Damien Silman
Beginner

877 to Juniper VPN: Routing issues

Hi all,

I must admit, I'm quite new to Cisco routers, although being more than comfortable with Cisco switches.

I've so far configured my Cisco 877 router, so that it connects to our ADSL line using PPPOA, and have successfully configured phase 1 and 2 negotiations between it and our Juniper firewall.

The VPN comes up, I can ping the router from our HO, the router can ping our HO. However, nothing can ping any local kit to the router.

I've tried various configurations of access lists and such to remedy this, to no avail.

Please could you rip apart my below configuration and tell me which bits I have wrong, and which bits are terribly wrong?

FYI: router is hosted at site B, 172.30.44.0 255.255.255.0

Juniper Firewall is hosted at site A (HO) 172.20.0.0 255.255.0.0


Thanks in advance!

W4RegentSt#show run
Building configuration...

Current configuration : 3456 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname W4RegentSt
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 <-scratched->
enable password <-scratched->
!
no aaa new-model
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 172.30.44.1 172.30.44.10
ip dhcp excluded-address 172.30.44.1 172.30.44.100
!
ip dhcp pool dpool1
   import all
   network 172.30.44.0 255.255.255.0
   subnet prefix-length 24
   default-router 172.30.44.1
   dns-server 172.30.44.1 172.20.0.222 172.20.0.221
   netbios-name-server 172.20.0.221 172.20.0.222
!
!
ip cef
ip domain name gratte.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <-scratched-> address <-HO PUBLIC IP-> no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
 set transform-set 3DESSHA
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 description --- IPSec Tunnel to KX ---
 ip address 172.30.44.1 255.255.0.0
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer0
 tunnel destination <-HO PUBLIC IP->
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <-USERNAME->
 ppp chap password 0 <-PASSWORD->
 ppp pap sent-username <-USERNAME-> password 0 <-PASSWORD->
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.0.0 255.255.0.0 Tunnel0
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
!
!
!
snmp-server community public RO
!
control-plane
!
banner motd ^C
You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now.  If
you fail to disconnect we will find you...
^C
!
line con 0
 password <-SCRATCHED->
 login
 no modem enable
line aux 0
line vty 0 4
 password <-SCRATCHED->
 login
!
scheduler max-task-time 5000
end

ACCEPTED SOLUTION
DuncanM2008
Beginner

Hello Damien,

I would start with two things that are related and aren't included in your config snippet:

"
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
"

Could you display the access-lists that are used for defining "interesting" traffic for NAT purposes?

My line of thinking is that your VPN traffic isn't being excluded from NAT hence no communication.

HTH,

Dunc.


5 REPLIES

Hi Duncan,

Thanks for the response, it isn't a snippet as such, but the whole thing.

Before I configured the VPN and was just on straight ADSL/PPPOA I had:

access-list 1 permit 172.30.44.0 255.255.255.0

From what you've said I believe the rest since the VPN has been very much lost in translation.

OK, config now reads:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255

still not playing ball though.

Still not figured this out.

I have the following ip routes:

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.0.0 255.255.0.0 Tunnel0

Dialer0 is the ADSL PPP connection, Tunnel0 is my VPN.

Additionally my NAT is defined as follows:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255

Our main site is on a 172.20.0.0 /16 subnet, the remote site (where this Cisco 877 router is) is on a 172.30.44.0 /24 subnet.

I need these two subnets to communicate, no traffic is required outside of the VPN.

What have I done wrong and what do I need to do?

Hope someone can help!

Thanks,

Damien.

Figured this out; made the following changes:

Originally:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255

Now:

ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
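The two things that changed between the "Originally" and "Now" snippets are that the standard list 1 (which permitted every LAN source, VPN-bound or not) is no longer bound to NAT, and that the deny for LAN-to-HO traffic now sits before the "permit ... any" instead of after it, where it could never be reached. The small Python model below is an added example for this thread, not part of any post and not Cisco code: it parses the access-list lines exactly as Damien posted them, evaluates them with IOS first-match semantics (implicit deny at the end), and decides whether a packet would be translated. It assumes, as a simplification, that a packet is NATed whenever any ACL bound by an "ip nat inside source list" statement permits it; the Match class also lets you check what his earlier "access-list 1 permit 172.30.44.0 255.255.255.0" (a subnet mask typed where a wildcard belongs) actually matched.

```python
"""Model of Cisco IOS access-list first-match evaluation and the NAT
'interesting traffic' check. Added example, not IOS code. Simplifying
assumption: a packet is translated when ANY bound NAT ACL permits it."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

@dataclass(frozen=True)
class Match:
    """An IOS address/wildcard pair. A wildcard bit of 1 means 'don't care',
    so a subnet mask typed where a wildcard belongs matches the wrong hosts."""
    addr: int
    wildcard: int

    def covers(self, ip: str) -> bool:
        care = (~self.wildcard) & 0xFFFFFFFF
        return (ip_int(ip) & care) == (self.addr & care)

ANY = Match(0, 0xFFFFFFFF)

@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: Match
    dst: Match

def _consume_match(tokens: List[str]) -> Tuple[Match, List[str]]:
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare host address
    from the front of the token list; return the Match and the remainder."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return Match(ip_int(tokens[1]), 0), tokens[2:]
    if len(tokens) == 1:
        return Match(ip_int(tokens[0]), 0), []
    return Match(ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]

def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect 'access-list N ...' lines per number, keeping their order.
    Standard lists (1-99) match on source only; extended lists are handled in
    the 'ip SRC DST' form used in the thread. Remarks are skipped."""
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = tokens[1], tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action in: {raw}")
        if int(number) <= 99:
            src, _ = _consume_match(tokens[3:])
            dst = ANY
        else:
            if tokens[3] != "ip":
                raise ValueError(f"only 'ip' entries are modelled: {raw}")
            src, rest = _consume_match(tokens[4:])
            dst, _ = _consume_match(rest)
        acls.setdefault(number, []).append(AclEntry(action, src, dst))
    return acls

def parse_nat_lists(config: str) -> List[str]:
    """ACL numbers bound by 'ip nat inside source list N interface ...' lines."""
    return [raw.split()[5] for raw in config.splitlines()
            if raw.split()[:5] == ["ip", "nat", "inside", "source", "list"]]

def acl_decision(entries: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; no match is the implicit deny. A 'deny'
    placed after 'permit ... any' is therefore never reached."""
    for e in entries:
        if e.src.covers(src) and e.dst.covers(dst):
            return e.action
    return "deny"

def is_translated(config: str, src: str, dst: str) -> bool:
    """Would src->dst be NATed under the assumption in the module docstring?"""
    acls = parse_acls(config)
    return any(acl_decision(acls.get(n, []), src, dst) == "permit"
               for n in parse_nat_lists(config))

# Damien's "Originally" and "Now" snippets from the thread, verbatim.
ORIGINAL = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
"""
FIXED = """\
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 deny   ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
"""
```

Running is_translated(ORIGINAL, "172.30.44.50", "172.20.0.10") returns True for two independent reasons: list 1 permits any LAN source, and in list 100 the "permit ... any" is hit before the deny for 172.20.0.0/16. Under FIXED the same packet is exempted while 172.30.44.50 to 8.8.8.8 is still translated, which is the outcome the thread ends on. The wildcard check is worth trying too: Match(ip_int("172.30.44.0"), ip_int("255.255.255.0")) covers only addresses whose last octet is 0, so the pre-VPN list 1 would not have matched 172.30.44.50 at all.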