
access-list 102 remark Inbound access list on Outside interface
access-list 102 remark SDM_ACL Category=16
access-list 102 permit icmp any any
access-list 102 permit gre host 24.213.143.15 host 208.125.212.18
access-list 102 permit udp host 24.213.143.15 host 208.125.212.18 eq non500-isakmp
access-list 102 permit udp host 24.213.143.15 host 208.125.212.18 eq isakmp
access-list 102 permit esp host 24.213.143.15 host 208.125.212.18
access-list 102 permit ahp host 24.213.143.15 host 208.125.212.18
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.4.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 102 permit udp host 208.125.212.17 host 208.125.212.18 eq non500-isakmp
access-list 102 permit udp host 208.125.212.17 host 208.125.212.18 eq isakmp
access-list 102 permit esp host 208.125.212.17 host 208.125.212.18
access-list 102 permit ahp host 208.125.212.17 host 208.125.212.18
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 102 permit udp host 208.125.212.21 host 208.125.212.18 eq non500-isakmp
access-list 102 permit udp host 208.125.212.21 host 208.125.212.18 eq isakmp
access-list 102 permit esp host 208.125.212.21 host 208.125.212.18
access-list 102 permit ahp host 208.125.212.21 host 208.125.212.18
access-list 102 deny   ip 10.121.17.0 0.0.0.255 any
access-list 102 deny   ip 172.18.3.0 0.0.0.255 any
access-list 102 permit icmp any host 208.125.212.18
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.3.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 172.18.3.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 permit gre host 208.125.212.18 host 24.213.143.15
access-list 107 remark SDM_ACL Category=4
access-list 107 permit gre host 208.125.212.18 host 24.213.143.15
access-list 107 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 110 remark SDM_ACL Category=2
access-list 110 deny   gre host 208.125.212.18 host 24.213.143.15
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.18.3.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.18.3.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 110 permit ip 10.121.17.0 0.0.0.255 any
access-list 110 permit ip 172.18.3.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
!
!
control-plane
!
banner login ^CCCCC
***************************************************************************
                                WARNING!!!
        This network device is private property.
        Unauthorized access is strictly prohibited and subject to
        prosecution under international, state, federal and local
        statutes. This device is subject to monitoring.  If you
        are unauthorized or do not consent to our network
        monitoring of usage, disconnect NOW.
 
 ****************************************************************************
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
END 172.18.3.1 Router=======================
 
 
172.18.2.1 Router==========================
 
 
Building configuration...
 
Current configuration : 13762 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Brittonfield
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name domain.local
ip name-server 24.92.226.1
ip name-server 24.92.226.2
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-399736215
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-399736215
 revocation-check none
 rsakeypair TP-self-signed-399736215
!
!
crypto pki certificate chain TP-self-signed-399736215
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33393937 33363231 35301E17 0D303731 32303531 34313434 
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3339 39373336 
  32313530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  AF212155 A68BB61A 7E4F1376 72BB1EF9 CFB38F59 56943CDA BB6762E0 2F5CA1CE 
  FF3C6795 0B75624E 96B0799C 8B5B8908 351B0EC5 CE6C23B5 F4513DF2 997CCF04 
  62DA3890 F0C1D585 2D1FCC18 29E22016 5E9AB128 6593515C 1F3B547D BF943482 
  2D891E47 399B4AC0 FE3AE4C9 0BDDEAB7 00F8B841 F117BEEB 4148AD6B D7434C65 
  02030100 01A37A30 78300F06 03551D13 0101FF04 05300301 01FF3025 0603551D 
  11041E30 1C821A42 72697474 6F6E6669 656C642E 636E7964 6961672E 6C6F6361 
  6C301F06 03551D23 04183016 8014F95A 7CA2031A B9BB3360 54AB107B E8403317 
  EF1F301D 0603551D 0E041604 14F95A7C A2031AB9 BB336054 AB107BE8 403317EF 
  1F300D06 092A8648 86F70D01 01040500 03818100 4E9C1CD0 1BDD7430 88ED22B5 
  B614270B 17397AFF F6F399BA 8A8CABA8 E728E41F 3C9345DA 40399595 01B68772 
  7442BF9B 69031518 1137FBA5 4F699C93 3328001F 68444EC1 24922719 06EDD8AB 
  0478E3B1 1B081309 2B9F80EA 12D5121B B4F20A0E DD9A9B85 A10768CB 52995D83 
  58308897 9B7A5E1D 5ADCCF9E 8638A835 56FEA126
  quit
username noop privilege 15 secret 5 $1$XeYV$.tN4ccNEbPfDs5mAnssgB.
username confirm privilege 15 secret 5 $1$urYX$ZhR683uJqoTpU2uoX2/tv0
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pa$word address 208.125.212.21 no-xauth
crypto isakmp key pa$word address 208.125.212.17
crypto isakmp key pa$word address 208.125.212.18 no-xauth
crypto isakmp xauth timeout 15
 
