occs07 asked:
Can someone help me with my vpn and access list.
I set up a site-to-site VPN and all works well, but for some reason when I apply my access list 111 I am able to ping both sides of the internal network for about 5 minutes, then I lose connectivity to the internet on both sides (RouterA and RouterB).
ROUTER A:
CARC1.CR1.1#sh run
Building configuration...
Current configuration : 5280 bytes
!
! Last configuration change at 21:26:56 PST Wed Feb 11 2009
! NVRAM config last updated at 00:09:26 PST Wed Feb 11 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CARC1.CR1.1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******************
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.50.1 10.100.50.99
ip dhcp excluded-address 10.100.51.1 10.100.51.99
ip dhcp excluded-address 10.100.10.1 10.100.10.99
ip dhcp excluded-address 10.100.20.1 10.100.20.99
ip dhcp excluded-address 10.100.21.1 10.100.21.99
ip dhcp excluded-address 10.100.11.1 10.100.11.99
!
ip dhcp pool VoIP
network 10.100.50.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.50.1
option 150 ip 10.100.50.2
!
ip dhcp pool Vonage
network 10.100.51.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.51.1
!
ip dhcp pool Wireless
network 10.100.20.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.20.1
!
ip dhcp pool Guest_Wireless
network 10.100.21.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.21.1
!
ip dhcp pool Servers
network 10.100.10.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.10.1
!
ip dhcp pool Workstations
network 10.100.11.0 255.255.255.0
dns-server 4.2.2.2
default-router 10.100.11.1
!
!
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall http
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****************** address 69.231.46.244
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
crypto map HSNC 10 ipsec-isakmp
! Incomplete
set peer 69.231.46.244
set transform-set HSNC
set pfs group2
match address 111
!
!
!
!
interface FastEthernet0/0
description Connection to AT&T
ip address dhcp
ip nat outside
ip inspect Firewall out
ip virtual-reassembly
speed 100
full-duplex
crypto map HSNC
!
interface FastEthernet1/0
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/1
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/2
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/3
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/4
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/5
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/6
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/7
description VoIP Ports
switchport access vlan 50
spanning-tree portfast
!
interface FastEthernet1/8
description Uplink to SW1
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet1/9
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet1/10
description Vonage Port
switchport access vlan 51
spanning-tree portfast
!
interface FastEthernet1/11
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet1/12
spanning-tree portfast
!
interface FastEthernet1/13
spanning-tree portfast
!
interface FastEthernet1/14
spanning-tree portfast
!
interface FastEthernet1/15
switchport access vlan 11
spanning-tree portfast
!
interface Vlan1
description Private Lan
ip address 10.100.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
description IPTV Vlan
ip address 10.100.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan11
description VM Vlan
ip address 10.100.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description Wireless Vlan
ip address 10.100.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan21
description Guest Wireless
ip address 10.100.21.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 2048000 375000 375000 conform-action transmit exceed-action drop
rate-limit output 2048000 375000 375000 conform-action transmit exceed-action drop
!
interface Vlan50
description VoIP Vlan
ip address 10.100.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan51
description Vonage Vlan
ip address 10.100.51.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.100.10.254 21 99.176.59.238 21 extendable
ip nat inside source static tcp 10.100.50.2 80 99.176.59.238 80 extendable
!
access-list 100 permit ip 10.100.0.0 0.0.255.255 any
access-list 111 permit ip 99.176.59.238 255.255.255.255 69.231.46.244 255.255.255.255
snmp-server community public RO
snmp-server host 10.100.11.253 public
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 ******************
login
line vty 5 15
password 7 ******************
login
!
ntp clock-period 17179762
ntp server 64.125.78.85
!
end
ROUTER B:
2600_Home#sh run
Building configuration...
Current configuration : 2387 bytes
!
! Last configuration change at 09:53:09 PST Wed Feb 11 2009
! NVRAM config last updated at 09:53:12 PST Wed Feb 11 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2600_Home
!
boot-start-marker
boot system flash:c2600-ik9s-mz.123-26.bin
boot-end-marker
!
enable secret 5 ***************
enable password 7 ***************
!
clock timezone PST -8
clock summer-time PDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.10.200.1 172.10.200.99
ip dhcp excluded-address 172.10.1.1 172.10.1.99
!
ip dhcp pool vlan200
network 172.10.200.0 255.255.255.0
dns-server 4.2.2.2
default-router 172.10.200.1
!
ip dhcp pool vlan1
network 172.10.1.0 255.255.255.0
dns-server 4.2.2.2
default-router 172.10.1.1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *************** address 99.176.59.238
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
!
crypto map HSNC 10 ipsec-isakmp
! Incomplete
set peer 99.176.59.238
set transform-set HSNC
set pfs group2
match address 111
!
!
!
!
interface FastEthernet0/0
description Connection to AT&T
ip address dhcp
ip nat outside
speed 100
full-duplex
crypto map HSNC
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 172.10.1.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/1.200
description Guest Wireles
encapsulation dot1Q 200
ip address 172.10.200.1 255.255.255.0
ip nat inside
rate-limit input 2048000 375000 375000 conform-action transmit exceed-action drop
rate-limit output 2048000 375000 375000 conform-action transmit exceed-action drop
!
ip nat inside source list 100 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 69.231.46.1
!
!
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 111 permit ip 69.231.46.244 255.255.255.255 99.176.59.238 255.255.255.255
!
!
!
!
!
!
!
!
!
line con 0
password 7 ***************
login
line aux 0
line vty 0 4
password 7 ***************
login
line vty 5 15
password 7 ***************
login
!
ntp clock-period 17180232
ntp server 64.125.78.85
!
end
ASKER
Yes, that "Incomplete" part is because currently the access-lists 111 are not created, so I can have internet at both locations.
I think access list 111 is causing the problem here.
It should be the private traffic you are encrypting rather than the public IP peers on each side...
It should look more like...
For the first router:
access-list 111 permit ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255
For the second router:
access-list 111 permit ip 172.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255
With the access list this way, the private traffic gets encrypted and all the internet traffic gets NATted as usual.
ASKER
When I do it that way the VPN doesn't connect. When doing a debug and an extended ping, nothing comes on the screen to show any issues at either end. But when I put the public IPs in, the VPN connects and works briefly.
ASKER
CARC1.CR1.1#sh crypto isakmp sa
dst src state conn-id slot status
69.231.46.244 99.176.59.238 QM_IDLE 6 0 ACTIVE
CARC1.CR1.1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: HSNC, local addr 99.176.59.238
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 69.231.46.244 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2736, #pkts encrypt: 2736, #pkts digest: 2736
#pkts decaps: 2657, #pkts decrypt: 2657, #pkts verify: 2657
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 99.176.59.238, remote crypto endpt.: 69.231.46.244
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x37D484E6(936674534)
inbound esp sas:
spi: 0xC346450F(3276162319)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: HSNC
sa timing: remaining key lifetime (k/sec): (4465634/3216)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x37D484E6(936674534)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: HSNC
sa timing: remaining key lifetime (k/sec): (4465622/3216)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
This part is a bit odd, as there should be actual networks shown here, not 0.0.0.0s.
Is this what you see when you put in the public IPs as the transformed set?
With the following config, it should work fine...
______________________
ROUTER A:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****************** address 69.231.46.244
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
crypto map HSNC local-address FastEthernet0/0
crypto map HSNC 10 ipsec-isakmp
set peer 69.231.46.244
set transform-set HSNC
match address 111
access-list 111 permit ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255
( also crypto map put in FA 0/0)
--------------------------
ROUTER B:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *************** address 99.176.59.238
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
!
crypto map HSNC local-address FastEthernet0/0
crypto map HSNC 10 ipsec-isakmp
set peer 99.176.59.238
set transform-set HSNC
match address 111
access-list 111 permit ip 172.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255
( also crypto map put in FA 0/0)
Can you try this, then do an extended ping and show us the output of sh crypto isakmp sa?
ASKER CERTIFIED SOLUTION
ASKER
Yes, when I do sh crypto ipsec sa I see all zeros using the public IPs. Yet I am able to ping inside private networks on both ends.
Ok I will give this a try and post it here soon.
Yes, I think adjusting access list 100 is the key here -- didn't realise you were NATting all at the start.
ASKER
So I will have both access-list 100 and 111?
yes
With access-list 100, the adjustment made is so that any traffic between your private networks is not NATted; this is so the crypto map works.
If you adjust access-list 100 and do the previous config I showed -- I'm very sure it will work.
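Added model of the two rules discussed in the thread (not code from the thread or from either router): it applies Cisco wildcard-mask matching and the IOS inside-to-outside order of operations, in which the NAT translation runs before the crypto map is checked, to one packet under the posted ACL 111, the private-network ACL 111 on its own, and the private-network ACL 111 together with a NAT exemption in ACL 100. The exemption's deny line and the host addresses are assumptions, since the thread does not print the actual ACL 100 change.

```python
"""Model of how IOS evaluates the NAT ACL (100) and the crypto ACL (111) for one
packet leaving FastEthernet0/0 on Router A.  Added example, not from the thread.

IOS order of operations for inside-to-outside traffic: 'ip nat inside source'
translation runs before the crypto map is checked, so the crypto ACL sees the
post-NAT source address.  Wildcard masks are Cisco-style: 0 = must match, 1 = ignore.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Ace(NamedTuple):
    """One entry: permit/deny ip <src> <src-wildcard> <dst> <dst-wildcard>."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


def egress(src: str, dst: str, nat_acl: List[Ace], crypto_acl: List[Ace],
           outside_ip: str) -> Tuple[bool, bool]:
    """Return (natted, encrypted) for one inside-to-outside packet.

    PAT to the outside interface address is applied first; the crypto map then
    evaluates its 'match address' ACL against the translated packet.
    """
    natted = acl_permits(nat_acl, src, dst)
    seen_by_crypto = outside_ip if natted else src
    encrypted = acl_permits(crypto_acl, seen_by_crypto, dst)
    return natted, encrypted


ROUTER_A_OUTSIDE = "99.176.59.238"
PRIVATE_A = ("10.100.0.0", "0.0.255.255")
PRIVATE_B = ("172.10.0.0", "0.0.255.255")
ANY = ("0.0.0.0", "255.255.255.255")

# Router A as posted.  ACL 111 names the public peers with a 255.255.255.255
# wildcard, which ignores every bit, i.e. it behaves as 'permit ip any any'
# (consistent with the 0.0.0.0/0.0.0.0 idents in the asker's 'sh crypto ipsec sa').
NAT_ORIGINAL = [Ace("permit", *PRIVATE_A, *ANY)]
CRYPTO_ORIGINAL = [Ace("permit", "99.176.59.238", "255.255.255.255",
                       "69.231.46.244", "255.255.255.255")]

# Crypto ACL as the expert suggested: match the private networks.
CRYPTO_PRIVATE = [Ace("permit", *PRIVATE_A, *PRIVATE_B)]

# ASSUMED form of the ACL 100 adjustment: exempt site-to-site traffic from NAT by
# denying it ahead of the catch-all permit.  The thread does not print this line.
NAT_EXEMPT = [Ace("deny", *PRIVATE_A, *PRIVATE_B), Ace("permit", *PRIVATE_A, *ANY)]

SITE_PKT = ("10.100.11.50", "172.10.1.20")   # constructed: host at A -> host at B
INET_PKT = ("10.100.11.50", "4.2.2.2")       # constructed: host at A -> the DNS server


def scenarios() -> Dict[str, Dict[str, Tuple[bool, bool]]]:
    """Evaluate both packets under the three configurations discussed in the thread."""
    configs = {
        "original": (NAT_ORIGINAL, CRYPTO_ORIGINAL),
        "private_acl_no_exemption": (NAT_ORIGINAL, CRYPTO_PRIVATE),
        "private_acl_with_exemption": (NAT_EXEMPT, CRYPTO_PRIVATE),
    }
    return {name: {"site": egress(*SITE_PKT, nat, crypto, ROUTER_A_OUTSIDE),
                   "inet": egress(*INET_PKT, nat, crypto, ROUTER_A_OUTSIDE)}
            for name, (nat, crypto) in configs.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} site(natted, encrypted)={result['site']} inet={result['inet']}")
```

Under the posted config even the DNS packet comes out (natted, encrypted), so internet traffic is pulled into the tunnel; with the private ACL but no exemption the site packet is translated first and never matches, so nothing triggers the tunnel; only the exempted variant yields (False, True) for site traffic and (True, False) for internet traffic.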
ASKER
That fixed the problem, Thank you so much.
CARC1.CR1.1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: HSNC, local addr 99.176.59.238
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.10.0.0/255.255.0.0/0/0)
current_peer 69.231.46.244 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 99.176.59.238, remote crypto endpt.: 69.231.46.244
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x5F90EB87(1603332999)
inbound esp sas:
spi: 0x3769118F(929632655)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: HSNC
sa timing: remaining key lifetime (k/sec): (4592343/3560)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5F90EB87(1603332999)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: HSNC
sa timing: remaining key lifetime (k/sec): (4592341/3560)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ASKER
I have another question if you may know and/or have time. The reason for the VPN is I am trying to connect a Cisco 7940G IP phone from my friend's house to my house. I am running Cisco Call Manager Express on a 1760 router. Is there anything special I need to do for the VPN to make that work? Or should the phone automatically connect to my CME since we are connected via VPN?
ASKER
I had to add option 150 ip (ip to CME) and everything worked great. Thanks for the help.
One thing I noticed from your configuration.
crypto map HSNC 10 ipsec-isakmp
! Incomplete - this part!!
You should reconfigure your crypto settings.
I will try to simulate a network to see where this error comes from, but until then, maybe you figure it out.