VPN Routing Problem

cdbdrw

Technical User
Jul 23, 2001
4
AU
I am new to Cisco VPNs, so please be gentle.

I have two 2611 routers, the first connected to the internet, the other acting as the firewall. Currently we are terminating the VPN connections on the second router, and all IP addresses are NATed into our private network.

A secure tunnel will establish but no data will route over it. If I dial directly into our DMZ everything works fine.

Thanks in advance,

Craig.
 
So what you are saying is: you have two routers on your private network....

172.16.0.1 Router 1 <---Private & Public IP
172.16.0.2 Router 2 <---Private IP

Router 1 is connected to the internet and acting as a firewall.

Router 2 is connected to your Local private LAN but router 1 is NATing Router 2.

Is this correct? If not, let me know where I went wrong....

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Sorry, I should have explained better:

Router 1 - Public IP on Serial Interface
           Public IP on Ethernet Interface 0

Router 2 - Public IP on Ethernet Interface 0
           Private IP on Ethernet Interface 1 - 172.16.0.1

Router 1 is connected to the internet and the DMZ and acting as a filtering firewall.

Router 2 is connected to the DMZ and our private network and acting as a firewall. Any VPN connections coming in are terminated on the public side and the public IP address is changed to a private address, taken from a pool on our private network.

Again, when I dial directly into the DMZ the VPN works fine. When I dial the internet the tunnel comes up OK but no data is received.

Hope this helps.

Craig.
 
It sounds like the VPN traffic is maybe being filtered somewhere. Is Router 1 filtering any type of VPN traffic (PPTP or IPSEC traffic, protocols 47 and 50 + 51 respectively)? Is your ISP filtering this traffic?

Jason
 
From what I can tell, Bluecrack is right: it sounds like there is a filter in place blocking the traffic at Router 1 or 2. Since I don't deal much with dial-up VPNs (will be going down that road in the near future), I can't honestly say. I mainly deal with VPN tunnels between offices; armed with that experience, it has been the ACL that has tripped me up the most......

Try running your debug commands; those will give you a lot of information, and I am sure they will show you where the connection is failing. Also try logging your ACLs; if you can pinpoint the source and destination address being denied, you can open up that ACL to allow traffic to pass. You might even be able to run a Dynamic ACL for this purpose. Sorry I can't be of any more assistance on this matter. Whatever you find out, let us know; it would be good information for future use.....

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
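
The ACL-logging suggestion above, as an added example that is not part of the original thread: a Python sketch that scans router syslog for denied packets of the protocols named earlier (47, 50 and 51) and totals them per source and destination. It assumes ACL hits are logged in the Cisco IOS `%SEC-6-IPACCESSLOGNP` format; the ACL number, addresses and log lines are constructed samples.

```python
import re
from collections import Counter

# IP protocol numbers named in the thread: 47 (GRE, carries PPTP data), 50 (ESP), 51 (AH)
VPN_PROTOCOLS = {47: "GRE (PPTP)", 50: "ESP (IPsec)", 51: "AH (IPsec)"}

# Assumed format: IOS logs port-less protocols as %SEC-6-IPACCESSLOGNP
# with a numeric protocol field; TCP/UDP hits use %SEC-6-IPACCESSLOGP instead.
NP_LINE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+), "
    r"(?P<count>\d+) packets?"
)

def denied_vpn_traffic(lines):
    """Sum denied packets per (acl, protocol, src, dst) for VPN data protocols."""
    totals = Counter()
    for line in lines:
        m = NP_LINE.search(line)
        if not m or m["action"] != "denied":
            continue  # skip permits, TCP/UDP entries and unrelated syslog lines
        proto = int(m["proto"])
        if proto in VPN_PROTOCOLS:
            key = (m["acl"], VPN_PROTOCOLS[proto], m["src"], m["dst"])
            totals[key] += int(m["count"])
    return totals

def report(lines):
    """One summary line per denied flow, sorted for stable output."""
    return [f"ACL {acl} dropped {n} {proto} packet(s) {src} -> {dst}"
            for (acl, proto, src, dst), n in sorted(denied_vpn_traffic(lines).items())]

# Constructed sample log lines (documentation address ranges, hypothetical ACL 110)
SAMPLE_LOG = """\
Jul 24 09:14:02: %SEC-6-IPACCESSLOGP: list 110 permitted udp 198.51.100.7(500) -> 203.0.113.2(500), 1 packet
Jul 24 09:14:05: %SEC-6-IPACCESSLOGNP: list 110 denied 50 198.51.100.7 -> 203.0.113.2, 1 packet
Jul 24 09:19:05: %SEC-6-IPACCESSLOGNP: list 110 denied 50 198.51.100.7 -> 203.0.113.2, 37 packets
Jul 24 09:20:11: %SEC-6-IPACCESSLOGNP: list 110 denied 47 198.51.100.9 -> 203.0.113.2, 4 packets
Jul 24 09:21:40: %SEC-6-IPACCESSLOGNP: list 110 permitted 51 198.51.100.7 -> 203.0.113.2, 1 packet
Jul 24 09:22:13: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.20(4411) -> 203.0.113.2(23), 1 packet
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A non-empty report for the VPN peers while the tunnel shows as established matches the symptom described in the thread: negotiation is permitted, but the data protocol is dropped by an ACL.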
 
Thanks for the tips. I will let you know if I figure it out.

Craig.
 