Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

VPN tunnel cisco 837

Posted on 2009-02-12
10
Medium Priority
?
673 Views
Last Modified: 2012-05-06
Hello,
I have configured an 837 vpn tunnel, my problem is that I cannot connect in to network devices like printers network drives computers etc via the site to site vpn tunnel...I can however ping and get a reply and also connect remotley to the routers config via SDM and telnet. I am remotley connecting from the network 90.x.x.152 ad you will se my config.
There are no firewalls blocking the connection unless of course the 837 is blocking the connection. Could someone please help?
Using 5272 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCF-RTR-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 
enable password password
!
username username privilege 15 password 0 password
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.14.1.1 10.14.1.49
ip dhcp excluded-address 10.14.1.101 10.14.1.254
!
ip dhcp pool default
   import all
   network 10.14.1.0 255.255.255.0
   dns-server 62.24.128.17 62.24.128.18
   default-router 10.14.1.1
!
!
ip name-server 62.24.128.18
ip name-server 62.24.128.17
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 90.x.x.162
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.x.x.162
 set peer 90.x.x.162
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.14.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 92.x.x,47 255.255.255.128
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user address
 ppp chap password 0 user password
 ppp pap sent-username user address password 0 user password
 crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.14.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 92.24.4.0 0.0.0.127 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.100.0 0.0.0.25 10.14.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.14.1.0 0.0.0.255
access-list 101 permit udp host 90.x.x.162 host 92.x.x,47 eq non500-isakmp
access-list 101 permit udp host 90.x.x.162 host 92.x.x,47 eq isakmp
access-list 101 permit esp host 90.x.x.162 host 92.x.x,47
access-list 101 permit ahp host 90.x.x.162 host 92.x.x,47
access-list 101 permit udp host 62.24.128.17 eq domain any
access-list 101 permit udp host 62.24.128.18 eq domain any
access-list 101 deny   ip 10.14.1.0 0.0.0.255 any
access-list 101 permit icmp any host 92.x.x,47 echo-reply
access-list 101 permit icmp any host 92.x.x,47 time-exceeded
access-list 101 permit icmp any host 92.x.x,47 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.14.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 10.14.1.0 0.0.0.255 192.168.100.0 0.0.0.25
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 10.14.1.0 0.0.0.255 192.168.100.0 0.0.0.25
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.14.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.14.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password password
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Open in new window

0
Comment
Question by:Dan560
  • 4
  • 4
  • 2
10 Comments
 
LVL 8

Accepted Solution

by:
MrJemson earned 1200 total points
ID: 23627708
Turn off SPI.
0
 
LVL 10

Assisted Solution

by:kyleb84
kyleb84 earned 800 total points
ID: 23627726
Attached is an IPSEC w/GRE tunnel config of a working VPN...

Looks to me like your trying to do a transport mode tunnel which is unfamiliar to me...

Anyway, i've changed most of it to suite your network... just read through it and change what you need.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ipsec-template
!
boot-start-marker
boot-end-marker
!
logging buffered 32768
no logging console
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.14.1.0 10.14.1.50
!
ip dhcp pool lan-pool
   network 10.14.1.0 255.255.255.0
   dns-server x.x.x.x y.y.y.y
   default-router 10.14.1.1
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name test.local
!
!
!
username root privilege 15 password 0 TiB@suP!#
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cryptokey4vpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to [REMOTE WAN IP]
 set peer [REMOTE WAN IP]
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 ip address 192.168.99.2 255.255.255.252
 ip mtu 1420
 tunnel source Dialer0
 tunnel destination [REMOTE WAN IP]
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.14.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname host@email
 ppp chap password 0 password
 crypto map SDM_CMAP_1
!
router rip
 version 2
 passive-interface FastEthernet0
 passive-interface FastEthernet1
 passive-interface FastEthernet2
 passive-interface FastEthernet3
 passive-interface ATM0
 passive-interface Vlan1
 passive-interface Dialer0
 network 192.168.99.0
 network 10.14.1.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nat_rmap interface Dialer0 overload
!
ip access-list extended acl_nat
 permit ip 10.14.1.0 0.0.0.255 any
!
access-list 22 permit 10.14.1.0 0.0.0.255
!
access-list 100 permit gre host [LOCAL WAN IP] host [REMOTE WAN IP]
access-list 100 permit gre host [REMOTE WAN IP] host [LOCAL WAN IP]
!
route-map nat_rmap permit 1
 match ip address acl_nat
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 privilege level 15
 transport input telnet ssh
line vty 3 4
 exec-timeout 20 0
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Open in new window

0
 
LVL 10

Expert Comment

by:kyleb84
ID: 23627788
I should add that to make the config suitable for the other end of the link:
- Tunnel 0's IP address should be: ip address 192.168.99.1 255.255.255.252
- You should search and replace 10.14.1.0 everywhere with your remote LAN's network


When you first load the proper configs on both sites, you'll have to wait a while for it to come up and for the RIPv2 to distribute.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:Dan560
ID: 23630385
how do i turn off spi? thanks kyle, i will also try your solution
0
 
LVL 8

Expert Comment

by:MrJemson
ID: 23638295
Kyle's configuration has turned off spi also.
It's done by removing the "ip inspect..." type commands.
Which he has removed in his configuration.
You can also issue the "no ip insect .... " command to remove the specific "ip inspect ..." commands.
0
 
LVL 2

Author Comment

by:Dan560
ID: 23638509
can I switch them all off or do I have to go through the following?
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
 
0
 
LVL 8

Expert Comment

by:MrJemson
ID: 23639446
Do the follwoing:

conf t
int Dialer 0
no ip inspect SDM_LOW out

The above is defining the rules for SPI, the "ip inspect SDM_LOW out" command enables in on a selected interface.
0
 
LVL 2

Author Comment

by:Dan560
ID: 23640260
I think I may have made a mistake I did the command "no ip inspect".
and I think it may have removed the firewall, because when I looked at the config through sdm, it said firewall policies are inactive.
However the VPN started to work, but I havent tested connectivity to all network devices because they may be turn off becuase its the weekend.
0
 
LVL 8

Expert Comment

by:MrJemson
ID: 23640491
No mistake.

SPI is a _type_ of firewall that is quite often more of a hinderance than a help.
1) You are using NAT anyway, so nothing is getting in unless you specifically forward it.
2) You access lists there which is the best firewall going around.

All SPI (Stateful Packet Inspection) does is look at a packet coming in, autopsy it to make sure its not something else in disguise and sends it on its way. This is extra overhead on you router and network as a whole that is totally unnecessary. Leaving it off will not cause you any harm.
0
 
LVL 2

Author Comment

by:Dan560
ID: 23648304
Oh no! i turned it off and no one can access the internet. I can remotley connect in fine, but no one browse the net...
check out this question
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24146070.html 
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question