OSPF issues or what else?

Galileo59
Level 1

Hello,

I have this network exercise but I found several problems: I cannot access the HTTPS and FTP server, and when I ping, it blocks at the gateway. I also need to create a VPN between R1 and R4; I never did that before. Any help much appreciated!

I attached the pkt file and my conf in a zip file

 

 

 


Hi

You did very well on the config. You made a simple mistake when configuring the servers. You gave them the IP address 10.20.0.1/30 and on the gateway you put 10.20.1.254/30, which means that the server and the gateway were not on the same network.

I changed the server's IP address to 10.20.0.253 and 10.25.0.253 and it is working.

Thx a lot Flavio! How did I miss this? I'll focus more ...

My gateway was 10.20.0.254 and 10.25.0.254

 

Hello,

 

In order to keep the configurations consistent, you can also change the subnet masks of the VLAN subinterfaces on R4 to /24 addresses. That would make sense in the 'real' world also. Then you only need to change the subnet mask on the hosts, and keep the original IP addresses.

 

For the VPN, you cannot use the 2811 routers, as those don't support IPSEC in Packet Tracer. You need to use 4331 routers. In the attached file, I replaced the 2811 routers with 4331 routers. The configurations are identical except obviously for the VPN part (highlighted in bold). Attached the revised file including the VPN.

 

R1#sh run
Building configuration...

Current configuration : 1587 bytes
!
version 16.6.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
ip cef
no ipv6 cef
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 10.3.0.1
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.3.0.1
set transform-set TS
match address VPN_ACL
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.50
encapsulation dot1Q 50
ip address 172.16.50.254 255.255.255.0
!
interface GigabitEthernet0/0/0.55
encapsulation dot1Q 55
ip address 172.16.55.254 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
redistribute static subnets
redistribute connected subnets
network 10.1.0.0 0.0.0.3 area 1
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VPN_ACL
permit ip 172.16.50.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 172.16.55.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 172.16.50.0 0.0.0.255 10.25.0.0 0.0.0.255
permit ip 172.16.55.0 0.0.0.255 10.25.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end




R4#sh run
Building configuration...

Current configuration : 1536 bytes
!
version 16.6.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R4
!
ip cef
no ipv6 cef
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 10.1.0.1
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.0.1
set transform-set TS
match address VPN_ACL
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 10.20.0.254 255.255.255.0
!
interface GigabitEthernet0/0/0.25
encapsulation dot1Q 25
ip address 10.25.0.254 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 10.3.0.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
redistribute static subnets
redistribute connected subnets
network 10.3.0.0 0.0.0.3 area 2
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VPN_ACL
permit ip 10.20.0.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip 10.25.0.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip 10.20.0.0 0.0.0.255 172.16.55.0 0.0.0.255
permit ip 10.25.0.0 0.0.0.255 172.16.55.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
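
An added example, not part of the original posts or of any Cisco tool: a Python check that the two VPN definitions posted above agree with each other, meaning that each router's `set peer` and pre-shared-key address is the address of the other router's crypto-map interface, the keys are equal, and the `VPN_ACL` entries are mirror images. The function names `parse` and `check_pair` are hypothetical, the excerpts are trimmed from the posted R1 and R4 configs, and only the network/wildcard ACL form used in this thread is handled.

```python
# VPN-relevant lines trimmed from the R1 and R4 running configs posted above.
R1 = """crypto isakmp key cisco123 address 10.3.0.1
set peer 10.3.0.1
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.252
crypto map CMAP
permit ip 172.16.50.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 172.16.55.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 172.16.50.0 0.0.0.255 10.25.0.0 0.0.0.255
permit ip 172.16.55.0 0.0.0.255 10.25.0.0 0.0.0.255"""
R4 = """crypto isakmp key cisco123 address 10.1.0.1
set peer 10.1.0.1
interface GigabitEthernet0/0/1
ip address 10.3.0.1 255.255.255.252
crypto map CMAP
permit ip 10.20.0.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip 10.25.0.0 0.0.0.255 172.16.50.0 0.0.0.255
permit ip 10.20.0.0 0.0.0.255 172.16.55.0 0.0.0.255
permit ip 10.25.0.0 0.0.0.255 172.16.55.0 0.0.0.255"""

def parse(cfg):
    # Collect key, peer, local tunnel address and crypto ACL (network/wildcard form only).
    f, last_ip = {"acl": set()}, None
    for w in map(str.split, cfg.splitlines()):
        if w[:3] == ["crypto", "isakmp", "key"]:
            f["key"], f["key_peer"] = w[3], w[5]
        elif w[:2] == ["set", "peer"]:
            f["peer"] = w[2]
        elif w[:2] == ["ip", "address"]:
            last_ip = w[2]
        elif w[:2] == ["crypto", "map"] and len(w) == 3:
            f["local"] = last_ip  # address of the interface carrying the crypto map
        elif w[:2] == ["permit", "ip"]:
            f["acl"].add((tuple(w[2:4]), tuple(w[4:6])))
    return f

def check_pair(a, b):
    # Each side must share the key, name the other's tunnel interface, and mirror its ACL.
    problems = []
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if {x["peer"], x["key_peer"]} != {y["local"]}:
            problems.append(f"peer/key address {x['peer']} is not the remote crypto-map interface {y['local']}")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems

print(check_pair(parse(R1), parse(R4)) or "R1/R4 VPN definitions are consistent")
```
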

Galileo59
Level 1

Hello Georges,

Still problems, I cannot ping the VPN from 172.... Thx for your help

Hello,

 

I can ping from e.g. 172.16.50.1 to 10.20.0.1 and 10.25.0.1, and vice versa. From which source IP address to which destination IP address can you not ping?

Galileo59
Level 1

I can't ping from 172.16.50.1 to 10.20.0.1 or 10.25.0.1 but I can ping from 192.168... to 10.20.0.1 or 10.25.0.1 .

I need to do the opposite

I can't ping from 172.... to 8.8.8.8 but I can from 192.168..... I have no clues...

 

 

Could you check my conf? I don't see where the mistake is.

172.16 needs to access 10.20 and 10.25

10.20 and 10.25 cannot access other networks or 8.8.8.8, except 172.16 through the VPN

192 and 172 need to access the Internet 8.8.8.8

 

Hello,

 

ping works here (see image attached). I'll check your file...

Hello

Thx for your help, because I'm really confused. I think it has to do with the ACL, but I'm mixing it up so badly.

The ACL was one of the things that were wrong. Did you open my file? It contains the correct configs...

Hello,

 

I opened your file, it contains many mistakes. The NAT configuration is incomplete, and the VPN is configured wrong. Use the file attached, which is a revised version of the one I sent you earlier, including the NAT part.

 

 

Dear Georg,

Thank you so much, I made quite significant errors indeed. I need to practice ACL and NAT rules more, it is not in me yet.

Best regards,

 

Hello,

 

Practice makes perfect, you are definitely on the right track. The VPN stuff can be a bit confusing, especially in combination with NAT, but once you figure it out, it all starts to make sense...