Solved

Cisco to Cisco VPN cannot ping internal interfaces

Posted on 2010-04-04
Last Modified: 2012-05-09
Hi, I am trying to set up a VPN between two sites, one a Cisco 827 and the other a Cisco 857. Both are connected to the Internet via ADSL. I have established a tunnel, and from each router I can ping the external interfaces but not the internal ones.

Can you please help me get this working? Thanks.

I have attached the conf from both routers minus the passwords and real IPs.


network setup
192.168.41.252-|-router-gw01pl|-172.228.155.114--------Internet----------172.228.57.63|-router-gol|-192.168.0.253

from router-gw01pl cisco 857  ping 172.228.57.63   ok
from router-gw01pl cisco 857  ping 192.168.0.253   timeout

from router-gol cisco 827     ping 172.228.155.114 ok
from router-gol cisco 827     ping 192.168.41.252  timeout



######## router-gw01pl cisco 857 ########
show crypto isakmp sa
dst             src             state          conn-id slot status
172.228.155.114 172.228.57.63   QM_IDLE           2009    0 ACTIVE

show crypto engine connections active
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   15 Di0        IPsec DES+MD5                   0      342 172.228.155.114
   16 Di0        IPsec DES+MD5                   0        0 172.228.155.114
 2009 Di0        IKE   MD5+DES                   0        0 172.228.155.114

show ip route (gw-01pl)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.41.0/24 is directly connected, BVI1
S    192.168.0.0/24 is directly connected, Dialer0
     172.228.0.0/32 is subnetted, 2 subnets
C       172.228.7.1 is directly connected, Dialer0
C       172.228.155.114 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0



###### router-gol cisco 827 ######
show crypto isakmp sa
dst             src             state          conn-id slot
172.228.155.114 172.228.57.63   QM_IDLE              1    0

show crypto engine connections active
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB        0        0
2000 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB        0        0
2001 Dialer0              172.228.57.63   set    HMAC_MD5+DES_56_CB     1506        0

show ip route (gol)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S    192.168.41.0/24 is directly connected, Dialer0
C    192.168.0.0/24 is directly connected, Ethernet0
     172.228.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.228.7.1/32 is directly connected, Dialer0
C       172.228.57.0/24 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

cisco-857.txt
cisco-827.txt
Question by:bwilks99
13 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 1500 total points
ID: 29757251
Hi,

The problem there is a bad NAT config; you need:

hostname gw-01pl
no ip nat source static 192.168.41.0 192.168.0.0 route-map nonat
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 105 interface Dialer0 overload

 
LVL 4

Author Comment

by:bwilks99
ID: 29758680
Hi, thanks for the input. I have changed the NAT config but I still cannot ping from either end.
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 29758945
Please provide us:

sh cry ips sa...

and please ping from a PC, not from the router!
 
LVL 4

Author Comment

by:bwilks99
ID: 29760741
Hi, here is the output. I tried from a computer instead of the router and I can ping. I also tried to RDP to the same server that I could ping, but no luck. Do you think this could be an MTU setting?


gw-01pl#show crypto ipsec sa

interface: Dialer0
    Crypto map tag: to-site2, local addr 172.228.155.114

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2179, #pkts decrypt: 2179, #pkts verify: 2179
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.228.155.114, remote crypto endpt.: 172.228.57.63
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xB9D1CD14(3117534484)

     inbound esp sas:
      spi: 0x767D726E(1987932782)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Motorola SEC 1.0:15, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4440979/10005)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB9D1CD14(3117534484)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Motorola SEC 1.0:16, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4441204/9988)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: to-site2, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 172.228.57.63 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 172.228.57.63
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
gw-01pl#
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 29761572
It is working:

  #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2179, #pkts decrypt: 2179, #pkts verify: 2179

Please reload the router and retry.
 
LVL 4

Author Comment

by:bwilks99
ID: 29765080
I did a wr and reloaded both routers (and restarted the PC), and I can ping 192.168.0.2 and 192.168.0.253 but not RDP or telnet to them.

What do you think?
 
LVL 4

Author Comment

by:bwilks99
ID: 29775657
Hi, I did some debugging and here is the reason; I will take a look at the access-lists.

1 01:44:19.899: IP: s=192.168.41.51 (Dialer0), d=192.168.0.2, len 64, access denied
 
LVL 4

Author Comment

by:bwilks99
ID: 30598999
Hi, can you give some advice? I can ping both ways but cannot run RDP, telnet, etc.; as in the above comment, I am getting "access denied". I think the problem is here, "ip access-group 102 in" from the 857. I tried a few things but could not get it to work. What do you suggest?

!
interface BVI1
 ip address 192.168.41.252 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 
LVL 4

Author Comment

by:bwilks99
ID: 32642476
Hi ikalmar,

It is still not working; can you give me any help with the access-lists?

Thanks
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 32642642
Did you reload the routers?
 
LVL 4

Author Comment

by:bwilks99
ID: 32650538
Hi, I have restarted the routers. I think the problem is the line "ip access-group 102 in": there is no access-list 102. I have tried a few things but no luck.
 
LVL 4

Author Comment

by:bwilks99
ID: 32666934
Here is an update; I have looked at the access-lists but cannot find the problem. Thanks in advance.

network setup
host A|192.168.41.252-|-router A-|-172.228.155.114--Internet--172.228.57.63|-router B|-192.168.0.252|host B

host A = 192.168.41.53
host B = 192.168.0.3

1. From A I can ping B but cannot RDP
2. From B I can ping A and RDP

I can see there is a problem on Router B when I try RDP:
*Mar  1 00:19:39.435: IP: s=192.168.41.53 (Dialer0), d=192.168.0.3, len 48, access denied
*Mar  1 00:19:39.443:     TCP src=4063, dst=3389, seq=2670710367, ack=0, win=65535 SYN

Router B cisco 827
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 80 172.228.57.63 80 extendable
ip nat inside source static tcp 192.168.0.3 25 172.228.57.63 25 extendable
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 110 permit tcp any host 172.228.57.63 eq www
access-list 110 permit tcp any host 172.228.57.63 eq smtp
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq isakmp
access-list 110 permit tcp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit esp host 172.228.155.114 host 172.228.57.63
access-list 110 permit tcp any host 172.228.57.63 eq telnet
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105


Router A Cisco 857
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.41.252 23 interface Dialer0 23
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.41.0 0.0.0.255
access-list 2 permit 172.228.57.63
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.41.0 0.0.0.255
access-list 101 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny   ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 any
access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit udp host 172.228.57.63 host 172.228.155.114 eq isakmp
access-list 110 permit tcp host 172.228.57.63 host 172.228.155.114 eq 50
access-list 110 permit udp host 172.228.57.63 host 172.228.155.114 eq 50
access-list 110 permit esp host 172.228.57.63 host 172.228.155.114
access-list 110 permit tcp host 172.228.57.63 any eq telnet
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105
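Reading the two posted configs together (an added example, not part of the thread): the debug line on Router B shows a TCP SYN from 192.168.41.53 to 192.168.0.3 port 3389 arriving on Dialer0 and being denied, while ping gets through. Walking ACL 110 exactly as posted explains both. The only "permit ip" entry for site-to-site traffic has source 192.168.0.0/24 and destination 192.168.41.0/24, which is the direction of traffic leaving site B; the decrypted SYN from site A matches nothing until the closing "deny ip any any", whereas the echo is caught by "permit icmp any any echo". The same matcher run over ACL 105 shows the NAT exemption from the accepted answer doing its job: the "deny" for 192.168.0.0/24 to 192.168.41.0/24 keeps the private source address untranslated so it can match the crypto ACL, while Internet-bound traffic is still overloaded onto Dialer0. The script is Python written for this page, not code from the thread or from Cisco. The extra "permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255" entry it tests is my suggested line and an assumption, the Internet address 203.0.113.10 is constructed, and the evaluator models only the ACL keywords that occur in the posted lists.

```python
# Added example for this page (not code from the thread or from Cisco): a first-match,
# implicit-deny evaluator for Cisco-style extended access lists, run over the ACL 110
# and ACL 105 lines posted for Router B and the packet from the posted debug line.
import ipaddress
from collections import namedtuple

# Router B's ACL 110, copied from the thread.
ROUTER_B_ACL_110 = """
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 110 permit tcp any host 172.228.57.63 eq www
access-list 110 permit tcp any host 172.228.57.63 eq smtp
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq isakmp
access-list 110 permit tcp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit udp host 172.228.155.114 host 172.228.57.63 eq 50
access-list 110 permit esp host 172.228.155.114 host 172.228.57.63
access-list 110 permit tcp any host 172.228.57.63 eq telnet
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 deny   ip any any
"""
# Router B's ACL 105 (the list that route-map nonat matches), copied from the thread.
ROUTER_B_ACL_105 = """
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
"""
# My suggested entry (an assumption, not from the thread): decrypted site-to-site traffic
# entering Dialer0 has source 192.168.41.x, the reverse of the only 'permit ip' in ACL 110.
SUGGESTED_FIX = "access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.0.255\n"
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "isakmp": 500, "domain": 53}

# proto is "tcp", "udp", "icmp", "esp", ...; ports and icmp_type are None when not applicable.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(None, None, None))
Rule = namedtuple("Rule", "action proto src sport dst dport icmp_type text")   # proto "ip" = any

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A wildcard' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))   # wildcard -> subnet mask
    return ipaddress.ip_network((tok[i], netmask), strict=False), i + 2

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":                            # optional 'eq <port|name>'
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None   # e.g. 'echo'
        rules.append(Rule(action, proto, src, sport, dst, dport, icmp_type, " ".join(tok)))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; IOS ends every list with an implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and src in r.src and dst in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)
                and r.icmp_type in (None, pkt.icmp_type)):
            return r.action, r.text
    return "deny", "implicit deny"

def is_translated(nat_acl_rules, pkt):
    """For 'ip nat inside source list/route-map': a permit means NAT applies, a deny means exempt."""
    return evaluate(nat_acl_rules, pkt)[0] == "permit"

# The SYN from the posted debug line, and the echo the author says gets through.
RDP_SYN = Packet("tcp", "192.168.41.53", "192.168.0.3", sport=4063, dport=3389)
PING = Packet("icmp", "192.168.41.53", "192.168.0.3", icmp_type="echo")

if __name__ == "__main__":
    acl110, acl105 = parse_acl(ROUTER_B_ACL_110), parse_acl(ROUTER_B_ACL_105)
    print("ping            :", evaluate(acl110, PING))
    print("RDP SYN         :", evaluate(acl110, RDP_SYN))
    print("RDP SYN with fix:", evaluate(parse_acl(SUGGESTED_FIX + ROUTER_B_ACL_110), RDP_SYN))
    print("site-to-site NATted?", is_translated(acl105, Packet("tcp", "192.168.0.3", "192.168.41.53")))
    print("Internet NATted?    ", is_translated(acl105, Packet("tcp", "192.168.0.3", "203.0.113.10")))
```

One caveat that bears on the author's question about "ip access-group 102 in" on BVI1: IOS treats an access-group that references an undefined list as permit-all, so that line does not block anything by itself; the debug output points at the inbound list on Dialer0 of Router B, and the same direction check is worth making on Router A's ACL 110, whose only "permit ip" entry is likewise written for outbound traffic.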
 
LVL 4

Author Closing Comment

by:bwilks99
ID: 32821967
ikalmar, thanks for your help moving towards a solution. I can ping but not use any apps. I will post a new question.