
Unable to ping hosts on either side of an IPsec VPN

cameron213 asked (last modified: 2012-05-11)
I have created a site-to-site IPsec VPN with a Cisco 2610 and a Linksys RV042. Running a "show crypto isakmp sa" command I get a QM_IDLE status, and when running "show crypto ipsec sa" I see that packets are being decrypted and encrypted. Also, when running the "show ip access-lists" command I do have matches for that connection.

The problem is that I am unable to ping hosts from one network to another. For example, from the Cisco router in network 192.168.0.0 I am unable to ping the remote network 192.168.2.0 and vice versa.

I am not sure what is happening. Do I need to create a route to that remote network? I guess it could also be a problem with NAT or an ACL.

Here is what the running-config shows:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 linksys address 173.x.x.x
!
!
crypto ipsec transform-set FirstStep esp-3des esp-md5-hmac
!
crypto map FirstStep 1 ipsec-isakmp
 set peer 173.x.x.x
 set transform-set FirstStep
 set pfs group2
 match address 110
!
interface FastEthernet0/0
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 70.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map FirstStep
!
interface Serial0/2
 ip address 192.168.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 network 70.0.0.0
 network 192.168.0.0
 network 192.168.10.0
 default-information originate
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.91.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NONAT_NAT interface FastEthernet0/1 overload
!
ip access-list extended nonat_nat
 remark No NAT local network to remote vpn network
 deny ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
 remark NAT local network to Internet
 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
!
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
!
control-plane
!
!
!
line con 0
 password 7 06351B205E42001F11
 logging synchronous
 login
line aux 0
line vty 0 3
 logging synchronous
 login local
line vty 4
 password 7 00370707165702001B
 logging synchronous
 login local
!
ntp clock-period 17208400
ntp server 192.168.0.103
!
end
**********************************************

I am not sure if this matters or not, but our company has purchased several public IP addresses that we have assigned to internal devices. As you can see in the network diagram, in the 192.168.0.0 network the Cisco router has an IP address on the fa0/1 interface that connects to the modem of 70.210.x.x, while the same interface on the modem that connects to the Cisco has a private address of 10.1.10.1.

The same thing happens in the 192.168.2.0 network. Could this cause problems with other things?

I do notice that I am able to ping the internet fine from the Cisco router in the 192.168.0.0 network. However, if a PC in the same 192.168.0.0 network pings the internet, a ping packet gets lost or is not returned, resulting in a 20% loss.

Any ideas and suggestions are appreciated.
Thanks


[Attachment: networkt-diagram.jpg (network diagram)]
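The question asks whether NAT, an ACL or routing is what stops pings across the tunnel. As an added illustration (not the poster's code and not a Cisco tool), the following Python model applies the posted router's NAT route-map and then the crypto map's ACL 110 to a packet leaving fa0/1, using IOS wildcard-mask and first-match semantics, so a reader can see which source/destination pairs the config would actually encrypt. It assumes a constructed stand-in address (198.51.100.2) for the redacted fa0/1 address and that router-originated packets are not subject to inside-source NAT.

```python
import ipaddress

# Stand-in for the router's fa0/1 address (redacted as 70.x.x.x in the post); constructed value.
OUTSIDE_IP = "198.51.100.2"

# ACL entries transcribed from the posted running-config, as
# (action, source, source-wildcard, destination, destination-wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
CRYPTO_ACL_110 = [
    ("permit", "192.168.0.0", "0.0.255.255", "192.168.2.0", "0.0.0.255"),
]
NONAT_NAT_ACL = [
    ("deny",   "192.168.0.0", "0.0.255.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def classify(src, dst, from_inside):
    """Model of the order the router applies to a packet leaving fa0/1:
    1. 'ip nat inside source route-map NONAT_NAT ... overload' rewrites the source
       to the outside address if the packet arrived on an 'ip nat inside' interface
       and the route-map's ACL permits it (the 'deny' line is the NAT exemption);
    2. the crypto map on fa0/1 encrypts only if the (possibly translated) packet
       matches ACL 110.
    Assumption: router-originated packets (from_inside=False) skip inside NAT."""
    natted = from_inside and acl_action(NONAT_NAT_ACL, src, dst) == "permit"
    src_on_wire = OUTSIDE_IP if natted else src
    encrypted = acl_action(CRYPTO_ACL_110, src_on_wire, dst) == "permit"
    return {"nat": natted, "encrypted": encrypted, "src_on_wire": src_on_wire}

if __name__ == "__main__":
    for src, dst, inside in [
        ("192.168.0.50", "192.168.2.10", True),    # LAN host to the remote LAN
        ("192.168.0.50", "203.0.113.9", True),     # LAN host to the Internet (constructed address)
        (OUTSIDE_IP, "192.168.2.10", False),       # ping typed on the router, default source
        ("192.168.0.200", "192.168.2.10", False),  # ping on the router sourced from fa0/0
    ]:
        print(src, "->", dst, classify(src, dst, inside))
```

The last two cases show why a ping issued on the router itself is only a meaningful tunnel test when its source address falls inside the crypto ACL's source range.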