08-06-2019 06:57 AM
Hi good day
I want to ask you a favor: can you help me with the VPN connection? When I ping the gateway 181.53.244.1 I have a connection, but between the LANs there is no connection. What could I be doing wrong? My router is a Cisco 1100 series. Thanks for your help.
!
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key c4l1wer address 181.53.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.53.244.1
set transform-set TS-VPN
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended vpn
!
access-list 13 permit 192.168.13.0 0.0.0.255
08-06-2019 07:07 AM
Hello unidadso,
you need to avoid NATing traffic from the LAN to the remote LAN.
Your NAT configuration is using a standard ACL, so it is triggered even for VPN-related traffic.
>>
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
You should use an extended ACL with a deny statement for LAN-to-LAN traffic:
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
no ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
This should fix your issues
Hope to help
Giuseppe
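As an added example (not code from the thread or from Cisco), the following Python models IOS first-match ACL evaluation and checks, for the ACLs quoted in this thread, whether a LAN-originated flow would be NATed before it can match the crypto map. The sample flow addresses are constructed.

```python
import ipaddress
# Added example, not code from the thread: IOS-style first-match ACL evaluation to check NAT exemption.
ANY = ipaddress.ip_network("0.0.0.0/0")

def take_net(tok):
    """Consume 'any' or 'addr wildcard' (IOS wildcard mask) from the token list."""
    if tok[0] == "any":
        tok.pop(0)
        return ANY
    addr, w = tok.pop(0), int(ipaddress.IPv4Address(tok.pop(0)))
    prefix = 32 - w.bit_length()  # contiguous wildcard only: 0.0.0.255 -> /24
    if w != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard masks are not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acl(lines):
    """Parse 'permit|deny [ip] SRC [DST]' entries; a standard ACL has no DST."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok.pop(0)
        if tok[0] == "ip":
            tok.pop(0)
        src = take_net(tok)
        entries.append((action, src, take_net(tok) if tok else ANY))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in entries if s in src and d in dst), "deny")

def nat_verdict(nat_acl, crypto_acl, src, dst):
    """LAN-originated flow: VPN traffic must escape NAT, everything else must be NATed."""
    in_vpn = acl_action(crypto_acl, src, dst) == "permit"
    natted = acl_action(nat_acl, src, dst) == "permit"
    if in_vpn and natted:
        return "BUG: VPN traffic is NATed and no longer matches the crypto ACL"
    if not in_vpn and not natted:
        return "BUG: internet traffic leaves with its private source address"
    return "ok"

def check_nat_exemption(nat_acl, crypto_acl, lan_flows):
    return {flow: nat_verdict(nat_acl, crypto_acl, *flow) for flow in lan_flows}

CRYPTO_ACL = parse_acl(["permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255"])  # ACL VPN
NAT_ACL_13 = parse_acl(["permit 192.168.13.0 0.0.0.255"])  # original standard ACL 13
NAT_ACL_113 = parse_acl(["deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255",
                         "permit ip 192.168.13.0 0.0.0.255 any"])  # suggested extended ACL 113
LAN_FLOWS = [("192.168.13.10", "192.168.5.20"), ("192.168.13.10", "8.8.8.8")]  # constructed
```

Running the check with the later mis-typed ACL 113 (`permit ip 192.168.5.0 0.0.0.255 any`) flags the internet flow, which matches the loss of internet access reported further down the thread.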
08-06-2019 10:26 AM
It does not let me delete the NAT from the interface:
ciscuso(config)no ip nat inside source list 13 interface gigabitEthernet 0/0/$
%Dynamic mapping in use, cannot remove
ciscuso(config)
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
08-06-2019 11:10 AM
Hello,
remove the inside NAT statement:
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
--> no ip nat inside
negotiation auto
Then clear the NAT translations:
ciscuso#clear ip nat translation *
Then remove the NAT statement:
ciscuso(config)#no ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
and replace it with the new NAT statement:
ciscuso(config)#ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
and add the 'ip nat inside' back on the GigabitEthernet0/0/1 interface...
08-06-2019 12:06 PM
08-06-2019 12:21 PM - edited 08-06-2019 02:25 PM
After doing the suggested configuration I still have no connection between the LANs.
ciscuso#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
ciscuso#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.70
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.53.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 181.143.239.70, remote crypto endpt.: 181.53.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.53.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 181.143.239.70, remote crypto endpt.: 181.53.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ciscuso#
ciscuso#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
ciscuso#ping 181.53.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.53.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms
ciscuso#ping 181.53.244.106
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.53.244.106, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ciscuso#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.53.244.1 port 500
IPSEC FLOW: deny ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: (unknown)
Session status: DOWN-NEGOTIATING
Peer: 181.52.244.105 port 500
Session ID: 0
IKEv1 SA: local 181.143.239.70/500 remote 181.53.244.106/500 Inactive
08-07-2019 01:07 PM
08-07-2019 01:49 PM
Hello,
add the lines in bold to your configuration and check if that makes a difference. Also remove the route map and use the list in your NAT statement:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
reverse-route remote peer 181.52.244.1
match address VPN
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
08-07-2019 04:49 PM - edited 08-07-2019 04:50 PM
Hello
Nothing, my friend. I did the configuration you propose and it still has no connection with the LAN.
08-07-2019 07:22 PM
08-07-2019 11:08 PM
The most recent debug output creates additional confusion. What the debug shows is an attempt to negotiate a vpn from address 203.91.118.180. You do not have anything in your configuration about this device and so the negotiation fails. Do you have any idea what this device is and why it is attempting to negotiate vpn with your router?
I will attempt to explain the problem again since you do not seem to understand my previous effort to identify the problem. Your 1100 router is using the wrong IP address for its remote vpn peer. It is using 181.52.244.1 and it should be using 181.52.244.105. I think perhaps you are confused by some terminology. You have been saying that 181.52.244.1 is the gateway and for the rv042g that is correct. But that is not the address that your 1100 should peer with. Perhaps the confusion starts from the way that the rv042g describes the vpn as gateway to gateway. In that context gateway is equivalent to router and it is saying that the vpn is router to router or perhaps that it is site to site. (the alternative vpn would be client to router vpn for remote access vpn) If it were truly gateway to gateway then it would be between 181.52.244.1 and 181.143.239.65.
Please change the address used in the 1100 config to 181.52.244.105 and let us know if the behavior changes.
HTH
Rick
08-08-2019 12:12 AM
Hello,
post a screenshot of the VPN summary page on the RV042 (VPN --> Summary), as shown on page 126 of the attached admin guide...
08-08-2019 04:49 AM
08-08-2019 08:23 AM
The original poster has given us the screenshot of the vpn summary page as requested. It shows some useful details but fails to show the most important detail. That detail is included in a post on 8/7 at 12:14 which shows the vpn Gateway to Gateway details. That screen shot clearly shows that the Local Security Gateway is 181.52.244.105 and the Local Lan is 192.168.5.0/24. It also shows that the Remote Security Gateway is 181.143.239.68 and the Remote Lan is 192.168.13.0/24. This confirms what I have been saying which is that the 1100 should not use 181.52.244.1 as the peer address and should use 181.52.244.105 as the peer address.
HTH
Rick
08-08-2019 05:10 PM - edited 08-08-2019 07:57 PM
@Richard Burts wrote:The original poster has given us the screenshot of the vpn summary page as requested. It shows some useful details but fails to show the most important detail. That detail is included in a post on 8/7 at 12:14 which shows the vpn Gateway to Gateway details. That screen shot clearly shows that the Local Security Gateway is 181.52.244.105 and the Local Lan is 192.168.5.0/24. It also shows that the Remote Security Gateway is 181.143.239.68 and the Remote Lan is 192.168.13.0/24. This confirms what I have been saying which is that the 1100 should not use 181.52.244.1 as the peer address and should use 181.52.244.105 as the peer address.
HTH
Rick
Hi good day
In summary, I made the suggested configuration and it was totally without access to the LAN and to the internet. I am sending the changed configuration:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN-10
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
Router>enable
Router#ping 192.168.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!
Success rate is 0 percent (0/5)
Router#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/49/84 ms
Router#ping 181.52.244.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.105, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 182.165.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 182.165.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#deb
Router#debug is
Router#debug cry
Router#debug crypto is
Router#debug crypto isakmp
Crypto ISAKMP debugging is on
Router#show cry
Router#show crypto isa
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Router#show crypto ipse
Router#show crypto ipsec sa
No SAs found
Router#show crypto se
Router#show crypto session
08-09-2019 01:32 AM
Hello,
your access lists are completely wrong again. I am not sure why you keep changing them. They need to be:
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any