07-29-2015 11:31 PM - edited 03-05-2019 01:58 AM
Hi,
I have a Cisco 881 router which I configured as an IPsec VPN router. My problem is that I cannot route from the IP after the host tunnel gateway. Please help; details of my configuration are below.
Building configuration...
Current configuration : 3206 bytes
!
! Last configuration change at 05:53:23 UTC Thu Jul 30 2015
! NVRAM config last updated at 05:49:02 UTC Thu Jul 30 2015
!
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname PLDT_iGATE
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
no logging console
enable secret 5 $1$t567$n1hGZj5Vp5OLXYNYo2Qfi0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local none
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.201.3.1 10.201.3.10
ip dhcp excluded-address 10.201.3.253
ip dhcp excluded-address 10.201.3.254
!
ip dhcp pool network30dhcp
network 10.201.3.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 10.201.3.5
lease 5
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL1542227S
!
!
username admin privilege 15 secret 5 $1$j09z$CnaFr4zLRQM4uY.FNbkpu0
!
!
!
policy-map SHAPE-20
class class-default
shape average 9500000 95000 0
!
!
crypto logging session
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key owteltest address 118.140.111.xx
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap local-address FastEthernet4
crypto map mymap 100 ipsec-isakmp
description VPN between PH Office HGC and Client Office
set peer 118.140.111.xx
set transform-set myset
match address 100
!
!
!
!
!
interface FastEthernet0
description " Connected to Private Lan "
switchport access vlan 30
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 210.213.64.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Vlan1
ip address 10.201.3.5 255.255.255.0
ip nat inside
ip virtual-reassembly
load-interval 30
shutdown
!
interface Vlan20
ip address 10.0.2.5 255.255.255.0
!
interface Vlan30
ip address 10.201.3.5 255.255.255.0
ip nat inside
ip virtual-reassembly
load-interval 30
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 210.213.64.217
ip route 0.0.0.0 0.0.0.0 118.140.111.94
ip route 10.1.0.0 255.255.0.0 210.213.64.217
ip route 10.201.3.0 255.255.255.0 118.140.111.xx name Firewall
!
ip access-list extended VPN
!
access-list 1 permit 10.201.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 120 permit ip 10.201.3.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.201.3.0 0.0.0.255
access-list 135 deny ip 10.1.1.0 0.0.0.255 10.201.3.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication owtel123
!
scheduler max-task-time 5000
end
Thanks,
Dennis
07-30-2015 06:34 AM
The IPSec configuration looks ok, but it's not clear to me what the encryption domain is. That's your definition in ACL 100. Which pairs of networks do you want to protect with IPSec? The destination network should be reachable over FastEthernet4, so the traffic destined to it will be encrypted.
Please also check if you have a route to 118.140.111.94 in your routing table.
08-02-2015 09:43 PM
It's working now thanks for all your help
08-03-2015 10:40 PM
Dear Dennis,
How did you solve this issue, and what was the problem?
08-06-2015 08:34 PM
Thanks to trfinkenstadt, all the info regarding NAT and ACLs resolved my issue. I followed what he wrote.
Thanks,
Dennis
07-31-2015 05:09 PM
I think you have a problem with NAT because all your traffic goes into NAT. You must create two ACLs
and deny NAT for VPN traffic.
07-31-2015 07:34 PM
You have a few issues. One is your static routes:
ip route 0.0.0.0 0.0.0.0 210.213.64.217
ip route 0.0.0.0 0.0.0.0 118.140.111.94
ip route 10.1.0.0 255.255.0.0 210.213.64.217
ip route 10.201.3.0 255.255.255.0 118.140.111.xx name Firewall
118.140.111.xx addresses appear to be on the far side of the IPsec tunnel. You probably want to remove the static default route. Also, the last route for 10.201.3.0/24 matches your VLAN 30 connected subnet. It looks like it is supposed to be on the other router, given the IP address ranges provided elsewhere.
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Your ACL 100 looks a little strange. I think you need to revisit this and figure out what subnets are on either side of your IPSEC tunnel and fix these. I imagine it should look something like this:
access-list 100 permit ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255
Finally, you may need to address your NAT setup. Change it from using a standard ACL to an extended. Something like the following:
ip access-list extended NAT-2-INTERNET
deny ip 10.201.3.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 10.201.3.0 0.0.0.255 any
I guessed at the subnet in the other office from other parts of your provided configuration.
HTH,
tim
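An added example (not from the thread or from Cisco) that models why Tim's NAT change matters: on IOS, inside-to-outside NAT translation runs before the crypto map is consulted, so a packet that the NAT ACL permits leaves with the WAN address and no longer matches the crypto ACL. The WAN address 210.213.64.1 and the host 10.201.3.20 are constructed placeholders for the masked values in the post.

```python
import ipaddress

# Cisco wildcard-mask semantics: a set bit in the wildcard means "don't care".
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_action(acl, src, dst):
    """acl: list of (action, src_base, src_wc, dst_base, dst_wc).
    First match wins; an ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Original NAT ACL: standard "access-list 1 permit 10.201.3.0 0.0.0.255"
# only tests the source, so the destination is effectively 'any'.
NAT_ORIGINAL = [("permit", "10.201.3.0", "0.0.0.255", *ANY)]

# Tim's NAT-2-INTERNET: exempt LAN-to-remote-office traffic before the permit.
NAT_FIXED = [("deny", "10.201.3.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),
             ("permit", "10.201.3.0", "0.0.0.255", *ANY)]

# Tim's suggested crypto ACL 100 (the encryption domain).
CRYPTO_ACL_100 = [("permit", "10.201.3.0", "0.0.0.255", "10.1.0.0", "0.0.255.255")]

WAN_IP = "210.213.64.1"  # constructed stand-in for the masked 210.213.64.xx

def forward(nat_acl, crypto_acl, src, dst):
    """Return (source address on the wire, encrypted?) for an inside->outside packet."""
    # IOS order of operations: NAT inside-to-outside happens before the crypto check.
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_IP
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    for name, nat in (("ACL 1", NAT_ORIGINAL), ("NAT-2-INTERNET", NAT_FIXED)):
        print(name, "10.201.3.20 -> 10.1.1.10:", forward(nat, CRYPTO_ACL_100, "10.201.3.20", "10.1.1.10"))
```

With the original standard ACL the VPN-bound packet is translated and never encrypted; with the deny line in place it keeps its LAN source, matches ACL 100 and goes into the tunnel, while Internet-bound traffic is still translated.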