Solved

One Cisco 2800 and two 871 IOS 12.4 Routers VPN Tunnels Up cannot access or ping between them

Posted on 2011-10-09
Last Modified: 2012-05-12
Hello, I have a Cisco 2800 IOS 12.4 router set up as the head end of a point-to-multipoint VPN network, with one Cisco 871 IOS 12.4 router at each of two separate remote locations. Each location has Comcast Internet. The routers are all configured and have access to the Internet at each location. The problem is I cannot ping or access the LAN between the routers. All the interfaces, including the tunnels, are up, so I think it may be NAT. Here are the configs:

CISCO 2800 IOS 12.4 ROUTER HEAD END
Current configuration : 5833 bytes
!
! Last configuration change at 07:08:07 MST Sun Oct 9 2011 by Admin
! NVRAM config last updated at 07:08:09 MST Sun Oct 9 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO2800HEADEND
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IDj5$v4MYtN1vnZeULbDa8ZRvn1
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 8.8.8.8
   domain-name ourdomain.local
!
!
no ip bootp server
no ip domain lookup
ip name-server 75.75.75.75
ip name-server 8.8.8.8
login block-for 30 attempts 5 within 1
login delay 5
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
crypto pki trustpoint TP-self-signed-364559XXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364559XXXX
 revocation-check none
 rsakeypair TP-self-signed-364559XXXX
!
!
crypto pki certificate chain TP-self-signed-364559XXXX
 certificate self-signed 01
  XXXXXXXX 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 XXXXXXXX
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363435 35393333 3834301E 170D3131 30383139 31363532
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343535
  39333338 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A0AA 32E23283 42BC7DEA D19AA042 F971B386 5BA042F7 A887EBCF DE117D09
  F8194638 819F2B88 6660C078 XXXXXXXX 5B88B1B0 DD8347EC 188727D3 F373111A
  9ED6EF6B 0FEADEC3 B70A00CF E54B42DD C77AD8FD E2FBC380 21521CF1 790306CE
  BC08AE4C 2A63DC32 D099D6B7 9D085470 89A49A18 CFD5B49E 4B1FEDE1 99CD5587
  71AB0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A424552 4E414C49 4C4C4F30 1F060355 1D230418 30168014
  B2E14414 0412C688 3A83E24F 4B6EE2B7 1637D486 301D0603 551D0E04 160414B2
  E1441404 12C6883A 83E24F4B 6EE2B716 37D48630 0D06092A 864886F7 0D010104
  05000381 81001B1E 24BA533F 8013CA13 EB90F2C4 125C9220 97AE9CB2 03236D28
  5223AD01 E85B2136 EBFA9F94 1CB404EE 0368A01E 6573FAFF 151F11D8 ADDCF88B
  66CE8A67 BCA2C9EE 8CAB4D02 9DFEA879 3A29E4A9 C7680158 4F0C37FC 02392A49
  XXXXXXXX F22EB56C 44F1D317 07F76F13 EE0D8F5C 5CD537AE 833EB4C7 XXXXXXXX
  9E3B5A33 C4C0
        quit
!
!
username xxxxx privilege 15 secret 5 $1$BPFq$KHGxxxxmrFy7.nGVxxxxJD/
archive
 log config
  hidekeys
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key mysecretkey address 173.000.000.85
crypto isakmp key mysecretkey address 173.000.000.165
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
!
crypto ipsec profile PROF
 set transform-set tset
!
!
!
!
!
ip ssh authentication-retries 5
ip ssh port 5555 rotary 1
ip ssh version 2
!
!
!
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Belen VPN
 ip address 10.20.30.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 173.000.000.85
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
!
interface Tunnel1
 description Los Lunas VPN
 ip address 10.20.30.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 173.000.000.165
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
!
interface FastEthernet0/0
 description $ES_WAN$
 ip address 75.000.000.169 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1320
 duplex auto
 speed auto
 no keepalive
 no cdp enable
!
router ospf 1
 log-adjacency-changes
 network 10.20.30.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.000.000.174
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 3700
ip nat inside source route-map NONAT_NAT interface FastEthernet0/0 overload
!
ip access-list extended nonat_nat
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
no logging trap
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 152 remark deny_ssh_default_port_and_telnet
access-list 152 deny   tcp any any eq 22
access-list 152 deny   tcp any any eq telnet
access-list 152 permit tcp any gt 1024 any gt 1024
no cdp run
!
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
|=================================================================|
CISCO2800HEADEND - Authorized Personel Only
Internal IP: 192.168.3.1
External IP: 75.000.000.169 - Comcast
Hostname $(hostname)
Domain $(domain)
Line $(line)
|=================================================================|
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 152 in
 privilege level 15
 rotary 1
 transport input ssh
!
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17180242
ntp server 192.5.41.40
!
end



CISCO 871 IOS 12.4 ROUTER LOCATION ONE
Current configuration : 5424 bytes
!
! Last configuration change at 13:59:29 MST Sat Oct 8 2011
! NVRAM config last updated at 14:02:51 MST Sat Oct 8 2011
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO871LOC-ONE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$xDj5$v4MxxS1KnxxULbxx8ZRvn1
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
!
crypto pki trustpoint TP-self-signed-2502XXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2502XXXXXX
 revocation-check none
 rsakeypair TP-self-signed-2502XXXXXX
!
!
crypto pki certificate chain TP-self-signed-2502XXXXXX
 certificate self-signed 01
  XXXXXXXX 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 XXXXXXXX
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32353032 30333836 3137301E 170D3032 30333033 32323030
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35303230
  33383631 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008FF5 EA6FE28E 5A473FC2 DA10AA82 73FC3E80 A56CA021 097DE00B 30B49420
  9B098835 470E1B3F AC44A910 XXXXXXXX 5FC89AE6 6C0222D4 43C439BB A915D981
  B67ADC74 0B62CCE6 B42FF4C5 F16A59CE 8B80918A E8AE1A86 3A3A1962 3034309F
  55E507F7 F1F5305A 78338ADB 66CAE948 B77ECE0A 9E8B2A33 D5D17143 314F4BEE
  F5330203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
  551D1104 09300782 0542454C 454E301F 0603551D 23041830 1680141C F4B910E7
  7A513A07 5B6053F0 5EE86797 88185730 1D060355 1D0E0416 04141CF4 B910E77A
  513A075B 6053F05E E8679788 1857300D 06092A86 4886F70D 01010405 00038181
  0071104D 9C0AFA41 56D8A4CA 18FD0066 D166334D 9E455B50 5355E075 1BF510FD
  3527987A 1550C74A A3AECD37 3A7FD2C3 930E8CBB 2CEA9E30 C515F923 14BDF339
  0BDAB4B2 6B9602C9 0B6125CF F259C2CB CE826C68 ED5B3F23 5E2558B6 743C08C6
  XXXXXXXX 6C3C0E3D AD535EFF 706AF0EB BB085238 EBF24FC1 1605CF0C XXXXXXXX 5D
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.151 192.168.4.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 75.75.75.75 8.8.8.8
!
!
no ip bootp server
no ip domain lookup
ip domain name ourdomain.com
ip name-server 75.75.75.75
ip name-server 8.8.8.8
login block-for 30 attempts 5 within 1
login delay 5
login on-failure log
login on-success log
!
!
!
username xxxxx privilege 15 secret 5 $1xxPFqxxxxhttmrFxxxxGVxxMJD/
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key mysecretkey address 75.000.000.169
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
!
crypto ipsec profile PROF
 set transform-set tset
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh port 5555 rotary 1
ip ssh version 2
!
!
!
interface Tunnel0
 description HEADEND VPN
 ip address 10.20.30.6 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 75.000.000.169
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address 173.000.000.85 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1320
!
router ospf 1
 log-adjacency-changes
 network 10.20.30.0 0.0.0.3 area 0
 network 192.168.4.0 0.0.0.255 area 0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.000.000.86
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 3700
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
!
ip access-list extended nonat_nat
 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.4.0 0.0.0.255 any
!
no logging trap
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 152 remark deny_ssh_default_port_and_telnet
access-list 152 deny   tcp any any eq 22
access-list 152 deny   tcp any any eq telnet
access-list 152 permit tcp any gt 1024 any gt 1024
no cdp run
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
control-plane
!
banner motd ^C
|=================================================================|
CISCO871LOC-ONE - Authorized Personel Only
Internal IP: 192.168.4.1
External IP: 173.000.000.85 - Comcast
Hostname $(hostname)
Domain $(domain)
Line $(line)
|=================================================================|
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 152 in
 privilege level 15
 rotary 1
 transport input ssh
!
no scheduler max-task-time
scheduler allocate 20000 1000
ntp clock-period 17182072
ntp source FastEthernet4
ntp server 216.31.9.161
ntp server 173.203.122.111
end



CISCO 871 IOS 12.4 ROUTER LOCATION TWO
Current configuration : 5617 bytes
!
! Last configuration change at 16:24:10 mst Sat Oct 8 2011 by Admin
! NVRAM config last updated at 16:25:25 mst Sat Oct 8 2011 by Admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO871LOC-TWO
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$xxx/$rxxxWjxkxxxoLKXwxxxawL0
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone mst -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-9806XXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-9806XXXXX
 revocation-check none
 rsakeypair TP-self-signed-9806XXXXX
!
!
crypto pki certificate chain TP-self-signed-9806XXXXX
 certificate self-signed 01
  XXXXXXXX 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 XXXXXXXX
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39383036 33373434 35301E17 0D303230 33303130 30303731
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3938 30363337
  34343530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  94E078C5 46A78C64 6A6B26E5 XXXXXXXX 6678351D 30666FDF 59AA6D0A 50349D11
  B5BF4CB6 571812E9 48C5C6A1 DA305208 2B92F1B0 AC1C02E5 5E29C036 422040DB
  D14667FE A1A9A54B 69AB9B17 112D4D1D 605A0E2A B925CF97 25E3D744 4194F229
  751EF004 D701FFAA B6239AC1 1424D64C XXXXXXXX 9C8C8751 5B71756F 6C3D3D45
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  11041630 1482124C 4C50542E 42454C45 4E50542E 6C6F6361 6C301F06 03551D23
  04183016 8014E16D 6CFCEC4F C200D00E 9C5B268D F315AEE9 0180301D 0603551D
  0E041604 14E16D6C FCEC4FC2 00D00E9C 5B268DF3 15AEE901 80300D06 092A8648
  86F70D01 01040500 03818100 8081446F B246697A 2C989584 C6B5E26E 6330CFCB
  1A84985F B30ACC6D D71217D1 9561526B 00A04072 EB28D7ED D5E1EBD8 9268FF66
  FADB0E80 2097CA10 76919F62 306CAA04 83C45454 9354FD72 40852A2E E0A565F1
  XXXXXXXX 555A4777 2750E237 67C447C8 8C008C6D 204BCEC3 488212E6 XXXXXXXX
  2A320F36 89104055 XXXXXXXX
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.151 192.168.0.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 75.75.75.75 8.8.8.8
!
!
no ip bootp server
ip domain name ourdomain.local
ip name-server 75.75.75.75
ip name-server 8.8.8.8
login block-for 30 attempts 5 within 1
login delay 5
login on-failure log
login on-success log
!
!
!
username xxxxx privilege 15 secret 5 $1xxxfCNxxxxrW/DImV0xxxxq32xxUb1
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key mysecretkey address 75.000.000.169
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
!
crypto ipsec profile PROF
 set transform-set tset
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh port 5555 rotary 1
ip ssh version 2
!
!
!
interface Tunnel0
 description VPN to HEADEND
 ip address 10.20.30.2 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 75.000.000.169
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 173.000.000.165 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
router ospf 1
 log-adjacency-changes
 network 10.20.30.4 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.000.000.166
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
!
ip access-list extended nonat_nat
 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
logging trap debugging
logging facility syslog
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 152 remark deny_ssh_default_port_and_telnet
access-list 152 deny   tcp any any eq 22
access-list 152 deny   tcp any any eq telnet
access-list 152 permit tcp any gt 1024 any gt 1024
no cdp run
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
control-plane
!
banner motd ^C
|=================================================================|
CISCO871LOC-ONE - Authorized Personel Only
Internal IP: 192.168.0.1
External IP: 173.000.000.165 - Comcast
Hostname $(hostname)
Domain $(domain)
Line $(line)
|=================================================================|
^C
alias exec 1 show crypto isa sa
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 152 in
 privilege level 15
 rotary 1
 transport input ssh
!
no scheduler max-task-time
scheduler allocate 20000 1000
scheduler interval 500
ntp clock-period 17182114
ntp source FastEthernet4
ntp server 216.31.9.161
ntp server 173.203.122.111
end

Question by:techsrx
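As an added check (it is not part of the question or the accepted answer, and not Cisco's own tooling), the Python script below parses the hostname, interface and OSPF stanzas from the three configs above and cross-checks every tunnel: whether the router's own OSPF network statements cover the tunnel interface address, and whether the two ends of each tunnel sit in the same subnet. The three config excerpts are constructed from the posted configs; the masked public addresses are kept as literal strings for matching tunnel destinations to routers, so the check does not depend on them parsing as real IPv4 addresses.

```python
import ipaddress
# Constructed excerpts: the hostname, interface and OSPF stanzas copied from the
# three configs posted in the question (public addresses masked as posted).
HEADEND = """hostname CISCO2800HEADEND
interface Tunnel0
 ip address 10.20.30.1 255.255.255.252
 tunnel destination 173.000.000.85
interface Tunnel1
 ip address 10.20.30.5 255.255.255.252
 tunnel destination 173.000.000.165
interface FastEthernet0/0
 ip address 75.000.000.169 255.255.255.248
router ospf 1
 network 10.20.30.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
"""
LOC_ONE = """hostname CISCO871LOC-ONE
interface Tunnel0
 ip address 10.20.30.6 255.255.255.252
 tunnel destination 75.000.000.169
interface FastEthernet4
 ip address 173.000.000.85 255.255.255.252
router ospf 1
 network 10.20.30.0 0.0.0.3 area 0
 network 192.168.4.0 0.0.0.255 area 0
"""
LOC_TWO = """hostname CISCO871LOC-TWO
interface Tunnel0
 ip address 10.20.30.2 255.255.255.252
 tunnel destination 75.000.000.169
interface FastEthernet4
 ip address 173.000.000.165 255.255.255.252
router ospf 1
 network 10.20.30.4 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0
"""

def parse_config(text):
    """Extract hostname, interface address/tunnel destination and OSPF networks."""
    cfg = {"hostname": None, "interfaces": {}, "ospf": []}
    block = None  # ("if", name) or ("ospf",) while inside an indented block
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):  # a top-level command opens or ends a block
            block = None
            if tok[0] == "hostname":
                cfg["hostname"] = tok[1]
            elif tok[0] == "interface":
                block = ("if", tok[1])
                cfg["interfaces"][tok[1]] = {"addr": None, "ip": None, "dest": None}
            elif tok[:2] == ["router", "ospf"]:
                block = ("ospf",)
        elif block and block[0] == "if":
            entry = cfg["interfaces"][block[1]]
            if tok[:2] == ["ip", "address"]:
                entry["addr"] = tok[2]  # literal string, so masked addresses still match
                try:
                    entry["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
                except ValueError:  # masked public literals such as 173.000.000.85
                    pass
            elif tok[:2] == ["tunnel", "destination"]:
                entry["dest"] = tok[2]
        elif block and block[0] == "ospf" and tok[0] == "network":
            # an IOS wildcard is a hostmask, which ipaddress accepts after the slash
            cfg["ospf"].append(ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}", strict=False))
    return cfg

def tunnel_issues(configs):
    """Findings: tunnel address outside OSPF coverage, or tunnel ends in different subnets."""
    owner = {}  # address literal -> config of the router that owns it
    for cfg in configs:
        for name, e in cfg["interfaces"].items():
            if e["addr"] and not name.startswith("Tunnel"):
                owner[e["addr"]] = cfg
    issues, seen = [], set()
    for cfg in configs:
        host = cfg["hostname"]
        mine = {e["addr"] for e in cfg["interfaces"].values() if e["addr"]}
        for name, e in cfg["interfaces"].items():
            if not name.startswith("Tunnel") or e["ip"] is None:
                continue
            if not any(e["ip"].ip in net for net in cfg["ospf"]):
                issues.append(f"{host} {name}: {e['ip'].ip} is not covered by any OSPF network statement")
            peer = owner.get(e["dest"])
            if peer is None:
                continue
            # the peer tunnel whose destination is one of our addresses is our far end
            for pname, pe in peer["interfaces"].items():
                if not pname.startswith("Tunnel") or pe["dest"] not in mine or pe["ip"] is None:
                    continue
                pair = frozenset({(host, name), (peer["hostname"], pname)})
                if pe["ip"].network != e["ip"].network and pair not in seen:
                    seen.add(pair)  # report each mismatched tunnel pair once
                    issues.append(f"{host} {name} ({e['ip']}) and {peer['hostname']} {pname} "
                                  f"({pe['ip']}) are not in the same subnet")
    return issues

if __name__ == "__main__":
    print("\n".join(tunnel_issues([parse_config(c) for c in (HEADEND, LOC_ONE, LOC_TWO)])))
```

Run over the configs as posted, the check returns four findings: each 871's Tunnel0 address (10.20.30.6 and 10.20.30.2) falls outside that router's OSPF network statement for the tunnel range (10.20.30.0/30 and 10.20.30.4/30 respectively), and each spoke's /30 differs from the hub end it terminates on (the head end's Tunnel0 is 10.20.30.1/30 toward 173.000.000.85, where the far side is 10.20.30.6/30; Tunnel1 is 10.20.30.5/30 toward 173.000.000.165, where the far side is 10.20.30.2/30). Exchanging the two spokes' tunnel addresses clears all four findings, and moving every tunnel address into a single /24, as the accepted answer did, removes the subnet mismatch the same way.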
Accepted Solution

by:
techsrx earned 0 total points
ID: 36939312
I figured it out: I removed OSPF and used RIP. I also changed the tunnel IPs to regular private network space (/24) and it is working well now.