Site-to-site vpn not allowing bi-directional traffic

Status
Not open for further replies.

mooninite

Programmer
Feb 18, 2009
3
US
Cisco 877 with DSL connection to a Juniper networks router.

VPN is configured correctly, but traffic is only coming in from the Juniper. I cannot ping the internal IP of the Juniper or any PCs behind it. I can, however, come from the Juniper over to the Cisco and visit any PCs there. Another strange thing is that if I'm on a PC behind the Cisco, I can ping the PCs behind the Juniper but I cannot visit a web server or FTP server, etc. I've looked at some Wireshark capturing and I'm getting the initial connection from a PC behind the Cisco to a PC behind the Juniper but not any data. Any ideas?

I've been over and over the config setups on the Cisco and I can't find anything wrong.

I'm attaching the cisco config. If nothing is visibly wrong with the config I can check the Juniper but I don't have direct access to it.
 
A couple of quick questions before I head off to class.

I am not sure what you are saying here. In one sentence you say you cannot ping the hosts behind the Juniper, but then several sentences later you say you can ping hosts behind the Juniper, just not the Juniper internet interface itself. Please clarify (I'm sure I just read it wrong)

Are you sure you are allowing inbound ICMP on the Juniper?

Please post the Juniper config also.
 
Look familiar, slaquer? lol

This sounds like something similar to the problem you were having...

Post the Juniper config and the Cisco config (not many of us will go to an external link for anything...).

Burt
 
slaquer, I can ping from PCs behind the Cisco to PCs behind the Juniper but I cannot ping those same PCs when I am in the Cisco itself.

burtsbees, I posted a text file. If you are concerned about text files, you should upgrade your browser: Firefox, Opera, Webkit-based, etc. Or upgrade your OS: Linux.

Below is the Cisco config. I cannot post the Juniper config because I do not have access to it. The person in control of it won't let anyone else in. I'm positive they have it set up correctly because we have two other VPNs and they are working fine both ways, and I've asked them to look at it again to make sure they feel it is correct.

Building configuration...

Current configuration : 14490 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console critical
enable secret 5 test
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip tcp synwait-time 10
ip domain name test.com
ip name-server 206.34.181.16
ip name-server 206.34.181.15
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3006499758
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3006499758
revocation-check none
rsakeypair TP-self-signed-3006499758
!
!
crypto pki certificate chain TP-self-signed-3006499758
certificate self-signed 01
test
quit
!
!
username admin privilege 15 secret 5 test.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key yo@@(*^ address 65.1.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.1.1.1
set peer 65.1.1.1
set transform-set ESP-3DES-SHA2
match address 106
!
!
!
!
interface ATM0
description DSL interface to segnet
no ip address
ip route-cache flow
no atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0.35 point-to-point
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 216.1.1.1 255.255.255.248
ip access-group 103 in
ip access-group 102 out
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
crypto map SDM_CMAP_1
!
ip route 172.17.0.0 255.255.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 80400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 deny ip 216.107.208.136 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 206.34.181.16 eq domain host 216.107.208.142
access-list 101 permit udp host 206.34.181.15 eq domain host 216.107.208.142
access-list 101 permit tcp any host 216.107.208.142 eq 8588
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any host 216.107.208.142 echo-reply
access-list 101 permit icmp any host 216.107.208.142 time-exceeded
access-list 101 permit icmp any host 216.107.208.142 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 102 permit udp host 65.1.1.1 host 216.1.1.1 eq non500-isakmp
access-list 102 permit udp host 65.1.1.1 host 216.1.1.1 eq isakmp
access-list 102 permit esp host 65.1.1.1 host 216.1.1.1
access-list 102 permit ahp host 65.1.1.1 host 216.1.1.1
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.17.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 102 deny ip 192.168.100.0 0.0.0.255 any
access-list 102 permit icmp any host 216.1.1.1 echo-reply
access-list 102 permit icmp any host 216.1.1.1 time-exceeded
access-list 102 permit icmp any host 216.1.1.1 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=5
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.17.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 103 permit udp host 65.1.1.1 host 216.1.1.1 eq non500-isakmp
access-list 103 permit udp host 65.1.1.1 host 216.1.1.1 eq isakmp
access-list 103 permit esp host 65.1.1.1 host 216.1.1.1
access-list 103 permit ahp host 65.1.1.1 host 216.1.1.1
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
Hmmm...I am running Firefox...I thought it was a link and not an attachment...can you find it in your heart to forgive me?

Are you sure you want acl 102 going outbound on Di0?

Burt
 
I'll add that I was not the one who originally configured this. The person that configured it used SDM (obviously). Should I remove the line "ip access-group 102 out" for a fix?

Thanks. Yes, I forgive you.
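
The question raised above about ACL 102 being applied outbound on Dialer0 can be checked mechanically. The following is an added example, not part of the original thread or any poster's code: a first-match evaluator run over the ACL 102 entries from the posted config. The function names and the sample .10 host addresses are assumptions, and it models ACE matching only, not the order in which IOS applies crypto maps and interface ACLs.

```python
from ipaddress import IPv4Address

ACL_102 = """\
permit ip 192.168.100.0 0.0.0.255 172.17.0.0 0.0.255.255
permit udp host 65.1.1.1 host 216.1.1.1 eq non500-isakmp
permit udp host 65.1.1.1 host 216.1.1.1 eq isakmp
permit esp host 65.1.1.1 host 216.1.1.1
permit ahp host 65.1.1.1 host 216.1.1.1
permit ip 172.17.0.0 0.0.255.255 192.168.100.0 0.0.0.255
deny ip 192.168.100.0 0.0.0.255 any
permit icmp any host 216.1.1.1 echo-reply
permit icmp any host 216.1.1.1 time-exceeded
permit icmp any host 216.1.1.1 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
""".splitlines()  # ACEs of access-list 102 as posted in the thread, remarks omitted

def take_addr(tok):
    # Consume one IOS address spec: "any", "host A", or "A WILDCARD".
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(first)), int(IPv4Address(tok.pop(0)))

def covers(spec, addr):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0

def first_match(acl, proto, src, dst, qual=None):
    # First-match evaluation; qual is a port name or ICMP type such as "isakmp".
    for n, line in enumerate(acl, 1):
        tok = line.split()
        action, p = tok.pop(0), tok.pop(0)
        s, d = take_addr(tok), take_addr(tok)
        q = [t for t in tok if t not in ("eq", "log")]
        if p in ("ip", proto) and covers(s, src) and covers(d, dst) and (not q or q[0] == qual):
            return n, action
    return None, "deny"  # implicit deny that ends every ACL

if __name__ == "__main__":  # constructed flows; the .10 hosts are sample addresses
    for flow in [("tcp", "192.168.100.10", "172.17.0.10"),
                 ("esp", "216.1.1.1", "65.1.1.1"), ("esp", "65.1.1.1", "216.1.1.1")]:
        print(flow, "->", first_match(ACL_102, *flow))
```

The ISAKMP, ESP and AHP permits in ACL 102 name the peer 65.1.1.1 as source and 216.1.1.1 as destination, so a tunnel packet in the opposite direction matches nothing before the final `deny ip any any log`.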
 