HELP: tunnel works but only between routers, not PCs


notShai

IS-IT--Management
May 16, 2006
35
US
I recently changed a router and T line and copied the tunnel code to the new router.

I need PCs on LAN1 to ping PCs on LAN2.
What I have now is that just the routers are able to ping everything everywhere, but not the LANs.

From router #1's CLI I can ping 192.168.1.1 or any device on its network,
and
from router #2's CLI I can ping 172.16.1.2 or any device on its network.

But locally, on the network devices on the router #1 network side,
I cannot ping the router #2 network devices (a PC in LAN1 cannot ping a PC in LAN2), and vice versa.

=====IP Legend=====
(I did a find-and-replace on the first three numbers of each)

Router#1 Serial IP 111.111.111.202
Router#1 IP 222.222.222.2

Router#2 Serial IP 333.333.333.122
Router#2 IP 444.444.444.160
=================
__
config Router #1
__

C1-1841#sh run
Building configuration...

Current configuration : 5645 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
!
!
!
ip inspect name fw1 cuseeme
ip inspect name fw1 ftp
ip inspect name fw1 udp
ip inspect name fw1 vdolive
ip inspect name fw1 streamworks
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
!
crypto isakmp key none address 10.10.10.2
!
!
crypto ipsec transform-set s1s2 esp-des esp-sha-hmac
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
! Incomplete
set peer 10.10.10.2
set transform-set s1s2
match address 108
!
!
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
tunnel source 111.111.111.202
tunnel destination 333.333.333.122
crypto map vpn
!
interface MFR1
mtu 4470
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay IETF
no ip mroute-cache
load-interval 30
no arp frame-relay
frame-relay multilink bid to gw
frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
ip address 111.111.111.202 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.248.0 secondary
ip address 222.222.222.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
interface Serial0/0/1:0
mtu 4470
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1
no arp frame-relay
!
router eigrp 100
network 10.10.10.0 0.0.0.255
network 10.10.12.0 0.0.0.255
network 172.16.0.0 0.0.7.255
no auto-summary
no eigrp log-neighbor-changes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 MFR1.500
!
!
ip http server
no ip http secure-server
ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
ip nat inside source list 120 pool swimpool overload
ip nat inside source route-map nonat interface MFR1.500 overload
ip nat inside source static 172.16.1.18 222.222.222.18
ip nat inside source static tcp 172.16.1.84 110 222.222.222.84 110 extendable
ip nat inside source static tcp 172.16.1.105 105 222.222.222.105 105 extendable
ip nat inside source static 172.16.1.105 222.222.222.105
ip nat inside source static tcp 172.16.1.104 8089 222.222.222.107 8089 extendable
ip nat inside source static 172.16.1.108 222.222.222.108
ip nat inside source static tcp 172.16.1.112 80 222.222.222.112 80 extendable
ip nat inside source static tcp 172.16.1.113 1433 222.222.222.113 1433 extendable
ip nat inside source static tcp 172.16.1.117 20 222.222.222.117 20 extendable
ip nat inside source static tcp 172.16.1.117 21 222.222.222.117 21 extendable
ip nat inside source static tcp 172.16.1.22 80 222.222.222.120 80 extendable
ip nat inside source static tcp 172.16.1.122 25 222.222.222.122 25 extendable
ip nat inside source static 172.16.1.126 222.222.222.126
ip nat inside source static tcp 172.16.1.128 3389 222.222.222.128 3389 extendable
ip nat inside source static 172.16.1.250 222.222.222.250
ip nat inside source static 172.16.1.251 222.222.222.251
ip nat inside source static 172.16.1.252 222.222.222.252
ip nat inside source static 172.16.1.253 222.222.222.253
!
access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.7.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any eq domain any
access-list 109 deny ip host 172.16.172.249 any
access-list 120 deny ip host 172.16.1.2 any
access-list 120 deny ip host 172.16.1.47 any
access-list 120 deny ip host 172.16.1.67 any
access-list 120 deny ip host 172.16.1.106 any
access-list 120 deny ip host 172.16.1.113 any
access-list 120 deny ip host 172.16.1.114 any
access-list 120 deny ip host 172.16.1.117 any
access-list 120 deny ip host 172.16.1.125 any
access-list 120 deny ip host 172.16.1.18 any
access-list 120 permit ip 172.16.0.0 0.0.7.255 any
access-list 120 deny ip host 172.16.1.124 any
access-list 120 deny ip host 172.16.1.243 any
access-list 120 deny ip host 172.16.1.90 any
access-list 120 deny ip host 172.16.1.91 any
access-list 120 deny ip host 172.16.1.104 any
access-list 120 deny ip host 172.16.1.122 any
access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.7.255 any
disable-eadi
!
route-map nonat permit 10
match ip address 130
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 20 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

__
config router #2
__

Building configuration...

Current configuration : 2337 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2620
!
no logging console
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key none address 10.10.10.1
!
!
crypto ipsec transform-set Best esp-3des esp-sha-hmac
crypto ipsec transform-set s2s1 esp-des esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
set peer 111.111.111.202
set transform-set Best
match address 100
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set s2s1
match address 108
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.10.10.2 255.255.255.0
tunnel source 333.333.333.122
tunnel destination 111.111.111.202
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 333.333.333.122 255.255.255.252
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
crypto map vpn
!
router eigrp 100
network 10.10.10.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip nat pool swim 444.444.444.161 444.444.444.174 netmask 255.255.255.240
ip nat inside source route-map nonat pool swim overload
ip classless
ip route 0.0.0.0 0.0.0.0 333.333.333.121
no ip http server
!
access-list 100 permit ip 444.444.444.160 0.0.0.15 172.16.0.0 0.0.7.255
access-list 100 permit ip 444.444.444.160 0.0.0.15 222.222.222.0 0.0.0.63
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 110 permit ip host 222.222.222.2 host 444.444.444.161
access-list 110 permit ip host 444.444.444.161 host 222.222.222.2
access-list 111 permit ip any host 444.444.444.162
access-list 111 permit ip any host 444.444.444.172
route-map nonat permit 10
match ip address 109
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 20 0
line aux 0
line vty 0 4
session-timeout 20
exec-timeout 20 0
no login
!
end
 
On your C1-1841 you don't have a crypto ACL 108:
Code:
crypto map vpn 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set s1s2
 match address 108

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Nice catch.
I added:

access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255

Same behavior still.

Does this help?

2620#traceroute 172.16.1.2

Tracing the route to 172.16.1.2

1 10.10.10.1 60 msec 196 msec *
 
1841#show crypto isakmp sa
dst src state conn-id slot status

2620#show crypto isakmp sa
dst src state conn-id slot
10.10.10.1 10.10.10.2 MM_NO_STATE 1 0
 
Change this
Code:
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
to this
Code:
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255

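The two fixes suggested in this thread (the missing crypto ACL 108 on the 1841, and the 0.0.7.0 wildcard on the 2620's ACL 109) both come down to wildcard-mask arithmetic, and the second is easy to miss by eye: a wildcard of 0.0.7.0 leaves the last octet as must-match-zero, so that deny only catches addresses such as 172.16.1.0 and lets 172.16.1.2 fall through to the permit, where route-map nonat hands the packet to NAT. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the access-list lines quoted from both configs, checks that the two crypto ACLs are mirror images of each other, and checks that the NAT-exemption ACL behind route-map nonat denies every flow the crypto ACL permits. The ACL lines are copied from the posts; the LAN2 host 192.168.1.50 and the flow pairs are constructed for the example.

```python
"""Added example: wildcard-mask checks for the crypto and NAT-exemption
ACLs quoted in this thread. Parses 'access-list N permit|deny ip SRC DST'
lines and reports (1) whether the two crypto ACLs mirror each other and
(2) whether the nonat ACL denies every flow the crypto ACL permits."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ALL_ONES = 0xFFFFFFFF
Flow = Tuple[str, str]

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Spec:
    """Address plus Cisco wildcard: set bits in wc are don't-care. A
    wildcard like 0.0.7.0 is legal but forces the last octet to be 0."""
    net: int  # stored with the don't-care bits already zeroed
    wc: int

    def matches(self, addr: int) -> bool:
        return (addr & ~self.wc & ALL_ONES) == self.net

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec

def _spec(t: List[str], i: int) -> Tuple[Spec, int]:
    if t[i] == "any":
        return Spec(0, ALL_ONES), i + 1
    if t[i] == "host":
        return Spec(_ip(t[i + 1]), 0), i + 2
    net, wc = _ip(t[i]), _ip(t[i + 1])
    return Spec(net & ~wc & ALL_ONES, wc), i + 2  # zero don't-care bits

def parse_acls(text: str) -> Dict[int, List[Ace]]:
    """{acl_number: entries in config order}; non-'ip' lines are skipped."""
    acls: Dict[int, List[Ace]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _spec(t, 4)
        dst, _ = _spec(t, i)
        acls.setdefault(int(t[1]), []).append(Ace(t[2], src, dst))
    return acls

def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First match wins; the implicit deny at the end always applies."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action
    return "deny"

def is_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """Crypto ACLs on the two peers must be each other's reverse."""
    return ({(a.action, a.src, a.dst) for a in local}
            == {(a.action, a.dst, a.src) for a in remote})

def nat_leaks(crypto: List[Ace], nonat: List[Ace],
              flows: Iterable[Flow]) -> List[Flow]:
    """Flows the crypto ACL permits but the nonat ACL does not deny, so
    route-map nonat would still hand them to NAT instead of the tunnel."""
    return [(s, d) for s, d in flows
            if evaluate(crypto, s, d) == "permit"
            and evaluate(nonat, s, d) != "deny"]

# ACL lines copied from the two configs in the thread.
R1 = parse_acls("""
access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.7.255 any""")
R2_POSTED = parse_acls("""
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255""")
R2_FIXED = parse_acls("""
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 permit ip 192.168.1.0 0.0.0.255 any""")

# Constructed flows: a hypothetical LAN2 host to three LAN1 addresses;
# 172.16.1.0 is the one the 0.0.7.0 wildcard does catch.
LAN2_TO_LAN1 = [("192.168.1.50", d)
                for d in ("172.16.1.2", "172.16.1.0", "172.16.1.105")]

def report() -> Dict[str, object]:
    return {
        "crypto_acls_mirror": is_mirror(R1[108], R2_POSTED[108]),
        "r2_posted_leaks": nat_leaks(R2_POSTED[108], R2_POSTED[109], LAN2_TO_LAN1),
        "r2_fixed_leaks": nat_leaks(R2_FIXED[108], R2_FIXED[109], LAN2_TO_LAN1),
        "r1_leaks": nat_leaks(R1[108], R1[130], [(d, s) for s, d in LAN2_TO_LAN1]),
    }

if __name__ == "__main__":
    print(report())
```

Run with python3: with ACL 109 as originally posted it lists 192.168.1.50 to 172.16.1.2 and to 172.16.1.105 as flows that would be translated rather than sent down the tunnel; with the corrected 0.0.7.255 line the list is empty, and the 1841's ACL 130 already covers the reverse direction. evaluate() can be pointed at any other source/destination pair to see which action an ACL gives it.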
 
Changed ACL 109 to:

access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 permit ip 192.168.1.0 0.0.0.255 any

It didn't change the behaviour of the VPN.
 
Issue debug crypto isakmp sa and post back the output.
