IPsec VPN Problem

inderpalsogi
Level 1

We are currently experiencing a very peculiar problem with an IPsec VPN we have set up between 2 sites using Cisco 878 routers connected to 2MB SDSL circuits. The VPN comes up perfectly fine. We can ping across the 2 networks. However, nothing else works. When I try to access a server from one network to the other, I cannot telnet to port 25, 3389 or any other port. The access-list allows full IP. I have tried DrayTek routers to do the VPN and they work, i.e. I can see all the relevant ports and they are open. The problem also occurs when using GRE to create the VPN.

Therefore the Cisco routers are blocking the ports and I cannot see the reason why.

Please can someone help asap. Configs are attached.

27 Replies

more attachments.

last 2 attachments.

Hi,

It seems that the VPN is up and running. You can access site A from site B.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/36 ms

Any problem you have?

rgds

The problem is I have a server at 10.0.1.1 which has ports 25, 3389, 443, 110 open on it. However, from the other site, I cannot telnet to these TCP ports from a command prompt. This tells me that the Cisco routers are blocking these ports. I have implemented this VPN using DrayTek routers and do not have this problem. The Cisco routers seem to be blocking the ports on the VPN. Being able to just ping between the sites is no good for me.

Hi,

Try the following:

! site a and site b
! step 1
no ip nat inside source static tcp 10.0.1.1 80 interface Dialer1 80
no ip nat inside source static tcp 10.0.1.1 3389 interface Dialer1 3389
no ip nat inside source static tcp 10.0.1.1 25 interface Dialer1 25
no ip nat inside source static tcp 10.0.1.1 110 interface Dialer1 110
no ip nat inside source static tcp 10.0.1.1 443 interface Dialer1 443
no ip nat inside source static tcp 10.0.1.1 143 interface Dialer1 143
no ip nat inside source static tcp 10.0.1.1 3000 interface Dialer1 3000
!
! step 2
on 10.0.0.x PC, ping 10.0.1.1
if it works
! step 3
on 10.0.0.x PC, telnet 10.0.1.1

rgds
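The step-3 telnet test above, scripted so that it records how each connect attempt fails rather than just whether it fails. This is an added example, not code from the thread or from Cisco; the host 10.0.1.1 and the port list 25, 110, 443, 3389 are taken from the original poster's reply, while the timeout value and the wording of the diagnosis are assumptions. The useful part is the classification: a "refused" result means the far host answered with a RST, so the tunnel forwards TCP in both directions and only the service is down; a "timeout" on every port while ping succeeds is the signature of something on the path (a NAT translation, crypto ACL or access-list) silently dropping or mistranslating the TCP packets, which is exactly what this thread is chasing.

```python
"""TCP reachability check across a site-to-site VPN (added example, not from the thread).

A plain "telnet host port" only shows connected / not connected. Distinguishing
the failure mode is the diagnostic signal:
  open    -> handshake completed: path and service are fine
  refused -> the host sent a RST: the tunnel carries TCP both ways, the service
             or the host firewall is the problem
  timeout -> no answer at all: something between the LANs drops the TCP packets
             even though ICMP gets through (NAT / crypto ACL / access-list)
Host and ports below come from the thread; the timeout is an assumed value.
"""
import socket
from dataclasses import dataclass

SERVER = "10.0.1.1"              # server named in the original poster's reply
PORTS = (25, 110, 443, 3389)     # ports the poster says are open on it


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    state: str        # "open", "refused", "timeout" or "error"
    detail: str = ""  # OS error text for the "error" state


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt a full TCP three-way handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "open")
    except ConnectionRefusedError:          # RST came back: host is reachable
        return ProbeResult(host, port, "refused")
    except socket.timeout:                  # SYN (or SYN/ACK) never answered
        return ProbeResult(host, port, "timeout")
    except OSError as exc:                  # no route, network unreachable, ...
        return ProbeResult(host, port, "error", str(exc))


def probe_ports(host: str, ports, timeout: float = 3.0) -> list:
    """Probe every port in turn (sequential on purpose: easy to read in a debug)."""
    return [probe_tcp(host, p, timeout) for p in ports]


def diagnose(results) -> str:
    """Summarise what the pattern of results says about the path vs. the host."""
    states = {r.state for r in results}
    if states == {"open"}:
        return "all ports reachable: VPN passes TCP, nothing to fix"
    if states == {"timeout"}:
        return "every probe timed out: TCP is dropped on the path (NAT/crypto/ACL), not by the server"
    if "timeout" not in states and "refused" in states:
        return "host replies with RST: the tunnel forwards TCP, check the services or host firewall"
    return "mixed results: timeouts point at the path, refusals and opens at the host"


if __name__ == "__main__":
    # Run this from a PC on the 10.0.0.x segment after the ping test succeeds.
    res = probe_ports(SERVER, PORTS)
    for r in res:
        print(f"{r.host}:{r.port:<5} {r.state} {r.detail}")
    print(diagnose(res))
```

Run it from a host on the 10.0.0.x side; compare the output with the same run from a host on the 10.0.1.x LAN, where every port should come back "open". If the LAN run is "open" and the cross-VPN run is "timeout" on every port, the server is not at fault and the routers' NAT and crypto processing are the next thing to look at, which is where the static NAT lines on Dialer1 come in.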

Hi

If I remove these ip nat statements, I will not be able to access the server from the public Internet. Is there any other way?

Regards

Indy

Thanks for all the show outputs :-))

At this point in time, I think the best course of troubleshooting is to define an ACL and do a debug ip packet on it to see where the packets are getting dropped. Also, running debugs on a production box may have a lot of impact on the routers, so I would recommend that you test this during non-production hours.

For example

access-list 150 permit ip host 10.0.0.1 host 10.0.1.1
access-list 150 permit ip host 10.0.1.1 host 10.0.0.1

Router#deb ip packet detail 150
IP packet debugging is on (detailed) for access list 150

Regards,

Arul

Hi,

Can you telnet to 10.0.1.1 from the 10.0.0.x segment?

rgds

Hi

Unfortunately I cannot. But I have not tried your advice about removing the static NAT commands yet.

Regards

Indy

Hi,

If you enable the VPN, please do not enable the static NAT. It will cause some issues regarding the services via the internal network, but outsiders (Internet) can access those services without any problem.

rgds

Hi

How will the outsider be able to access those services if there are no NAT statements defined using the dialer interface?

Hi,

Can you telnet to 10.0.1.1 from the 10.0.0.0 segment?

rgds

Hi,

Can you telnet to 10.0.1.1 from the 10.0.0.0 segment? If yes, you may move on to the next step to enable outsiders to access internal.

rgds