!
crypto isakmp client configuration group cadstream_remote
 key !scanner%01
 dns 10.121.1.5
 pool VPN_IPpool
 acl 104
!
crypto isakmp client configuration group confirma
 key 2B13786DDDA08D67
 dns 10.121.1.5
 pool VPN_IPpool
 acl 104
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA3 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description ### Tunnel to Sout ###
 set peer 208.125.212.21
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 3 ipsec-isakmp 
 description Tunnel to208.125.212.18
 set peer 208.125.212.18
 set transform-set ESP-3DES-SHA3 
 match address 111
crypto map SDM_CMAP_1 4 ipsec-isakmp 
 description Tunnel to208.125.212.18
 set peer 208.125.212.18
 set transform-set ESP-3DES-SHA10 
 match address 107
!
!
!
interface Tunnel1
 ip address 172.18.5.2 255.255.255.0
 ip access-group sdm_tunnel1_in in
 ip mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination 208.125.212.18
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0
 description ### LAN - ###
 ip address 172.18.2.1 255.255.255.0
 ip access-group 100 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ### WAN ###$ETH-WAN$
 ip address 24.213.143.15 255.255.255.252
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 description ###  network - Access Port ###
 no ip address
!
interface FastEthernet0/0/1
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/0/3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 description ### Inte I ###$FW_OUTSIDE$
 ip address 10.121.16.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 149.98.213.1 255.255.255.0
!
router eigrp 20
 passive-interface Vlan1
 passive-interface Vlan2
 network 172.18.0.0
 no auto-summary
!
ip local pool VPN_IPpool 172.16.77.97 172.16.77.102
ip classless
ip route 0.0.0.0 0.0.0.0 24.213.143.1 name Default
ip route 10.121.0.0 255.255.0.0 10.121.16.1 name Ie
ip route 149.98.213.0 255.255.255.0 10.121.16.1 permanent
ip route 172.18.5.0 255.255.255.0 Tunnel1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended sdm_tunnel1_in
 remark SDM_ACL Category=1
 permit ahp host 208.125.212.18 host 172.18.5.2
 permit esp host 208.125.212.18 host 172.18.5.2
 permit udp host 208.125.212.18 host 172.18.5.2 eq isakmp
 permit udp host 208.125.212.18 host 172.18.5.2 eq non500-isakmp
 permit gre host 208.125.212.18 host 24.213.143.15
 remark IPSec Rule
 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
 permit ahp host 208.125.212.21 host 172.18.5.2
 permit esp host 208.125.212.21 host 172.18.5.2
 permit udp host 208.125.212.21 host 172.18.5.2 eq isakmp
 permit udp host 208.125.212.21 host 172.18.5.2 eq non500-isakmp
 remark IPSec Rule
 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
 permit ip host 172.18.3.209 host 172.18.2.161
 permit ip host 208.125.212.18 host 172.18.2.161
 permit ip any any
!
access-list 1 remark For NAT to Internet
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.18.2.0 0.0.0.255
access-list 1 permit 10.121.16.0 0.0.0.255
access-list 23 permit 172.18.0.0 0.0.255.255
access-list 100 remark Inbound access list on LAN Interface
access-list 100 remark SDM_ACL Category=17
access-list 100 deny   ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.2.1
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 permit ip 172.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 101 remark Inbound access list on Itentive Interface
