Cisco 12.4 site-to-site VPN not coming up

Hello,

I am trying to create a simple site-to-site VPN between two older Cisco 1800 series routers running IOS 12.4.  Everything appears to be as it should be, but I cannot get traffic flowing across the VPN.  Both configs are printed below and attached.  I've included only the parts involved in the VPN.  Please help :)

KMT

//BEGIN: ROUTER "STATLER"//

Current configuration : 6720 bytes
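!
version 12.4
!
hostname STATLER
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.39
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 204.11.200.27 204.11.200.28
   default-router 192.168.1.1
!
!
! --- IKE phase 1 ---
! Policy 5 (3DES / pre-shared key / DH group 2) is the same as WALDORF's
! policy 5, so phase 1 has a matching proposal.  It is also the weakest
! combination either side offers: WALDORF additionally has an AES policy (10),
! so an AES policy could be added here too if this IOS image supports it.
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key, identical to WALDORF's; stored in clear text in the running
! configuration (and now in this post).  Peer address is WALDORF's FastEthernet4.
crypto isakmp key cisco321 address 70.12.12.12 no-xauth
!
!
! --- IPsec phase 2 --- identical transform set on both peers.
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! Sequence number (20 here, 5 on WALDORF) is local to each router; it need
! not match the peer.  Crypto ACL 112 selects the interesting traffic.
crypto map mymap 20 ipsec-isakmp
 set peer 70.12.12.12
 set transform-set myset
 match address 112
!
!
!
!
interface FastEthernet0
 description outside
 ip address 199.25.25.25 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
! NOTE(review): 199.25.25.24 is the network address of the /29 on
! FastEthernet0 as printed; presumably a sanitised value for the post.
ip route 0.0.0.0 0.0.0.0 199.25.25.24
!
!
! Clear-text HTTP and HTTPS management are both enabled; neither is needed
! for the tunnel to come up.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! --- NAT ---
! The original configuration had a second PAT rule here:
!   ip nat inside source list 1 interface FastEthernet0 overload
! access-list 1 permits all of 192.168.1.0/24 with no exception for
! 192.168.9.0/24.  NAT is applied before the crypto map on the outside
! interface, so (depending on which dynamic rule the router evaluates first)
! packets for the remote LAN could leave with source 199.25.25.25, no longer
! match crypto ACL 112, and never be encrypted -- the most likely cause,
! visible in the posted config, of "nothing flows across the VPN".
! Route-map nonat / ACL 130 already PATs every inside host while exempting
! the VPN subnet, so the list-based rule was redundant as well as harmful.
! After removing it on a live router, clear existing translations with
! "clear ip nat translation *".
ip nat inside source route-map nonat interface FastEthernet0 overload
!
!
logging trap debugging
! access-list 1 is no longer referenced by any NAT rule; kept for reference.
access-list 1 permit 192.168.1.0 0.0.0.255
! Crypto ACL: mirror image of WALDORF's access-list 110.
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
! NAT exemption for route-map nonat: deny = do not translate (VPN traffic),
! permit = PAT everything else from the LAN.
access-list 130 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map nonat permit 10
 match ip address 130
!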
//END STATLER//

//BEGIN ROUTER WALDORF//
Current configuration : 8689 bytes
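!
version 12.4
!
hostname WALDORF
!
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.2 192.168.9.10
!
ip dhcp pool default
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1
   dns-server 64.81.159.2
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 4.2.2.4
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! --- IKE phase 1 ---
! Policy 5 (3DES / pre-shared key / DH group 2) is the only one STATLER can
! match, since STATLER's single policy is 3DES/PSK/group 2.
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
! Policy 10 (AES) cannot be selected while STATLER offers only 3DES; it
! becomes useful once STATLER gets a matching AES policy.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Pre-shared key, identical to STATLER's; stored in clear text in the running
! configuration (and now in this post).  Peer address is STATLER's FastEthernet0.
crypto isakmp key cisco321 address 199.25.25.25 no-xauth
!
!
! --- IPsec phase 2 --- identical transform set on both peers.
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! Crypto ACL 110 selects the interesting traffic; the sequence number is local.
crypto map mymap 5 ipsec-isakmp
 set peer 199.25.25.25
 set transform-set myset
 match address 110
!
bridge irb
!
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 70.12.12.12 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 no ip address
 ip mtu 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
!
! Inside (LAN) interface; access-list 100 filters inbound from the LAN.
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.9.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
! NOTE(review): next hop 70.62.6.221 is not inside FastEthernet4's /30 as
! printed; presumably one of the two addresses was sanitised for the post.
ip route 0.0.0.0 0.0.0.0 70.62.6.221
!
! Clear-text HTTP and HTTPS management are both enabled; neither is needed
! for the tunnel to come up.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! --- NAT ---
! Both PAT rules use route-maps whose ACLs deny (= exempt from translation)
! traffic to 192.168.1.0/24, so VPN-bound packets keep their private source
! address and match crypto ACL 110.  This is the no-NAT pattern the STATLER
! side must also follow.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip dns server
!
logging trap debugging
! access-list 1 is not referenced by any NAT rule in this excerpt.
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
! SDM-generated filter applied inbound on BVI1: drops packets from the
! broadcast and loopback source ranges, permits everything else.
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
! access-list 101 is not applied to any interface in this excerpt (it looks
! like an outside-interface filter: IKE/NAT-T/ESP permitted, bogons denied).
! Its last entry (permit tcp ... eq 8001) follows "deny ip any any log" and
! can never match; move it above the deny if port 8001 is meant to be reachable.
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any any eq 8001
! NAT exemption for SDM_RMAP_1 (deny = do not translate).  The posted config
! read "192.1688.0" on the third deny, which is not a valid address and would
! be rejected by IOS; 192.168.8.0 (as in access-lists 188 and 199) is assumed
! to be the intended value.
access-list 102 deny   ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 102 permit ip 192.168.9.0 0.0.0.255 any
! Crypto ACL: mirror image of STATLER's access-list 112.
access-list 110 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
! access-lists 111, 188 and 198 are not referenced anywhere in this excerpt.
access-list 111 permit udp any any range 10020 10083
access-list 111 permit udp any any range 5080 5081
access-list 188 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 198 permit ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
! NAT exemption for SDM_RMAP_2; same exemptions as access-list 102.
access-list 199 deny   ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 remark SDM_ACL Category=16
access-list 199 deny   ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 permit ip 192.168.9.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 199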

//END WALDORF CONFIG//
statler.txt
waldorf.txt
isaman07

Well, I guess you are missing the no-NAT entries.

ASKER

isaman07,

Can you be a bit more specific?  Which router, and what do I need to add?

Thanks,
KMT
ASKER CERTIFIED SOLUTION
asavener


ASKER

Thank you!  That was it.