VPN tunnel is up but no traffic from end to end

tanker135 (MIS), Sep 8, 2003, 14, US
Folks,

Using two 501s, I have two good tunnel lights but cannot ping end to end. Included here are my scripts and screen dumps. Any help you can give would be great.


nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Warehouse
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baseT
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.248.86 255.255.255.252
ip address inside 172.18.128.1 255.255.255.224
arp timeout 14400
nat 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xxx.xxx.248.85 1
conduit permit icmp any any
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.208.137
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key abc123 address xxx.xxx.208.137 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80


nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HQ
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 172.18.0.0 255.255.192.0 172.18.128.0 255.255.255.224
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baseT
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.208.137 255.255.255.128
ip address inside 172.18.0.30 255.255.192.0
arp timeout 14400
nat 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xxx.xxx.208.129 1
conduit permit icmp any any
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.248.86
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key abc123 address xxx.xxx.248.86 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80

Warehouse(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
xxx.xxx.248.86 xxx.xxx.208.137 QM_IDLE 0 1



Warehouse(config)# sh crypto ipsec sa


interface: outside
Crypto map tag: transam, local addr. xxx.xxx.248.86

local ident (addr/mask/prot/port): (172.18.128.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.18.0.0/255.255.192.0/0/0)
current_peer: 12.33.208.137
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xxx.xxx.248.86, remote crypto endpt.: xxx.xxx.208.137
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 74fa6438

inbound esp sas:
spi: 0x1a653fd1(442843089)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/27827)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x74fa6438(1962566712)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4608000/27818)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:


Warehouse(config)#
 
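The counter lines in the `sh crypto ipsec sa` dump above are the most telling part of the post: `#pkts encaps: 0` together with `#pkts decaps: 3` means the Warehouse PIX is decrypting packets that arrive from HQ but never encrypts anything in return. The script below is an added example written for this page, not part of the original thread and not a Cisco tool; it parses that output (a constructed copy of the dump above is embedded as sample input), classifies the traffic direction from the encaps/decaps pair, and checks whether a given host actually falls inside the local proxy identity, which is the question the thread finally resolves by hand. The function names, state labels and hint text are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the counter section of "sh crypto ipsec sa" as posted
# by the Warehouse PIX above (public addresses masked exactly as in the post).
SAMPLE_SA = """\
interface: outside
Crypto map tag: transam, local addr. xxx.xxx.248.86

local ident (addr/mask/prot/port): (172.18.128.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.18.0.0/255.255.192.0/0/0)
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#send errors 0, #recv errors 0
"""

# PIX 6.x prints some counters with a colon ("encaps: 0") and some without ("digest 0").
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify):? (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)


def parse_ipsec_sa(text):
    """Pull packet counters, error counters and proxy identities out of the output."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    errors = {name: int(val) for name, val in ERROR_RE.findall(text)}
    # The identities are printed as address/netmask; ipaddress accepts that form.
    idents = {
        side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for side, addr, mask in IDENT_RE.findall(text)
    }
    return {"counters": counters, "errors": errors, "idents": idents}


def classify(counters):
    """Map the encaps (sent) / decaps (received) pair to one of four traffic states."""
    tx, rx = counters.get("encaps", 0), counters.get("decaps", 0)
    if tx == 0 and rx == 0:
        return "IDLE"
    if tx == 0:
        return "RX_ONLY"
    if rx == 0:
        return "TX_ONLY"
    return "BIDIRECTIONAL"


# Example's own hint text for each state (not Cisco wording).
HINTS = {
    "IDLE": "SA is up but carries nothing: interesting traffic is not reaching this "
            "PIX or does not match the crypto ACL.",
    "RX_ONLY": "Peer traffic is decrypted and forwarded inside, but nothing comes back: "
               "the target host is not on the local protected subnet, is down, or does "
               "not route its replies through this PIX.",
    "TX_ONLY": "Local traffic is encrypted and sent, but no replies arrive: check the "
               "same things on the peer side.",
    "BIDIRECTIONAL": "Tunnel passes traffic both ways; look at host firewalls, "
                     "conduits/ACLs or the application instead.",
}


def analyze(text):
    """Parse the output and attach a state, a hint and an error flag."""
    sa = parse_ipsec_sa(text)
    sa["state"] = classify(sa["counters"])
    sa["hint"] = HINTS[sa["state"]]
    sa["has_errors"] = any(v > 0 for v in sa["errors"].values())
    return sa


def host_in_local_subnet(text, host):
    """True when `host` is inside the local proxy identity, i.e. the tunnel would carry it."""
    sa = parse_ipsec_sa(text)
    return ipaddress.ip_address(host) in sa["idents"]["local"]


if __name__ == "__main__":
    result = analyze(SAMPLE_SA)
    print(result["state"], "-", result["hint"])
    for host in ("172.18.128.20", "172.18.129.20"):
        print(host, "in local ident:", host_in_local_subnet(SAMPLE_SA, host))
```

Feed it the pasted output of `show crypto ipsec sa` from either PIX. The `RX_ONLY` state is exactly the symptom in this thread, and `host_in_local_subnet` answers, for any candidate ping target, the question the final post settles by hand: a host outside 172.18.128.0/27 will never be carried by this SA no matter how healthy the tunnel lights look.
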
Config looks fine except for using the same ACL for nat 0 and the crypto map, which is not advisable. You should create one for each function, even though they are the same.

Although this looks more like your keys aren't being exchanged properly; try typing them in again.

Jan
 
Jan,

I've made the changes to the ACL with no change in status. This should be a slam-dunk install but it is fighting me all the way. Here are the configs now with the changes. I slightly changed the key on both. As it sits, I've got two good tunnel lights but still no talky between.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HQ
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 172.18.0.0 255.255.192.0 172.18.128.0 255.255.255.224
access-list 101 permit icmp 172.18.0.0 255.255.192.0 172.18.128.0 255.255.255.224
access-list 110 permit ip 172.18.0.0 255.255.192.0 172.18.128.0 255.255.255.224
access-list 110 permit icmp 172.18.0.0 255.255.192.0 172.18.128.0 255.255.255.224
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baseT
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.208.137 255.255.255.128
ip address inside 172.18.0.30 255.255.192.0
arp timeout 14400
nat 0 access-list 110
route outside 0.0.0.0 0.0.0.0 xxx.xxx.208.129 1
conduit permit icmp any any
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.248.86
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp key 1Abc123 address xxx.xxx.248.86 netmask 255.255.255.255
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Warehouse
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list 101 permit icmp 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list 110 permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list 110 permit icmp 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baseT
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.248.86 255.255.255.252
ip address inside 172.18.128.1 255.255.255.224
arp timeout 14400
nat 0 access-list 110
route outside 0.0.0.0 0.0.0.0 xxx.xxx.248.85 1
conduit permit icmp any any
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.208.137
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp key 1Abc123 address xxx.xxx.208.137 netmask 255.255.255.255
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80
 
Oooh, I see the problem. That script is not the actual config, it is your script, right?

The command nat 0 needs an interface in it: "nat (inside) 0 access-list zzz"

Oh, and by the way, don't put ICMP statements in your crypto ACL; they are not used, the ip ACL line covers it all.

Also, you might want to remove that conduit permit icmp any any and put another ACL on the outside interface permitting icmp-reply back in, and icmp echo if you need it.

Jan
 
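Jan's two replies make four separate points about the posted config: `nat 0` needs an interface, the crypto map and `nat 0` should not share an ACL, ICMP lines in the crypto ACL are redundant, and `conduit permit icmp any any` should give way to an outside ACL that admits only the ICMP replies you need. The checker below is an added example written for this page (not Cisco's and not Jan's code); it runs those four checks over a constructed excerpt of the Warehouse config and over a corrected version of the same fragment. The ACL names `vpn-traffic`, `nonat` and `outside_in` in the corrected fragment are assumptions chosen for illustration, as is the choice to admit echo-reply, unreachable and time-exceeded inbound.

```python
import re

# Constructed excerpt of the Warehouse config posted above: only the lines the checks read.
POSTED = """\
access-list 101 permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list 101 permit icmp 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
nat 0 access-list 101
conduit permit icmp any any
sysopt connection permit-ipsec
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.208.137
crypto map transam interface outside
"""

# The same fragment with the four recommendations applied. ACL names are hypothetical.
FIXED = """\
access-list vpn-traffic permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list nonat permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address vpn-traffic
crypto map transam 1 set peer xxx.xxx.208.137
crypto map transam interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) ")
NAT0_RE = re.compile(r"^nat (\(\S+\) )?0 access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


def lint(config):
    """Return (level, message) findings for the four mistakes discussed in the thread."""
    acl_protocols = {}   # ACL name -> protocol keyword of each entry
    nat0_acls = set()    # ACLs referenced by nat 0 (NAT exemption)
    crypto_acls = set()  # ACLs referenced by a crypto map "match address"
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acl_protocols.setdefault(m.group(1), []).append(m.group(3))
            continue
        m = NAT0_RE.match(line)
        if m:
            if m.group(1) is None:
                findings.append(("ERROR", f"'{line}' has no interface; use "
                                 f"'nat (inside) 0 access-list {m.group(2)}'"))
            nat0_acls.add(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acls.add(m.group(3))
            continue
        if line == "conduit permit icmp any any":
            findings.append(("WARN", "conduit permits all ICMP inbound; replace it with an "
                             "outside access-list that permits only echo-reply "
                             "(and echo if you need it)"))
    # One ACL serving both NAT exemption and the crypto map.
    for acl in sorted(nat0_acls & crypto_acls):
        findings.append(("WARN", f"access-list {acl} is used by both nat 0 and the crypto "
                         "map; give each function its own ACL"))
    # Non-ip entries in a crypto ACL add nothing once the ip line is there.
    for acl in sorted(crypto_acls):
        extra = sorted({p for p in acl_protocols.get(acl, []) if p != "ip"})
        if extra:
            findings.append(("WARN", f"crypto ACL {acl} has {', '.join(extra)} entries; "
                             "the ip line already covers them"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label} ==")
        for level, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"{level}: {msg}")
```

The checks are deliberately narrow: they match the exact PIX 6.x forms used in the thread and do not try to parse an entire configuration. The `FIXED` fragment also shows the shape Jan describes for the outside interface: an access-list applied with `access-group ... in interface outside` instead of a blanket conduit.
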
Folks,

I figured it out. It helps to have the host being pinged be on the correct network :( Thanks for the help.
 