access-list 101 deny   ip 172.18.2.0 0.0.0.255 any
access-list 101 permit icmp any host 10.121.16.2
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit ip any any
access-list 102 remark Inbound access list on Outside interface
access-list 102 remark SDM_ACL Category=16
access-list 102 permit icmp any any
access-list 102 permit gre host 208.125.212.18 host 24.213.143.15
access-list 102 permit udp host 208.125.212.18 host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp host 208.125.212.18 host 24.213.143.15 eq isakmp
access-list 102 permit esp host 208.125.212.18 host 24.213.143.15
access-list 102 permit ahp host 208.125.212.18 host 24.213.143.15
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 172.16.77.96 0.0.0.7
access-list 102 permit ip 172.16.77.96 0.0.0.7 149.98.213.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 10.121.0.0 0.0.255.255
access-list 102 permit udp host 208.125.212.21 host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp host 208.125.212.21 host 24.213.143.15 eq isakmp
access-list 102 permit esp host 208.125.212.21 host 24.213.143.15
access-list 102 permit ahp host 208.125.212.21 host 24.213.143.15
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp any host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp any host 24.213.143.15 eq isakmp
access-list 102 permit esp any host 24.213.143.15
access-list 102 permit ahp any host 24.213.143.15
access-list 102 deny   ip 10.121.16.0 0.0.0.255 any
access-list 102 deny   ip 172.18.2.0 0.0.0.255 any
access-list 102 permit icmp any host 24.213.143.15
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 103 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 104 remark ### Access list for remote VPN users ###
access-list 104 remark SDM_ACL Category=20
access-list 104 permit ip 172.18.2.0 0.0.0.255 172.16.77.96 0.0.0.7
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 permit gre host 24.213.143.15 host 208.125.212.18
access-list 107 remark SDM_ACL Category=4
access-list 107 permit gre host 24.213.143.15 host 208.125.212.18
access-list 107 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=2
access-list 110 deny   gre host 24.213.143.15 host 208.125.212.18
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 deny   ip 172.18.2.0 0.0.0.255 172.16.77.96 0.0.0.7
access-list 110 deny   ip 149.98.213.0 0.0.0.255 172.16.77.96 0.0.0.7
access-list 110 deny   ip 10.121.0.0 0.0.255.255 172.16.77.96 0.0.0.7
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 110 permit ip 10.121.16.0 0.0.0.255 any
access-list 110 permit ip 172.18.2.0 0.0.0.255 any
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
!
!
control-plane
!
banner login ^CCCC
***************************************************************************
                                WARNING!!!
        This network device is private property.
        Unauthorized access is strictly prohibited and subject to
        prosecution under international, state, federal and local
        statutes. This device is subject to monitoring.  If you
        are unauthorized or do not consent to our network
        monitoring of usage, disconnect NOW.
****************************************************************************
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
 
