1701 VPN to 1701


Tamlync (Technical User), Apr 9, 2002
Hi,

I have two 1701s connected to a DSL line that I require VPN access between...

Network 1
192.168.1.x /24

Network 2
192.168.5.x /24

The 1701s work fine: they connect to the internet and the VPN also connects between them. The two 1701s can ping each other (using private LAN IPs), but no other devices can connect to the remote network (nor ping each other, including the remote router), yet they can all connect to the internet. I'm sure it's an easy mistake somewhere, but I'm really losing hope of finding it without some help!

Config from one of the units follows (passwords and public IPs masked to protect the innocent!)

!
version 12.3
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxx
!
username admin privilege 0 password 7 xxxxxxxxx
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 80.229.xx.xx
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 80.229.xx.xx
set peer 80.229.xx.xx
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
interface Tunnel0
ip address 172.0.0.1 255.255.255.0
ip mtu 1420
tunnel source 80.229.xx.xx
tunnel destination 80.229.xx.xx
crypto map SDM_CMAP_1
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface FastEthernet0
description $FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
speed auto
no cdp enable
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxx@xxxx.xxx
ppp chap password 7 xxxxxx
crypto map SDM_CMAP_1
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip http server
ip http access-class 2
no ip http secure-server
!
!
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=20
access-list 100 permit icmp host 80.229.xx.xx host 80.229.xx.xx
access-list 100 permit ip host 80.229.xx.xx host 80.229.xx.xx
access-list 100 permit udp host 80.229.xx.xx host 80.229.xx.xx
access-list 100 permit tcp host 80.229.xx.xx host 80.229.xx.xx
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 112 permit ip any any
access-list 113 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
line vty 0 4
access-class 10 in
password 7 xxxxxxxx
login local
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
end



So what is wrong with that??? Help!

Thanks to whoever responds..

Tamlyn.
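The question above turns on which traffic each access-list actually selects: the crypto map's "match address" list decides what gets encrypted, and NAT list 1 decides what gets translated (the second post's "VPN only, no internet" ask hinges on the same list). The following diagnostic is an added example, not part of the thread or the poster's configuration. It parses numbered access-list lines with a simplified grammar (standard and extended lists, host/any/wildcard forms, optional port operators), applies Cisco wildcard-mask semantics, and evaluates sample flows first-match with the implicit deny at the end. The sample lists are constructed from the thread; the public peer addresses 198.51.100.1 and 203.0.113.1 are documentation-range placeholders standing in for the masked 80.229.xx.xx values.

```python
"""Added diagnostic (not from the thread): which flows does a Cisco-style
access-list select?  Parses 'access-list' lines, applies wildcard-mask
semantics (a 1 bit in the wildcard means "don't care"), and evaluates a flow
first-match with the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the thread's lists.  The public peer
# addresses are placeholders for the masked 80.229.xx.xx values.
SAMPLE_CONFIG = """
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 permit icmp host 198.51.100.1 host 203.0.113.1
access-list 100 permit ip host 198.51.100.1 host 203.0.113.1
access-list 101 permit ip 0.0.0.0 255.255.255.0 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
"""


@dataclass
class Entry:
    acl: str
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; standard lists are "ip"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        _ip(text)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _skip_ports(tokens, i):
    """Skip optional port operators (eq/gt/lt/neq take one operand, range two)."""
    while i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq", "range"):
        i += 3 if tokens[i] == "range" else 2
    return i


def parse_acls(config_text):
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        acl, action = t[1], t[2]
        if acl.isdigit() and int(acl) <= 99:
            # Standard list: source only; a bare address with no wildcard is a host.
            if t[3] in ("any", "host") or (len(t) >= 5 and _is_ip(t[4])):
                src_net, src_wild, _ = _parse_addr(t, 3)
            else:
                src_net, src_wild = _ip(t[3]), 0
            entries.append(Entry(acl, action, "ip", src_net, src_wild, 0, 0xFFFFFFFF))
        else:
            proto = t[3]
            src_net, src_wild, i = _parse_addr(t, 4)
            i = _skip_ports(t, i)
            dst_net, dst_wild, _ = _parse_addr(t, i)
            entries.append(Entry(acl, action, proto, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    # Bits set in the wildcard are ignored; the remaining bits must equal the network.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def acl_action(entries, acl, src, dst="0.0.0.0", proto="ip"):
    """First-match evaluation of list `acl` for a src->dst flow; implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.acl != acl or (e.proto != "ip" and e.proto != proto):
            continue
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def report(config_text, flows):
    """Evaluate (acl, src, dst, proto) tuples; returns {(acl, src, dst, proto): action}."""
    entries = parse_acls(config_text)
    return {f: acl_action(entries, *f) for f in flows}


if __name__ == "__main__":
    checks = [
        ("100", "192.168.5.10", "192.168.1.10", "ip"),   # LAN-to-LAN against the crypto list
        ("100", "198.51.100.1", "203.0.113.1", "gre"),   # GRE between the tunnel endpoints
        ("111", "192.168.1.10", "192.168.5.10", "ip"),   # site-to-site list, one direction
        ("111", "192.168.5.10", "192.168.1.10", "ip"),   # ...and the reverse direction
        ("1", "192.168.5.10", "0.0.0.0", "ip"),          # NAT source list
        ("101", "192.168.5.10", "0.0.0.0", "ip"),        # the 0.0.0.0 255.255.255.0 form
    ]
    for flow, action in report(SAMPLE_CONFIG, checks).items():
        print(f"acl {flow[0]:>3} {flow[3]:<4} {flow[1]:>15} -> {flow[2]:<15} {action}")
```

Run it as-is to see, for each sample flow, whether the named list permits it. The useful habit it encodes: a crypto list whose entries name only the public tunnel endpoints selects the GRE packets, not the LAN subnets, so a LAN-to-LAN flow evaluated against it returns the implicit deny; and a wildcard of 255.255.255.0 makes the first three octets "don't care" while pinning the last octet to 0, which is why an ordinary host address does not match that form.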
 
OK, so after a lot of searching I have come up with this fully working configuration. I'll post it so others can see it and hopefully it will help them out in their time of need...

** However, I would like a little bit of help if possible!
Could someone please post the correct access list or configuration to BLOCK all traffic to the internet? The only thing I want is the VPN traffic between the sites, no internet traffic at all; I want it all redirected to 192.168.1.254. Could you PLEASE help with that?


Fully working config as follows (edited to protect some settings)

version 12.3
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxx
!
username admin privilege 0 password 7 xxxxx
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 80.229.xxx.xxx
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 80.229.xx.xx
set peer 80.229.xx.xx
set transform-set SDM_TRANSFORMSET_1
match address 101
!
!
!
!
interface Tunnel0
ip address 172.0.0.1 255.255.255.0
ip mtu 1420
tunnel source 80.229.xx.xx
tunnel destination 80.229.xx.xx
crypto map SDM_CMAP_1
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface FastEthernet0
description $FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
speed auto
no cdp enable
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password 7 xxxxx
crypto map SDM_CMAP_1
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip http server
ip http access-class 2
no ip http secure-server
!
!
!
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.0 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
line vty 0 4
access-class 10 in
password 7 xxxx
login local
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
end


Again, please help with blocking all internet traffic and just allowing the VPN. I would like all internet traffic to go via another router, 192.168.1.254, which is at the other end of the VPN link of the config I have just posted.

Thanks!

Tamlyn.
 
So, if I understand correctly, you have two locations VPN'd together. Only one location is allowed internet access, and all traffic from both locations must go through that router to get to the outside world.

At the remote site, try removing NAT and set the VPN as your default route. Make sure that the NAT at the 'internet' router has the remote site's subnet in its access list to allow it to translate.

I admit I haven't completely gone through your config yet, but that is the first thought in my mind to try.

BierHunter
CNE, MCSE, CCNP
 
Hi, yes, you're right...

I entered "no ip nat outside" on interface Dialer0 and that stopped all traffic from getting to the internet and just allowed traffic over the VPN...

As for access to the internet, that was through a proxy server, so I just entered the address of the proxy into I.E. and away it went...

Thanks for your reply...

Tamlyn.
 