Cisco configuration problems

tetote

IS-IT--Management
Apr 23, 2010
107
MX
I configured separate networks and joined them by a VPN using Cisco routers.

These routers replaced other routers, so we basically put in the same configuration that was there before.

The networks are 192.168.5.0 and 192.168.8.0 and they are working fine.

But I have two problems:
1. When I try from one network to administrate the router via telnet from the other network it does not accept the password, so I have to go to the office. Is there a password for remote administration?

2. On the other routers there was another network configured, this one for VoIP. On one side I had 172.18.100.0 and on the other side 172.18.101.0. How do I configure these other networks?
 
1) does the remote device give you the prompt to enter a password or does it fail to connect altogether?? i want to make sure you have configured credentials for connecting via telnet
2) it depends on the number of interfaces on the new routers and whether or not you are using VLANs. if you only have a single interface then you need to do a router-on-a-stick config; something like this:
Code:
interface f0/1
 no shut
interface f0/1.5
 encapsulation dot1q <vlan_id>
 ip add 192.168.5.1 255.255.255.0
interface f0/1.100
 encapsulation dot1q <vlan_id>
 ip add 172.18.100.1 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
1) if it's not accepting the password,

check your running config under:
line vty 0 4

see what kind of authentication method is set up.
it could be local login, or it might check a server and hence you can't login because you do not have the correct rights.

if you change it to:
line vty 0 4
login local
transport input telnet

then you can telnet, using usernames that exist on that router.

cheers,


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Thanks to both.

It does prompt me for the password, but when I enter the password it does not let me in.

I do use VLANs, so I will try what you told me.

I will check the running config and let you know what it says.

 
I have tried what you guys told me with no luck, I still can not see the 172 network from one side to another.

Is there a way to send you a diagram of what I'm trying to configure?
 
you can attach a file to your posting,
or upload to somewhere like imageshack and then post a link ?

also if you can,
please post a config,

 
the URL does not work

 
What you want to do is include the 172 dot networks in the crypto acl of each ASA...in site A it will be added to the one for the 192.168.8.0/24 network...

permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

that is what it would look like, added to the existing crypto acl. You will also have to add that to the nonat acl.

Uncle---he was asking how to configure the 172 dot networks to see each other through the vpn tunnel. The devices are ASAs

Post the configs of the Site A and Site B ASAs


/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
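
The advice in the post above (add the 172.18.x.x pair to the crypto ACL on each ASA and to the nonat ACL) can be checked offline against saved configs. The following is an added example, not part of the original thread: the ACL name `outside_cryptomap` and both sample configs are constructed assumptions, a single NAT-exemption ACL per site is assumed, and only plain network/mask ACEs are parsed.

```python
import ipaddress
import re

# Matches plain "permit ip <net> <mask> <net> <mask>" ACEs only; ACEs using
# host, any or object-groups are ignored by this example.
ACE = re.compile(
    r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)

def parse_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def audit(local_cfg, remote_cfg, crypto_acl="outside_cryptomap",
          nonat_acl="inside_nat0_outbound"):
    """List local crypto ACEs with no mirror on the peer or no NAT exemption."""
    local_crypto = parse_acl(local_cfg, crypto_acl)
    remote_crypto = parse_acl(remote_cfg, crypto_acl)
    local_nonat = parse_acl(local_cfg, nonat_acl)
    findings = []
    for src, dst in sorted(local_crypto):
        if (dst, src) not in remote_crypto:
            findings.append(f"peer crypto ACL lacks mirror of {src} -> {dst}")
        if (src, dst) not in local_nonat:
            findings.append(f"no NAT exemption for {src} -> {dst}")
    return findings

# Constructed sample configs (not the poster's real ones). Site A is missing
# the VoIP entry in its NAT-exemption ACL.
SITE_A = """
access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
"""
SITE_B = """
access-list outside_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, mine, peer in (("A", SITE_A, SITE_B), ("B", SITE_B, SITE_A)):
        print(name, audit(mine, peer) or "consistent")
```
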
 
Thanks burt

If I understand correctly you want me to add the 172 network on the crypto acl, but how do I do that?

After adding the networks how do I permit the 172 networks?

I uploaded the config file from both ASAs in the same link I gave you before.

Cheers!!
 
Works for me...
well, slap my ass and call me margaret! i'm sure my filter at work was blocking me, but didn't really see this as a high priority (no offense OP)....go git em tiger!!!

 
Step away from the bottle...

 
In the northeast ASA, I would add

access-list inside_nat0_outbound extended permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

and do

no global (VoIP) 1 interface
no nat (VoIP) 0 access-list nonatVoIP
nat (VoIP) 0 access-list inside_nat0_outbound

I think...I am no ASA expert, but the NATs look wrong. The crypto acl in both are correct, but it looks like in northeast the VoIP traffic is being NATted...

Uncle---chime in!

 
burt, your suggestion looks right.

a few others i might add:
1) change the ip range of your vpn pool on the mesa ASA to be something other than 192.168.8/24. change it to 192.168.9/24 or something. be sure to add the necessary ACEs to your nonat ACLs and routes in the necessary devices
2) on the mesa ASA you are using the same outside_nat0_outbound ACL for the outside interface as well as the VOIP interface. create a separate ACL for each interface. this ACE access-list outside_nat0_outbound extended permit ip interface VoIP 172.18.101.0 255.255.255.0 needs to drop the interface VoIP and define the entire network 172.18.100.0 255.255.255.0

 
I have done what you have told me and I'm still having the same problems.
 