cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1212
Views
15
Helpful
10
Replies

Cisco 881 VPN Help

sjsteve33171
Level 1
Level 1

Hi All,

I'm not cisco trained nor ever worked with cisco, im a complete newbie when it comes to Cisco platforms. We are a IT Support MSP and we've recently taken on a customer who has an office abroad using a Cisco 881 device with a Draytek router in the UK. Site to site connectivity is required. I've looked around and watched some youtube videos on how to setup the VPN and believe i have this in place using the below config on the cisco:

 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address *******
!
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer **********
 set transform-set sha3des
 set pfs group2
 match address UK

!

interface FastEthernet4
 ip address <WAN IP> <WAN SUBNET>
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN

!
interface Vlan1
 ip address <WAN IP 2> <WAN SUBNET> secondary
 ip address <LAN IP> 255.255.255.0
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
!

ip access-list extended UK
 permit ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

 

The VPN shows it up and active but there is no traffic flow between the two and i have no idea why...

 

Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: <REMOTE WAN> port 500
  IKEv1 SA: local <LOCAL WAN>/500 remote <REMOTE WAN>/500 Active
  IPSEC FLOW: permit ip <REMOTE LAN>/255.255.255.0 <LOCAL LAN>/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip <LOCAL LAN>/255.255.255.0 <REMOTE LAN>/255.255.255.0
        Active SAs: 2, origin: crypto map

 

So it all looks fine, however if i try and ping the remote sites router over the remote LAN ip i get the following:

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <REMOTE IP>, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

I also cannot ping from remote site into the Cisco lan.

 

I believe this is down to the cisco end, the Draytek is a basic router and no routing is able to be configured. It does it automatically. So the VPN is up, no traffic flow..

 

Please can someone point me in the right directoin?

 

Thank You

1 Accepted Solution

Accepted Solutions

The extra ip route doesn't harm although it's not needed. I like these extra routes as they can serve as a kind of "inline documentation" when used with an additional "name" keyword at the end.

Your NAT-ACL doesn't exclude the traffic. Just add the following:

ip access-list ext 102
  1 deny ip <local LAN> 0.0.0.255 <remote LAN> 0.0.0.255

View solution in original post

10 Replies 10

1) The following line in the ACL is not needed and can be removed:

 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

You only need to specify the traffic that your router needs to protect.

2) Your test seems to be wrong. If you ping from your router, by default the source IP is the publics interface IP address. The traffic from that IP to the remote LAN is not part of the crypto-definition. test it from a LAN-PC or specify the source interface when you ping from the router.

3) A possible problem is that you also have NAT configured, but you didn't exclude the VPN-traffic from NAT. Make sure your NAT-ACL has a deny statement at the beginning for the locat to remote-subnet.

Hi Karsten,

 

Thanks for the pointer.

 

1) I have removed the permit  as stated.

2) I wasn't aware of that, so thank you, makes perfect sense, i shall try and access a PC there.

3) Please could you look at the below and advise? By the looks of it im assuming its not excluded:

 

!
ip nat pool PORTFWD <LAN MACHINE> <LAN MACHINE> netmask 255.255.255.0 type rotary
ip nat inside source list 102 interface FastEthernet4 overload
ip nat inside source static tcp <LAN MACHINE> 25 <WAN IP> 25 extendable
ip nat inside source static tcp <LAN MACHINE> 110 <WAN IP> 110 extendable
ip nat inside source static tcp <LAN MACHINE> 3000 <WAN IP> 3000 extendable
ip nat inside source static udp <LAN MACHINE> 30000 <WAN IP> 30000 extendable
ip nat inside source static udp <LAN MACHINE> 30030 <WAN IP> 30030 extendable
ip nat inside source static tcp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static udp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static tcp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static udp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static tcp <LAN MACHINE> 6001 <WAN IP> 6001 extendable
ip nat inside source static tcp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside source static udp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside destination list 100 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 <GATEWAY IP >
ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>
!

access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any

 

I'm assuming i need to

1) Remove ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>

2) Adjust source-list 102 with a deny of some sort?

 

Thanks again

The extra ip route doesn't harm although it's not needed. I like these extra routes as they can serve as a kind of "inline documentation" when used with an additional "name" keyword at the end.

Your NAT-ACL doesn't exclude the traffic. Just add the following:

ip access-list ext 102
  1 deny ip <local LAN> 0.0.0.255 <remote LAN> 0.0.0.255

Hi Karsten,

You were exactly spot on! After adding that line into 102, i can now ping from UK to Abroad. Do i need to add another line for:

 

2 deny ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

 

To allow communication both ways or is that enough to work now?

 

The list currently shows:

access-list 102 deny   ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any

2 deny ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

is not needed. When coming from "nat inside" to "nat outside" (as per interface config) your router will never see a source of REMOTE-LAN. And only that's what needs to be specified.

Ok Thank you Karsten, i've marked you as correct. If i could get you a few beers i would!

 

Thank You Again

Great that it works! And I'll come back to you for the beer eventually ... ;-)

Hi Karsten,

 

Sorry i have another issue!

 

Since fixed :)

I don't really understand what your setup is and what communication fails. A little diagram could help.

Couldn't telnet on TCP

 

I altered

 

access-list 100 permit udp any any range 30000 30030

 

to

 

access-list 100 permit udp any any

access-list 100 permit tcp any any

 

It done the trick.

Review Cisco Networking for a $25 gift card