Cisco to Cisco VPN cannot ping internal interfaces

Hi, I am trying to set up a VPN between two sites, one a Cisco 827 and the other a Cisco 857. Both are connected to the Internet via ADSL. I have established a tunnel, and from each router I can ping the external interfaces but not the internal ones.

Can you please help me get this working? Thanks.

I have attached the conf from both routers, minus the passwords and real IPs.


network setup
192.168.41.252-|-router-gw01pl|-172.228.155.114--------Internet----------172.228.57.63|-router-gol|-192.168.0.253

from router-gw01pl (Cisco 857)  ping 172.228.57.63    ok
from router-gw01pl (Cisco 857)  ping 192.168.0.253    timeout

from router-gol (Cisco 827)     ping 172.228.155.114  ok
from router-gol (Cisco 827)     ping 192.168.41.252   timeout



######## router-gw01pl cisco 857 ########
show crypto isakmp sa
dst             src             state          conn-id slot status
172.228.155.114 172.228.57.63   QM_IDLE           2009    0 ACTIVE

show crypto engine connections active
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   15 Di0        IPsec DES+MD5                   0      342 172.228.155.114
   16 Di0        IPsec DES+MD5                   0        0 172.228.155.114
 2009 Di0        IKE   MD5+DES                   0        0 172.228.155.114

show ip route (gw-01pl)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.41.0/24 is directly connected, BVI1
S    192.168.0.0/24 is directly connected, Dialer0
     172.228.0.0/32 is subnetted, 2 subnets
C       172.228.7.1 is directly connected, Dialer0
C       172.228.155.114 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0



###### router-gol cisco 827 ######
show crypto isakmp sa
dst             src             state          conn-id slot
172.228.155.114 172.228.57.63   QM_IDLE              1    0

show crypto engine connections active
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB        0        0
2000 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB        0        0
2001 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB     1506        0

show ip route (gol)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S    192.168.41.0/24 is directly connected, Dialer0
C    192.168.0.0/24 is directly connected, Ethernet0
     172.228.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.228.7.1/32 is directly connected, Dialer0
C       172.228.57.0/24 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

cisco-857.txt
cisco-827.txt
bwilks99 asked:
Istvan Kalmar, Head of IT Security Division, commented:
Hi,

The problem there is a bad NAT config; you need:

hostname gw-01pl
no ip nat source static 192.168.41.0 192.168.0.0 route-map nonat
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 105 interface Dialer0 overload

bwilks99 (Author) commented:
Hi, thanks for the input. I have changed the NAT config but I still cannot ping from either end.
Istvan Kalmar, Head of IT Security Division, commented:
Please provide us with:

sh cry ips sa...


and please ping from a PC, not from the router!
bwilks99 (Author) commented:
Hi, here is the output. I tried from a computer instead of the router and I can ping. I also tried to RDP to the same server that I could ping, but no luck. Do you think this could be an MTU setting?


gw-01pl#show crypto ipsec sa

interface: Dialer0
    Crypto map tag: to-site2, local addr 172.228.155.114

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2179, #pkts decrypt: 2179, #pkts verify: 2179
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.228.155.114, remote crypto endpt.: 172.228.57.63
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xB9D1CD14(3117534484)

     inbound esp sas:
      spi: 0x767D726E(1987932782)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Motorola SEC 1.0:15, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4440979/10005)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB9D1CD14(3117534484)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Motorola SEC 1.0:16, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4441204/9988)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: to-site2, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 172.228.57.63
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
gw-01pl#
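The `show crypto ipsec sa` output above already carries the diagnosis the thread later arrives at: the Dialer0 identity has live ESP SAs in both directions, but 2179 packets were decapsulated against only 4 encapsulated, so the far side is sending into the tunnel while almost nothing is going back through it. The following is an added example, not code from the thread or from Cisco: a parser for the per-interface blocks of that output with a check for identities that have no ESP SAs and for lopsided encaps/decaps counters. SAMPLE is a shortened copy of the author's output (ah/pcp, lifetime and path-MTU lines dropped); the 10:1 imbalance threshold is an assumed value, not a Cisco figure.

```python
# Added example, not code from the thread or from Cisco: parse 'show crypto ipsec sa'
# blocks and flag (a) identities with no ESP SAs and (b) lopsided encaps/decaps
# counters, i.e. packets arriving and being decrypted while almost none are sent back
# encrypted, which is what return traffic being NATed or routed around the tunnel looks
# like. SAMPLE is a shortened copy of the author's output; the 10:1 threshold is an
# assumed value, not a Cisco figure.
import re

SAMPLE = """\
interface: Dialer0
    Crypto map tag: to-site2, local addr 172.228.155.114

   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2179, #pkts decrypt: 2179, #pkts verify: 2179
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x767D726E(1987932782)
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB9D1CD14(3117534484)
        Status: ACTIVE

interface: Virtual-Access2
    Crypto map tag: to-site2, local addr 0.0.0.0

   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:

     outbound esp sas:
"""

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER = re.compile(r"current_peer ([\d.]+) port (\d+)")
LOCAL = re.compile(r"Crypto map tag: (\S+), local addr ([\d.]+)")
SPI = re.compile(r"(inbound|outbound) esp sas:\n(?:\s*spi: (0x[0-9A-Fa-f]+))?")

def parse_ipsec_sa(text):
    """One dict per 'interface:' block with ident, peer, counters and ESP SPIs."""
    entries = []
    for chunk in re.split(r"(?m)^interface: ", text)[1:]:
        head, _, body = chunk.partition("\n")
        e = {"interface": head.strip(), "spi": {"inbound": None, "outbound": None}}
        for side, net, mask in IDENT.findall(body):
            e[side] = f"{net}/{mask}"
        for name, value in COUNTER.findall(body):
            e[name] = int(value)
        m = PEER.search(body)
        e["peer"] = m.group(1) if m else None
        m = LOCAL.search(body)
        e["map"], e["local_addr"] = (m.group(1), m.group(2)) if m else (None, None)
        for direction, spi in SPI.findall(body):
            e["spi"][direction] = spi or None
        entries.append(e)
    return entries

def diagnose(entries, ratio=10):
    """Findings as (interface, level, message). A map clone with local addr 0.0.0.0
    and no SAs is reported as info only: it is not the interface carrying the tunnel."""
    out = []
    for e in entries:
        ident = f"{e.get('local')} <-> {e.get('remote')} peer {e.get('peer')}"
        if not any(e["spi"].values()):
            level = "info" if e.get("local_addr") == "0.0.0.0" else "error"
            out.append((e["interface"], level, f"no active ESP SAs for {ident}"))
            continue
        enc, dec = e.get("encaps", 0), e.get("decaps", 0)
        if max(enc, dec) > ratio * max(min(enc, dec), 1):
            out.append((e["interface"], "warn",
                        f"one-way traffic for {ident}: encaps {enc}, decaps {dec}"))
    return out

if __name__ == "__main__":
    for iface, level, msg in diagnose(parse_ipsec_sa(SAMPLE)):
        print(f"{level:5} {iface}: {msg}")
```

Run against the sample, Dialer0 is reported as one-way (encaps 4, decaps 2179) and Virtual-Access2 as an informational "no SAs" entry. On a real box the same check is worth repeating after the NAT change: if the encaps counter starts climbing with the decaps counter, return traffic is entering the tunnel.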
Istvan Kalmar, Head of IT Security Division, commented:
It is working:

  #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2179, #pkts decrypt: 2179, #pkts verify: 2179

Please reload the router and retry.
bwilks99 (Author) commented:
I did a wr and reloaded both routers (and restarted the PC), and I can ping 192.168.0.2 and 192.168.0.253 but not RDP or telnet to them.

What do you think?
bwilks99 (Author) commented:
Hi, I did some debugging and here is the reason; I will take a look at the access-lists.

1 01:44:19.899: IP: s=192.168.41.51 (Dialer0), d=192.168.0.2, len 64, access denied
bwilks99 (Author) commented:
Hi, can you give some advice? I can ping both ways but cannot run RDP, telnet, etc.; as in the above comment, I am getting "access denied". I think the problem is here: "ip access-group 102 in" from the 857. I tried a few things but could not get it to work. What do you suggest?

!
interface BVI1
 ip address 192.168.41.252 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
bwilks99 (Author) commented:
Hi ikalmar,

It is still not working; can you give me any help with the access-lists?

Thanks
Istvan Kalmar, Head of IT Security Division, commented:
Did you reload the routers?
bwilks99 (Author) commented:
Hi, I have restarted the routers. I think the problem is "ip access-group 102 in": there is no access-list 102. I have tried a few things but no luck.
bwilks99 (Author) commented:
Here is an update; I have looked at the access-lists but cannot find the problem. Thanks in advance.

network setup
host A|192.168.41.252-|-router A-|-172.228.155.114--Internet--172.228.57.63|-router B|-192.168.0.252|host B

host A = 192.168.41.53
host B = 192.168.0.3

1. From A I can ping B but cannot RDP
2. From B I can ping A and RDP

I can see there is a problem on Router B when I try RDP:
*Mar  1 00:19:39.435: IP: s=192.168.41.53 (Dialer0), d=192.168.0.3, len 48, access denied
*Mar  1 00:19:39.443:     TCP src=4063, dst=3389, seq=2670710367, ack=0, win=65535 SYN

Router B cisco 827
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 80 172.228.57.63 80 extendable
ip nat inside source static tcp 192.168.0.3 25 172.228.57.63 25 extendable
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 110 permit tcp any host 172.228.57.63 eq www
access-list 110 permit tcp any host 172.228.57.63 eq smtp
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq isakmp
access-list 110 permit tcp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit esp host 172.228.155.114 host 172.228.57.63
access-list 110 permit tcp any host 172.228.57.63 eq telnet
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105


Router A Cisco 857
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.41.252 23 interface Dialer0 23
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.41.0 0.0.0.255
access-list 2 permit 172.228.57.63
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.41.0 0.0.0.255
access-list 101 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 any
access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit udp host 172.228.57.63 host 172.228.155.114 eq isakmp
access-list 110 permit tcp host 172.228.57.63 host 172.228.155.114 eq 50
access-list 110 permit udp host 172.228.57.63 host 172.228.155.114 eq 50
access-list 110 permit esp host 172.228.57.63 host 172.228.155.114
access-list 110 permit tcp host 172.228.57.63 any eq telnet
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105
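Two configuration points come up in this thread: Istvan Kalmar's NAT fix (a NAT source list 105 that denies the site-to-site traffic instead of the old list 1 that translated everything), and the author's "access denied" debug line for the RDP SYN arriving on Router B's Dialer0, which ping survives but TCP does not. The block below checks both with a small ACL matcher. It is an added example, not code from the thread or from Cisco, and implements only the subset of IOS numbered-ACL syntax that appears in the posted configs. It assumes the classic crypto-map behaviour Cisco documents for IOS: a decrypted IPsec packet is checked again by the inbound ACL of the interface it arrived on, so on Router B it hits Dialer0 with a 192.168.41.x source, which is exactly what the debug line shows. The ACL text is abridged from the posted Router B config, the RDP SYN is the packet from the debug output, and the extra ACE in ROUTER_B_FIXED is a candidate fix that the thread did not confirm. One side remark on the posted lists 110: the two "eq 50" lines match TCP/UDP port 50, not IP protocol 50; the "permit esp" line is what admits ESP.

```python
# Added example for this thread, not code from the thread or from Cisco: a matcher for
# the IOS numbered-ACL syntax used in the posted configs, run against the RDP SYN from
# the author's "access denied" debug line. Assumption (Cisco classic crypto-map
# behaviour): decrypted IPsec packets are re-checked by the inbound ACL of the interface
# they arrive on, so at Router B they enter Dialer0 with a 192.168.41.x source address.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "domain": 53, "isakmp": 500}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "gre": 47}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
ANY = ipaddress.ip_network("0.0.0.0/0")

Packet = namedtuple("Packet", "src dst proto sport dport icmp_type", defaults=(0, 0, -1))
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type")  # None = wildcard

def matches(a, p):
    return ((a.proto is None or p.proto == a.proto)
            and ipaddress.ip_address(p.src) in a.src and ipaddress.ip_address(p.dst) in a.dst
            and (a.sport is None or p.sport == a.sport) and (a.dport is None or p.dport == a.dport)
            and (a.icmp_type is None or p.icmp_type == a.icmp_type))

def _addr(tok, i):
    """any | host A | A WILDCARD | bare A (standard ACL) -> (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:  # wildcard mask -> netmask
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF))
        return ipaddress.ip_network((tok[i], mask), strict=False), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1

def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return None, i

def parse_acl(config, number):
    """Collect the 'access-list <number> ...' entries of a config; remarks are skipped."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        if tok[3] in PROTO_NAMES:                      # extended ACL
            proto = PROTO_NAMES[tok[3]]
            src, i = _addr(tok, 4)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i)
            icmp = ICMP_TYPES[tok[i]] if proto == 1 and i < len(tok) else None
        else:                                          # standard ACL: source only
            proto = sport = dport = icmp = None
            src, dst = _addr(tok, 3)[0], ANY
        aces.append(Ace(tok[2], proto, src, sport, dst, dport, icmp))
    return aces

def evaluate(aces, pkt):
    """First match wins; every IOS ACL ends with an implicit deny."""
    return next((a.action for a in aces if matches(a, pkt)), "deny")

# Router B (Cisco 827) lists 105 and 110, abridged from the posted config: lines that
# cannot match these packets are left out, the line order and the final deny are kept.
ROUTER_B = """\
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq isakmp
access-list 110 permit esp host 172.228.155.114 host 172.228.57.63
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
"""
# Candidate fix (an assumption, not from the thread): decrypted traffic entering Dialer0
# is remote LAN -> local LAN, a direction no permit line in the posted list 110 covers.
ROUTER_B_FIXED = "access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255\n" + ROUTER_B
# Router A's old NAT source list, which the accepted answer replaced with list 105.
ROUTER_A_LIST1 = "access-list 1 permit 192.168.41.0 0.0.0.255\n"

# The RDP SYN from the author's debug output, the ICMP echo the author reports does get
# through, and a constructed RDP reply for the NAT-exemption check.
RDP_SYN = Packet("192.168.41.53", "192.168.0.3", 6, sport=4063, dport=3389)
ECHO = Packet("192.168.41.53", "192.168.0.3", 1, icmp_type=8)
RDP_REPLY = Packet("192.168.0.3", "192.168.41.53", 6, sport=3389, dport=4063)

def inbound_verdict(config, pkt):
    """Verdict of list 110 (assumed applied 'in' on Dialer0) for a decrypted packet."""
    return evaluate(parse_acl(config, "110"), pkt)

def is_nat_exempt(config, acl, pkt):
    """For 'ip nat inside source list/route-map', a deny match means NOT translated."""
    return evaluate(parse_acl(config, acl), pkt) == "deny"

if __name__ == "__main__":
    print("posted list 110, RDP SYN    :", inbound_verdict(ROUTER_B, RDP_SYN))          # deny
    print("posted list 110, ICMP echo  :", inbound_verdict(ROUTER_B, ECHO))             # permit
    print("list 110 + extra ACE, RDP   :", inbound_verdict(ROUTER_B_FIXED, RDP_SYN))    # permit
    print("reply exempt from NAT (105) :", is_nat_exempt(ROUTER_B, "105", RDP_REPLY))   # True
    print("old list 1 exempts tunnel?  :", is_nat_exempt(ROUTER_A_LIST1, "1", RDP_SYN)) # False
```

The posted list 110 returns deny for the RDP SYN but permit for the echo, which is the asymmetry the author reports (ping works, RDP does not); the only permit lines that can match a packet sourced from 192.168.41.0/24 are the ICMP ones. List 105 returns deny for the reply, which in a NAT source list means the packet keeps its private address and can match crypto ACL 101, whereas the old standard list 1 would have translated it to the Dialer0 address and kept it out of the tunnel.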
bwilks99 (Author) commented:
ikalmar, thanks for your help moving towards a solution. I can ping but not use any apps. I will post a new question.