Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco 837 VPN

Status
Not open for further replies.

carlson2

Technical User
Oct 17, 2005
6
GB
We are using 2 cisco 837 adsl routers,one on main site one on remote site. I managed to establish an ipsec tunnel between the two sites, but it appears not to be fully transparent, i.e. the users on the remote site cannot log on to the exchange server on the main site. Ideally we would like to have a completely open vpn tunnel. can somebody help, please?
 
only way forward with this one is to show us the config. My guess is that the encryption lists are not the same on either side and the SAs are not forming.
 
yeah if you can.

make sure you mask any passwords.

Also show the output of show crypto isakmp sa and show crypto ipsec sa (unless there are a lot of tunnels configured)
 
I do it in two steps. First the main site:


Current configuration : 5961 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SCS-ADSL-ROUTER
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip name-server 158.152.1.58
ip name-server 158.152.1.43
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 7663742 address 82.163.135.137
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.xxx.xxx.xxx
set peer 82.xxx.xxx.xxx
set transform-set ESP-3DES-SHA1
match address 105
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx-adsl@lon1-ae1b.demonadsl.co.uk
ppp chap password
ppp pap sent-username xxxxx-adsl@lon1-ae1b.demonadsl.co.uk password
ppp ipcp dns request
ppp ipcp wins request
crypto map SDM_CMAP_1
hold-queue 224 in
!
ip nat pool H323 192.168.200.10 192.168.200.10 netmask 255.255.255.0
ip nat pool SMTP 192.168.200.2 192.168.200.2 netmask 255.255.255.0
ip nat inside source static tcp 192.168.200.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.200.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.200.10 1719 interface Dialer1 1719
ip nat inside source static tcp 192.168.200.10 1720 interface Dialer1 1720
ip nat inside source static tcp 192.168.200.10 6000 interface Dialer1 6000
ip nat inside source static tcp 192.168.200.10 6001 interface Dialer1 6001
ip nat inside source static tcp 192.168.200.10 6002 interface Dialer1 6002
ip nat inside source static tcp 192.168.200.10 6003 interface Dialer1 6003
ip nat inside source static tcp 192.168.200.10 7000 interface Dialer1 7000
ip nat inside source static tcp 192.168.200.2 1723 interface Dialer1 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.168.200.2 25 interface Dialer1 25
ip nat outside source list H323 pool H323
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip access-list extended H323
remark IP Telephony
remark SDM_ACL Category=2
remark H323
permit tcp any eq 1720 host 192.168.200.10 eq 1720
logging trap debugging
logging 192.168.200.2
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 102 remark SDM_ACL Category=18
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 192 remark permit SMTP traffic
access-list 192 remark SDM_ACL Category=2
access-list 192 permit tcp any host 192.168.200.2 eq smtp
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
banner login ^C
^C
!
line con 0
login local
no modem enable
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
login local
length 0
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
Second bit = remote site:

Current configuration : 4214 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret 5
!
username
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 xxxxxxx address 83.xxx.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to83.xxx.xxx.xxx
set peer 83.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 101
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname xxxxx-webage@ukadsl
ppp chap password
ppp pap sent-username 13212-webage@ukadsl password 7 02172D573A101C0A5B
crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.100.50 1723 interface Dialer0 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 deny any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
banner login ^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
And the last bits

main site:
interface: Dialer1
Crypto map tag: SDM_CMAP_1, local addr. 83.xxx.xxx.xxx

protected vrf:
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 82.xxx.xxx.xxx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 137675, #pkts encrypt: 137675, #pkts digest 137675
#pkts decaps: 165163, #pkts decrypt: 165163, #pkts verify 165163
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 812, #recv errors 0

local crypto endpt.: 83.xxx.xxx.xxx, remote crypto endpt.: 82.xxx.xxx.xxx
path mtu 1500, media mtu 1500
current outbound spi: 29C8D91D

inbound esp sas:
spi: 0x6258F9F4(1649998324)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2014, flow_id: 15, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4384180/2277)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x29C8D91D(701028637)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2015, flow_id: 16, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4384304/2277)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:



remote site:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr. 82.xxx.xxx.xxx

protected vrf:
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 83.xxx.xxx.xxx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11015, #pkts encrypt: 11015, #pkts digest 11015
#pkts decaps: 9346, #pkts decrypt: 9346, #pkts verify 9346
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 82.xxx.xxx.xxx, remote crypto endpt.: 83.xxx.xxx.xxx
path mtu 1500, media mtu 1500
current outbound spi: 6258F9F4

inbound esp sas:
spi: 0x29C8D91D(701028637)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2014, flow_id: 15, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4467202/2653)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6258F9F4(1649998324)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2015, flow_id: 16, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4467150/2653)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
 
I would almost definately say that the IOS firewall is the problem. Remove it and use an ACL instead.

Everything else looks good. You can see the tunnel passing traffic so I would put my money on the IOS firewall.
 
I'm sorry, but you lost me there. How do I remove IOS firewall using SDM, or if I have to use commandline, how do I do that?
 
Sorry didnt realise you were using SDM.


conf t
int d0
no ip inspect DEFAULT100 out
exit

This will remove the IOS firewall from the interface, but not delete it incase you want to reapply it to the interface.

You will need to construct an outside acl permitting traffic back in though as doing this may cause your tunnels to drop and any inbound TCP connections will be blocked.
 
If after you disable the firewall it does not help then take a look at the following:

I don't know if this will help but I had a similiar situation when I extended my server to the internet for my provider to have access to. My remote VPN connected network could no longer telnet to it but the local network had no problem. Below is the fix that was put in place to fix it. Keep in mind that our port affected was 23 and yours will be different.



interface Loopback0
ip address 1.1.1.1 255.255.255.0
no ip redirects
ip route-cache flow

interface FastEthernet0/0
connected to lan
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map nostatic
duplex auto
speed auto
no keepalive
no cdp enable
no mop enabled

ip nat inside source static tcp 192.168.1.10 23 65.120.250.43 23 extendable

access-list 120 permit ip host 192.168.1.10 192.168.200.0 0.0.0.255

route-map nostatic permit 10
match ip address 120
set ip next-hop 1.1.1.2
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top