end 172.18.2.1 router

Open in new window

officeli0n

7/23/2008

ASKER

For what its worth here is the show crypto sessions of both routers. Not sure on why the UP-NO-IKE. the reasoning from cisco isn't very helpful. THanks in advance

172.18.2.1RTR#show crypto session
Crypto session current status
 
Interface: Tunnel1
Session status: UP-NO-IKE
Peer: 208.125.212.18 port 500
  IPSEC FLOW: permit 47 host 24.213.143.15 host 208.125.212.18
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit 47 host 24.213.143.15 host 208.125.212.18
        Active SAs: 2, origin: crypto map
 
Interface: Tunnel1
Session status: UP-NO-IKE
Peer: 208.125.212.21 port 500
  IPSEC FLOW: permit ip 172.18.2.0/255.255.255.0 172.18.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.18.2.0/255.255.255.0 172.18.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.18.2.0/255.255.255.0 172.18.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.18.2.0/255.255.255.0 172.18.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map
 
Interface: FastEthernet0/1
Session status: UP-NO-IKE
Peer: 208.125.212.18 port 500
  IKE SA: local 24.213.143.15/500 remote 208.125.212.18/500 Inactive
 
Interface: Tunnel1
Session status: UP-IDLE
Peer: 208.125.212.21 port 500
  IKE SA: local 24.213.143.15/500 remote 208.125.212.21/500 Active
=============================================================
172.18.3.1RTR#show crypto session
Crypto session current status
 
Interface: Tunnel1 FastEthernet0/1
Session status: UP-NO-IKE
Peer: 24.213.143.15 port 500
  IPSEC FLOW: permit 47 host 208.125.212.18 host 24.213.143.15
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.18.3.0/255.255.255.0 172.18.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
 
Interface: Tunnel1 FastEthernet0/1
Session status: UP-ACTIVE
Peer: 208.125.212.21 port 500
  IKE SA: local 208.125.212.18/500 remote 208.125.212.21/500 Active
  IPSEC FLOW: permit ip 172.18.3.0/255.255.255.0 172.18.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
 
Interface: Tunnel1 FastEthernet0/1
Session status: UP-ACTIVE
Peer: 208.125.212.17 port 500
  IKE SA: local 208.125.212.18/500 remote 208.125.212.17/500 Active
  IPSEC FLOW: permit ip 172.18.3.0/255.255.255.0 172.18.4.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Open in new window

wingatesl

7/23/2008

Passive means not to broadcast on that network. Lets try removing the ACLs from the tunnel interfaces and see if it makes a difference
Shawn

officeli0n

7/23/2008

ASKER

Shawn,
I removed the acls on the tunnel, still no luck. i am leaving these acls off on the wan and tunnel. so the passive means not to broadcast. will that have anything to do with the eigrp? should i try a static route?

wingatesl

7/23/2008

EIGRP is functioning correctly
P 172.18.2.0/24, 1 successors, FD is 297246976
via 172.18.5.2 (297246976/28160), Tunnel1

Means that the router knows to get 172.18.2.0 over tunnel1

From that router can you ping 172.8.2.1? If you can, you will need to do an extended ping with a source interface on the inside of your network.

wingatesl

7/23/2008

access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.3.0 0.0.0.255 172.18.1.0 0.0.0.255

should read
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
^

on the first router

officeli0n

7/23/2008

ASKER

So the P in front of the eigrp topology doesnt matter? Just making sure. The telnet session im getting to by telnetting to 172.18.3.1/2.1, from that prompt I can ping across tunnel to the oposite router and hosts, so example: i can ping 172.18.3.22 from the .2.1 router. But i cannot ping .2.1 router from 172.18.3.22.

how can i do an extended ping from a different source interface?

In regards to acl 103, that is not applied to that interface that i can see. that is for a different tunnel that is up and working properly.

is there anyway to see what happends to the packets when they leave the .5.x end of the tunnel?

wingatesl

7/23/2008

There is only on GRE tunnel on that first router
set transform-set ESP-3DES-SHA13
match address 107
!
!
!
interface Tunnel1
ip address 172.18.5.1 255.255.255.0
ip access-group sdm_tunnel1_in in
ip mask-reply
ip mtu 1476
ip route-cache flow
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination 24.213.143.15
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
description ### LAN - ###
ip address 172.18.3.1 255.255.255.0

officeli0n

7/25/2008

ASKER

Yes there is only 1 GRE Tunnel, the other tunnel is an ipsec pt to pt. Sorry about that confusion. I can't figure out what I'm missing here?

officeli0n

7/25/2008

ASKER

This frustrates me... From 2.1 router, trace and ping. From 2.105 Wkstn, request timed out.

====TRACE=====
172.18.2.1RTR#trace 172.18.3.209

Type escape sequence to abort.
Tracing the route to 172.18.3.209

1 172.18.5.1 36 msec 28 msec 24 msec
2 172.18.3.209 28 msec 24 msec 40 msec

====PING=====
172.18.2.1RTR#ping 172.18.3.209

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.3.209, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms
172.18.2.1RTR#

Anyone with any ideas?