
Cisco 1812 VPN is up, but services are unavailable

Status
Not open for further replies.

tangostar

MIS
Apr 21, 2004
166
CA
I have a Cisco 1812 in my central location, and 2 vpns connecting remote locations.
I can ping from one side to another and I can print in the remote locations, but the remote locations are unable to access services in the central location.
Any ideas?
 

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname proxy
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$5GmN$XINis9FFru4jcQhx7yW/o.
enable password 7 082D45400C59151B13051814387B
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
no ip bootp server
no ip domain lookup
ip domain name xxx.com
ip name-server 64.201.167.193
ip name-server 207.54.98.226
ip name-server 209.162.224.10
ip name-server 209.162.224.2
ip ssh time-out 60
ip ssh authentication-retries 2
no ip ips deny-action ips-interface
ip ips notify SDEE
!
vty-async
!
username admin privilege 15 secret 5 $1$1D/i$BlF.IypwrsafgfgcNLtDjhH/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxx address 66.11.xx.xx no-xauth
crypto isakmp key xxxxx address 207.139.xxx.xxx no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set laval esp-3des esp-md5-hmac
crypto ipsec transform-set alpine esp-3des esp-sha-hmac
!
crypto map quebec 1 ipsec-isakmp
description Tunnel to Alpine crypto-map
set peer 207.139.xxx.xxx
set transform-set alpine
match address 100
crypto map quebec 2 ipsec-isakmp
description Tunnel to Laval crypto-map
set peer 66.11.xx.xx
set transform-set alpine
match address 102
!
!
!
interface Tunnel0
description tunnel to Alpine
no ip address
ip mtu 1454
tunnel source 66.225.xxx.xxx
tunnel destination 216.95.xxx.xx
crypto map quebec
!
interface Tunnel1
description tunel to Laval
no ip address
tunnel source 66.225.xxx.xxx
tunnel destination 207.164.xxx.xx
tunnel path-mtu-discovery
crypto map quebec
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
interface FastEthernet0
description Terago$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 66.225.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 10
full-duplex
crypto map quebec
!
interface FastEthernet1
description WOW$ETH-LAN$
ip address 209.162.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.6 255.255.255.0
ip helper-address 10.0.0.22
ip mask-reply
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip kerberos source-interface FastEthernet0
ip classless
ip default-network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 66.225.149.214 permanent
ip route 10.0.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.0.0 255.255.255.0 Tunnel1 permanent
ip route 192.168.123.0 255.255.255.0 Tunnel0 permanent
!
!
ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet1 overload
ip nat inside source static tcp 10.0.0.20 443 66.225.xx.xxx 443 extendable
ip nat inside source static tcp 10.0.0.2 1723 66.225.xxx.xxx 1723 extendable
ip nat inside source static tcp 10.0.0.21 22 66.225.xxx.xxx 22 extendable
ip nat inside source static tcp 10.0.0.21 25 66.225.xxx.xxx 25 extendable
ip nat inside source static tcp 10.0.0.20 80 66.225.xxx.xxx 80 extendable
ip nat inside source static tcp 10.0.0.20 110 66.225.xxx.xxx 110 extendable
ip nat inside source static tcp 10.0.0.8 1494 66.225.xxx.xxx 1494 extendable
ip nat inside source static tcp 10.0.0.8 2598 66.225.xxx.xxx 2598 extendable
!
logging trap debugging
logging 10.0.0.15
access-list 100 remark SDM_ACL Category=20
access-list 100 permit ip 10.0.0.0 0.0.255.255 192.168.123.0 0.0.0.255
access-list 100 remark SDM_ACL Category=20
access-list 100 permit tcp 10.0.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255 eq 1494
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=20
access-list 102 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq smtp 192.168.0.0 0.0.255.255 eq smtp
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq pop3 192.168.0.0 0.0.255.255 eq pop3
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255 eq 1494
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 14071E0A34106y3974
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
 
Take a look at access-list 101

access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

You are denying nat from 10.0.0.0 to 192.168.0.0

Are both remote networks in the 192.168.0.0 range?
Are the remote routers also configured to deny NAT from them back to HQ?
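The check the reply points at, worked through in code: for a given flow, does ACL 101 (which route-maps SDM_RMAP_1/2 match on) exempt it from NAT, and which crypto ACL (100 or 102, per the crypto map's match address lines) selects it for a tunnel. This is an added example, not code from the thread, from Cisco, or from the Linksys side; it copies the access-list lines and the ACL-to-tunnel mapping from the posted config and constructs the sample flows. It models only the IOS extended-ACL features that appear on the page (wildcard masks, any, host, eq port qualifiers, first-match with an implicit deny), and it evaluates any flow, not just the two remote ranges discussed.

```python
"""Evaluate which access-list entries of the posted Cisco 1812 config select a flow.

Constructed example: ACL lines are copied from the posted config, the flows are
made up. route-map SDM_RMAP_1/2 both 'match ip address 101', so a packet is
NATed only when ACL 101 returns 'permit'; a 'deny' (or the implicit deny) means
no translation. Crypto map 'quebec' uses ACL 100 (Alpine) and 102 (Laval).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the posted configuration (remark lines are skipped by the parser).
ACL_TEXT = """
access-list 100 remark SDM_ACL Category=20
access-list 100 permit ip 10.0.0.0 0.0.255.255 192.168.123.0 0.0.0.255
access-list 100 permit tcp 10.0.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255 eq 1494
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq smtp 192.168.0.0 0.0.255.255 eq smtp
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq pop3 192.168.0.0 0.0.255.255 eq pop3
access-list 102 permit tcp 10.0.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255 eq 1494
"""

CRYPTO_ACL_TO_TUNNEL = {"100": "Alpine", "102": "Laval"}  # from 'match address' lines
NAT_ACL = "101"                                           # from 'match ip address 101'
PORT_NAMES = {"smtp": 25, "pop3": 110}                    # IOS keywords used on the page


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: tuple            # (network as int, wildcard as int)
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    text: str


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((net, wc), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_number: [Ace, ...]} in configuration order (order matters: first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        acls.setdefault(num, []).append(Ace(num, action, proto, src, sport, dst, dport, line.strip()))
    return acls


def _addr_in(addr, net_wc):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wc = net_wc
    keep = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def ace_matches(ace, flow):
    """True if this single entry selects the flow (protocol, both addresses, any port qualifiers)."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not _addr_in(flow.src, ace.src) or not _addr_in(flow.dst, ace.dst):
        return False
    if ace.sport is not None and flow.sport != ace.sport:
        return False
    if ace.dport is not None and flow.dport != ace.dport:
        return False
    return True


def first_match(aces, flow):
    """IOS ACLs are first-match; None stands for the implicit deny at the end."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace
    return None


def evaluate(acls, flow):
    """Report NAT decision (via ACL 101) and which tunnel's crypto ACL selects the flow."""
    nat_hit = first_match(acls.get(NAT_ACL, []), flow)
    tunnels = []
    for num, name in CRYPTO_ACL_TO_TUNNEL.items():
        hit = first_match(acls.get(num, []), flow)
        if hit is not None and hit.action == "permit":
            tunnels.append(name)
    return {
        "nat_translated": nat_hit is not None and nat_hit.action == "permit",
        "nat_entry": nat_hit.text if nat_hit else "implicit deny",
        "tunnels": tunnels,
    }


if __name__ == "__main__":
    table = parse_acls(ACL_TEXT)
    for f in (Flow("tcp", "10.0.0.50", "192.168.0.10", 40000, 25),      # HQ client -> Laval SMTP
              Flow("tcp", "10.0.0.50", "192.168.123.10", 40000, 1494),  # HQ client -> Alpine ICA
              Flow("icmp", "10.0.0.6", "192.168.5.5")):                 # neither remote /24
        print(f, evaluate(table, f))
```

Running it shows that traffic from 10.0.0.x to either remote range hits the deny in ACL 101 (so it is not translated, which is what the reply describes) and is selected by the first `permit ip` line of ACL 102 or 100. The later `eq smtp ... eq smtp` and `eq 1494 ... eq 1494` entries require the source port and the destination port to both equal that value, so an ordinary client connection with an ephemeral source port never matches them; they are shadowed by the preceding `permit ip` line in any case. A destination in 192.168.0.0/16 but outside the two /24s is NAT-exempt yet matched by no crypto ACL, which is worth knowing when the exemption ACL is broader than the crypto ACLs.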
 
Yes, it has to be that way for the NAT rules to work.
The remote networks are in the 192.168.0.0 and 192.168.123.0 ranges.

The remote routers are a Linksys RV042 and a Linksys RV082.
 
I can ping from the remote sites and I can reach web pages on port 80, but anything else is a no-go.

 