09-14-2012 01:18 PM - edited 03-04-2019 05:34 PM
Hi all,
I must admit, I'm quite new to Cisco routers, although being more than comfortable with Cisco switches.
I've so far configured my Cisco 877 router, so that it connects to our ADSL line using PPPOA, and have successfully configured phase 1 and 2 negotiations between it and our Juniper firewall.
The VPN comes up, I can ping the router from our HO, the router can ping our HO. However, nothing can ping any local kit to the router.
I've tried various configurations of access lists and such to remedy this, to no avail.
Please could you rip apart my below configuration and tell me which bits I have wrong, and which bits are terribly wrong?
FYI: router is hosted at site B, 172.30.44.0 255.255.255.0
Juniper Firewall is hosted at site A (HO) 172.20.0.0 255.255.0.0
Thanks in advance!
W4RegentSt#show run
Building configuration...
Current configuration : 3456 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname W4RegentSt
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 <-scratched->
enable password <-scratched->
!
no aaa new-model
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 172.30.44.1 172.30.44.10
ip dhcp excluded-address 172.30.44.1 172.30.44.100
!
ip dhcp pool dpool1
import all
network 172.30.44.0 255.255.255.0
subnet prefix-length 24
default-router 172.30.44.1
dns-server 172.30.44.1 172.20.0.222 172.20.0.221
netbios-name-server 172.20.0.221 172.20.0.222
!
!
ip cef
ip domain name gratte.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <-scratched-> address <-HO PUBLIC IP-> no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.44.1 255.255.0.0
ip ospf mtu-ignore
load-interval 30
tunnel source Dialer0
tunnel destination <-HO PUBLIC IP->
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname <-USERNAME->
ppp chap password 0 <-PASSWORD->
ppp pap sent-username <-USERNAME-> password 0 <-PASSWORD->
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.0.0 255.255.0.0 Tunnel0
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
!
!
!
snmp-server community public RO
!
control-plane
!
banner motd ^C
You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now. If
you fail to disconnect we will find you...
^C
!
line con 0
password <-SCRATCHED->
login
no modem enable
line aux 0
line vty 0 4
password <-SCRATCHED->
login
!
scheduler max-task-time 5000
end
09-14-2012 03:32 PM
Hello Damien,
I would start with two things that are related and aren't included in your config snippet:
"
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
"
Could you display the access-lists that are used for defining "interesting" traffic for NAT purposes?
My line of thinking is that your VPN traffic isn't being excluded from NAT hence no communication.
HTH,
Dunc.
09-14-2012 03:59 PM
Hi Duncan,
Thanks for the response, it isn't a snippet as such, but the whole thing.
Before I configured the VPN and was just on straight ADSL/PPPOA I had:
access-list 1 permit 172.30.44.0 255.255.255.0
From what you've said I believe the rest since the VPN has been very much lost in translation.
09-14-2012 08:36 PM
ok, config now reads:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
Still not playing ball though.
09-17-2012 02:13 AM
Still not figured this out.
I have the following ip routes:
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.0.0 255.255.0.0 Tunnel0
Dialer0 is the ADSL PPP connection, Tunnel0 is my VPN.
Additionally my NAT is defined as follows:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
Our main site is on a 172.20.0.0 /16 subnet, the remote site (where this Cisco 877 router is) is on a 172.30.44.0 /24 subnet.
I need these two subnets to communicate, no traffic is required outside of the VPN.
What have I done wrong and what do I need to do?
Hope someone can help!
Thanks,
Damien.
09-17-2012 12:10 PM
Figured this out; made the following changes:
Originally:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
Now:
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
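To see why Dunc's suspicion (VPN traffic not excluded from NAT) and Damien's final fix line up, here is an added example, written for this page and not taken from the thread or from Cisco, that models how IOS evaluates the NAT access lists: first matching entry wins, no match is an implicit deny, and a packet is translated by the first "ip nat inside source list" rule whose list permits it. The NAT statements and access lists are copied from the posts above; the three sample packets (a site-B host to a HO host, a site-B host to the Internet, and the original mask-used-as-wildcard line) are constructed for the example, and only plain "ip" entries are parsed, since the thread uses nothing else.

```python
"""Model IOS first-match ACL evaluation against 'ip nat inside source list' rules.
Added example for this thread, not Cisco code; handles only 'ip' extended entries."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddrSpec:
    """An IOS address/wildcard pair. Wildcard bits set to 1 are 'don't care' bits."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


ANY = AddrSpec(0, 0xFFFFFFFF)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def wildcard_matches(addr: str, wildcard: str, ip: str) -> bool:
    """Does 'addr wildcard', as written in an ACL entry, cover ip?"""
    spec = AddrSpec(int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard)))
    return spec.matches(ip)


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', 'A WILDCARD', or a bare host A."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens):
        return AddrSpec(addr, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return AddrSpec(addr, 0), i + 1


def parse_config(text: str):
    """Collect numbered ACLs and 'ip nat inside source list N interface X' rules in config order."""
    acls, nat_rules = {}, []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 8 and t[:5] == ["ip", "nat", "inside", "source", "list"] and t[6] == "interface":
            nat_rules.append((int(t[5]), t[7]))
        elif len(t) >= 3 and t[0] == "access-list":
            entries = acls.setdefault(int(t[1]), [])
            if t[2] == "remark":
                continue
            if t[3] == "ip":                    # extended entry: action ip SRC DST
                src, i = _parse_addr(t, 4)
                dst, _ = _parse_addr(t, i)
            else:                               # standard entry: action SRC (destination is implicit any)
                src, _ = _parse_addr(t, 3)
                dst = ANY
            entries.append(AclEntry(t[2], src, dst))
    return acls, nat_rules


def acl_permits(entries, src: str, dst: str) -> bool:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for e in entries:
        if e.src.matches(src) and e.dst.matches(dst):
            return e.action == "permit"
    return False


def nat_interface(config: str, src: str, dst: str) -> Optional[str]:
    """Outside interface whose NAT rule would translate src->dst, or None if the flow is exempt."""
    acls, rules = parse_config(config)
    for acl_num, iface in rules:
        if acl_permits(acls.get(acl_num, []), src, dst):
            return iface
    return None


# Config fragments copied from the thread (NAT statements and access lists only).
ORIGINAL_NAT = """
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface FastEthernet0 overload
access-list 1 permit 172.30.44.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.30.44.0 0.0.0.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
access-list 100 remark
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
"""
FIXED_NAT = """
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 deny ip 172.30.44.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 172.30.44.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed sample flows: site-B host to a HO host, and site-B host to the Internet.
    for name, cfg in (("original", ORIGINAL_NAT), ("fixed", FIXED_NAT)):
        for dst in ("172.20.0.10", "8.8.8.8"):
            print(f"{name:8} 172.30.44.50 -> {dst:12} NAT via {nat_interface(cfg, '172.30.44.50', dst)}")
```

Running it shows the two problems at once: in the original config, list 1 permits the whole 172.30.44.0/24 with no exemption, so VPN-bound traffic is translated on Dialer0 before list 100 is ever consulted, and even list 100 on its own would translate it because the "permit ... any" sits above the deny for 172.20.0.0/16. In the fixed config the deny is first, so a site-B to HO packet is exempt (None) while Internet-bound traffic is still translated. The wildcard helper also shows why the very first "access-list 1 permit 172.30.44.0 255.255.255.0" never matched ordinary hosts: a subnet mask used as a wildcard only constrains the last octet to be zero.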