Solved

Cannot ping inside interface through GRE

Posted on 2010-09-18
Last Modified: 2012-05-10
Got a problem pinging from inside site A to site B: I can ping the tunnel on the other side OK, but can't ping the inside IPs.
Site A cannot ping FastEthernet0/0 on SiteB, but it works from B to A.
Here's the config from both sides; they are altered, but should correspond with the current config.
SITE A (Cisco 2851 v12.4)
RouterA#sh run
Building configuration...


Current configuration : 76200 bytes
!
! Last configuration change at 16:47:07 CDT Thu Sep 16 2010 by 
! NVRAM config last updated at 16:48:27 CDT Thu Sep 16 2010 by 
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname RouterA
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9-mz.124-24.T2.bin
boot system flash:/c2800nm-adventerprisek9-mz.124-20.T2.bin
boot-end-marker
!
logging message-counter syslog
logging monitor notifications
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name RouterA
ip inspect one-minute low 1
ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT realaudio
ip inspect name OUT h323
ip inspect name OUT ftp
ip inspect name OUT rtsp
ip inspect name IN smtp
ip inspect name IN ftp
ip inspect name IN tcp
ip inspect name IN udp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key PresharedRouterARouterBKey address 22.22.22.22
!
!
crypto ipsec transform-set cm-transformset-1 esp-des
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map cm-cryptomap 137 ipsec-isakmp
 description GRE IPsec Tunnel from RouterA to RouterB
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 137
 qos pre-classify
!
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip ssh version 1
!
!
!
!
!
!
!
!
interface Tunnel9037
 description GRE IPsec Tunnel from RouterB to RouterA
 bandwidth 1500
 ip address 10.250.190.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 qos pre-classify
 no clns route-cache
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap
!
interface Tunnel10000
 no ip address
!
interface GigabitEthernet0/0
 description Internal 10.11.x.x /16
 ip address 172.20.20.1 255.255.255.192
 ip flow ingress
 ip flow egress
 ip pim sparse-mode
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no clns route-cache
!
interface GigabitEthernet0/1
 description RouterA DMZ!!!!!!!
 ip address 11.11.11.10 255.255.255.224
 ip access-group 181 in
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly
 ip policy route-map ACETMAP
 duplex auto
 speed auto
 no cdp enable
 no clns route-cache
!
interface FastEthernet0/0/0
 description To BT Internet
 bandwidth 10240
 ip address 11.11.11.11 255.255.255.224
 ip access-group Outside_In in
 ip access-group Inside_Out out
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip pim sparse-mode
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 ip virtual-reassembly
 duplex full
 speed 100
 no clns route-cache
 crypto map cm-cryptomap
 crypto ipsec df-bit clear
 service-policy output VOICE
!
!
router eigrp 10
 redistribute static route-map STATICMAP
 network 10.0.0.0
 network 11.11.11.1 0.0.0.31
 network 172.20.20.0 0.0.0.63
 distribute-list 10 out
 no auto-summary
!
ip local policy route-map ACETMAP
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 11.11.11.1
no ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
!
ip pim rp-address 10.239.0.1
ip nat inside source list 180 interface FastEthernet0/0/0 overload
!
ip access-list extended Inside_Out
 deny   tcp any any eq 135 log
 permit tcp any any eq ftp log
 remark DHCP
 deny   tcp any any eq 67 log
 deny   udp any any eq bootps log
 deny   tcp any any eq 68 log
 deny   udp any any eq bootpc log
 remark TFTP
 deny   tcp any any eq 69 log
 deny   udp any any eq tftp log
 remark NETBIOS
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   udp any any eq netbios-ss log
 remark unencrypted LDAP
 deny   tcp any any eq 389 log
 deny   udp any any eq 389 log
 remark Microsoft SMB
 deny   tcp any any eq 445 log
 deny   udp any any eq 445 log
 remark AD Global Catalog
 deny   tcp any any eq 3268 log
 deny   tcp any any eq 3269 log
 remark Trojan Port
 deny   tcp any any eq 31337 log
 deny   udp any any eq 31337 log
 deny   tcp any any eq 31789 log
 deny   tcp any any eq 31790 log
 remark Allow all
 permit ip any any
ip access-list extended Outside_In
 remark VPN Incoming
 permit esp any any
 permit gre any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq 10000
 remark
 remark END ACL Outside_In
 permit udp any any eq non500-isakmp
 permit tcp any any eq 10000
 remark Deny Bogus source Addresses
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Deny unneccessary ICMP Messages
 deny   icmp any any redirect log
 deny   icmp any any mask-request log
 permit icmp any any
 remark Deny Incoming Packect with our own Edge Router IP address as source
 deny   ip host 11.11.11.11 any log
 remark Site-Specific-ACL-Entries ~END~
 remark - - - - - - - - - - - - - - - - -
 deny   ip any any log
!
access-list 2 permit any
access-list 137 permit gre host 11.11.11.11 host 22.22.22.22
access-list 151 permit ip any any
access-list 151 permit icmp any any
access-list 151 remark
access-list 166 deny   tcp any any eq 139
access-list 166 deny   tcp any any eq 445
access-list 166 permit ip any any
access-list 177 permit tcp any any eq 1720
access-list 177 permit tcp any eq 1720 any
access-list 181 permit ip any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
!
scheduler allocate 20000 1000
ntp server 192.5.41.40
ntp server 192.5.41.41
end

RouterA#


SITE B (Cisco 2621 v12.2)
 
Building configuration...

Current configuration : 7433 bytes
!
! Last configuration change at 18:34:34 CDT Fri Sep 17 2010
! NVRAM config last updated at 17:23:45 CDT Thu Sep 16 2010
!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname RouterB
!
no logging console
no logging monitor
no logging on
aaa new-model
!
!
aaa session-id common
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name RouterB
ip name-server 213.161.5.40
ip name-server 213.161.6.46
!
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT smtp
ip inspect name OUT realaudio
ip inspect name OUT h323
ip inspect name OUT ftp
ip inspect name OUT rtsp
ip inspect name IN smtp
ip inspect name IN http java-list 2
ip inspect name IN ftp
ip inspect name IN tcp
ip inspect name IN udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
policy-map global_policy
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key PresharedRouterARouterBKey address 11.11.11.11
crypto isakmp key PresharedOSLSiteBKey address 33.33.33.33
!
!
crypto ipsec transform-set cm-transformset-1 esp-des
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from RouterB to RouterA
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 100
crypto map cm-cryptomap 2 ipsec-isakmp
 description GRE IPsec Tunnel from SiteB to OSL25
 set peer 33.33.33.33
 set transform-set cm-transformset-1
 match address 101
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
 description GRE IPsec Tunnel from RouterB to RouterA
 bandwidth 1536
 ip address 10.250.190.2 255.255.255.0
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 crypto map cm-cryptomap
!
interface Tunnel2
 description GRE IPsec Tunnel from RouterB to RouterC
 bandwidth 1536
 ip address 10.250.200.2 255.255.255.0
 tunnel source 22.22.22.22
 tunnel destination 33.33.33.33
 crypto map cm-cryptomap
!
interface FastEthernet0/0
 description inside ethernet interface at RouterB
 ip address 10.190.0.1 255.255.0.0
 ip nat inside
 ip pim sparse-mode
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description outside interface at RouterB
 ip address 22.22.22.22 255.255.255.248
 ip access-group Outside_In in
 ip access-group Inside_Out out
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap
!
router eigrp 10
 network 10.190.0.0 0.0.255.255
 network 10.250.190.0 0.0.0.255
 network 10.250.200.0 0.0.0.255
 no auto-summary
 eigrp stub connected summary
 no eigrp log-neighbor-changes
!
ip nat inside source list 180 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 22.22.22.21
ip flow-export source FastEthernet0/0
ip flow-export version 5
no ip http server
ip pim bidir-enable
!
!
ip access-list extended Inside_Out
 deny   tcp any any eq 135 log
 permit tcp any any eq ftp log
 remark DHCP
 deny   tcp any any eq 67 log
 deny   udp any any eq bootps log
 deny   tcp any any eq 68 log
 deny   udp any any eq bootpc log
 remark TFTP
 deny   tcp any any eq 69 log
 deny   udp any any eq tftp log
 remark NETBIOS
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   udp any any eq netbios-ss log
 remark unencrypted LDAP
 deny   tcp any any eq 389 log
 deny   udp any any eq 389 log
 remark Microsoft SMB
 deny   tcp any any eq 445 log
 deny   udp any any eq 445 log
 remark AD Global Catalog
 deny   tcp any any eq 3268 log
 deny   tcp any any eq 3269 log
 remark Trojan Port
 deny   tcp any any eq 31337 log
 deny   udp any any eq 31337 log
 deny   tcp any any eq 31789 log
 deny   tcp any any eq 31790 log
 remark Allow all
 permit ip any any
ip access-list extended Outside_In
 remark VPN Incoming
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq 10000
 permit udp any any eq 4500
 remark Deny Bogus source Addresses
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Deny unneccessary ICMP Messages
 deny   icmp any any redirect log
 deny   icmp any any mask-request log
 permit icmp any any
 remark Deny Incoming Packect with our own Edge Router IP address as source
 deny   ip host 22.22.22.22 any log
 remark - - - - - - - - - - - - - - - - -
 remark Site-Specific-ACL-Entries ~BEGIN~
 remark Site-Specific-ACL-Entries ~END~
 remark - - - - - - - - - - - - - - - - -
 deny   ip any any log
 remark
 remark END ACL Outside_In
 remark Deny Bogus source Addresses
logging 10.100.3.105
logging 10.200.1.141
access-list 1 permit 10.250.190.0 0.0.0.255
access-list 1 permit 10.250.200.0 0.0.0.255
access-list 1 permit 10.190.0.0 0.0.255.255
access-list 2 permit any
access-list 100 permit gre host 22.22.22.22 host 11.11.11.11
access-list 101 permit gre host 62.139.45.122 host 33.33.33.33
access-list 180 permit ip 10.190.0.0 0.0.255.255 any
no cdp run
!
!
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
ntp clock-period 17180438
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end

SiteB#

Question by: Skrotpels

4 Comments

Accepted Solution by: koudry (LVL 10)
ID: 33709068
- Make sure VPN is working as expected (e.g. sh crypto sess)
- I suggest you also try extended ping from A to B
- You need to make sure that your eigrp routing is working as expected by making sure you cover all the networks between the two sites. I suspect you have a routing problem from A to B. You can turn on ip packet debugging (debug ip packet).

Please try the above suggestions and post the results back.

Thanks,

Koudry

Author Comment by: Skrotpels
ID: 33715337
EIGRP and crypto were both working fine.
I added this to the config and it seems to be working now:
router eigrp 10
 network 10.0.0.0 0.255.255.255
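The accepted answer's third point (make sure every network between the two sites is covered by an EIGRP network statement) and the fix above are exactly the kind of thing a config check can catch before the maintenance window. The following is an added example, not code from the thread or from Cisco: it parses the interface addresses and the router eigrp stanza out of an IOS config (constructed excerpts of the two posted configs are embedded) and reports, for each addressed interface, which network statement covers it, applying IOS's classful default when no wildcard is given.

```python
import ipaddress
# Constructed excerpts of the two configs posted above (interface addresses and EIGRP stanza only).
ROUTER_A = """\
interface Tunnel9037
 ip address 10.250.190.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 172.20.20.1 255.255.255.192
interface FastEthernet0/0/0
 ip address 11.11.11.11 255.255.255.224
router eigrp 10
 network 10.0.0.0
 network 11.11.11.1 0.0.0.31
 network 172.20.20.0 0.0.0.63
"""
ROUTER_B = """\
interface Tunnel1
 ip address 10.250.190.2 255.255.255.0
interface FastEthernet0/0
 ip address 10.190.0.1 255.255.0.0
interface FastEthernet0/1
 ip address 22.22.22.22 255.255.255.248
router eigrp 10
 network 10.190.0.0 0.0.255.255
 network 10.250.190.0 0.0.0.255
"""

def eigrp_coverage(config):
    """Map each addressed interface to the EIGRP 'network' line that covers it (None if none)."""
    interfaces, networks, section = [], [], ""
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level stanza header
            section = line.strip()
            continue
        w = line.split()
        if section.startswith("interface ") and w[:2] == ["ip", "address"] and len(w) == 4:
            interfaces.append((section.split()[1], int(ipaddress.IPv4Address(w[2]))))
        elif section.startswith("router eigrp") and w[0] == "network":
            net = int(ipaddress.IPv4Address(w[1]))
            if len(w) == 3:                   # explicit wildcard, may be discontiguous
                mask = ~int(ipaddress.IPv4Address(w[2])) & 0xFFFFFFFF
            else:                             # no wildcard: IOS applies the classful mask
                plen = 8 if net >> 24 < 128 else 16 if net >> 24 < 192 else 24
                mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            networks.append((line.strip(), net & mask, mask))
    return {name: next((stmt for stmt, n, m in networks if addr & m == n), None)
            for name, addr in interfaces}

def uncovered(config):
    """Interfaces that will not take part in EIGRP because no 'network' statement matches them."""
    return [name for name, stmt in eigrp_coverage(config).items() if stmt is None]
```

Run against the posted RouterA config this also shows that the Internet-facing FastEthernet0/0/0 (11.11.11.11) falls inside network 11.11.11.1 0.0.0.31, and no passive-interface is configured, so EIGRP hellos go out toward the ISP as well; on RouterB the outside interface is correctly left out.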

Author Closing Comment by: Skrotpels
ID: 33715344
Had missing routing in EIGRP.

Expert Comment by: koudry (LVL 10)
ID: 33715355
I am glad you got this working. Routing can be a pain.
Koudry