Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2986
Views
0
Helpful
0
Replies

Site to Site VPN - Cisco 1720 ADSL - Cisco 861

jack
Level 1
Level 1

‎01-25-2011 01:31 PM - edited ‎03-06-2019 03:11 PM

Hello,

I set up a site to site VPN in my lab with these two routers and it worked.  The setup looked like this:

1720 e0 ------------- switch ---------------- f4 861

The outside interfaces were e0 and f4 respectively.  Their IP addresses were mirrored in the crypto section of each router.  Clients were able to ping from the subnet behind the 1720 to the subnet behind the 861 without any trouble.  These tranmissions were encrypted using aes 256.

NOW, I took the Cisco 1720 to my house and installed an ADSL wic.  I configured the WIC to function properly with my ISP, and hosts are able to access the internet.  I am also able to access the inside of this network from the outside on the ports that I left open.  It works very well.

I left my 861 at the lab, and I put it behind an internet gateway and specified in the gateway that the 861 is DMZ'd.  I am able to ping the 861 and ssh into it from the internet.  The 1720 and 861 are both currently able to ping each other over the internet.  Here is the current diagram:

(192.168.1.1)f0 1720 Dialer0(12.12.12.220)---INTERNET-(continued on next line)

(from previous line)-INTERNET--(11.11.11.99) Gateway (10.10.10.222) f4 861 Vlan1/f0 (10.200.200.1)

Now when I ping from the 861 to the 1720 using "ping 192.168.1.1 source 10.200.200.1" I get no replies, but the VPN light turns on on the 861 router.

When I do the opposite from the 1720 to the 861 "ping 10.200.200.1 source 192.168.1.1" I also get not replies, and no VPN light turns on the 861.

Both routers can ping each other via the outermost ip addresses:  12.12.12.220 and 11.11.11.99

I must have changed something in my config that caused this.  Please help if you can!

Cisco 1720 Router:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 !lqjw#51n3lk4j1$@
enable password bigcat
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
!
!
ip domain name Router1720.com
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool dpool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 208.67.222.222 208.67.220.220
   domain-name Router1720.com
!
ip cef
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
  protocol pppoe
!
!
!
no crypto engine accelerator
username admin secret 5 $1$12390ajlkljh230923cfhggc2hd
username dude secret 5 $1$QWaJKhebKjbebBieowbqg28b31$
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key qawkljehrqlkweufhiqa address 11.11.11.99
!
crypto isakmp client configuration group HOME
key rlwekrjwn
dns 208.67.222.222
domain Routervpn.com
pool CLIENT_ADDRESSES
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN1_SET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 1
set transform-set VPN1_SET
reverse-route
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 11.11.11.99
set transform-set vpnset
match address 100
!
crypto map CLIENT_VPN client authentication list LOCAL_DB
crypto map CLIENT_VPN isakmp authorization list LOCAL_DB
crypto map CLIENT_VPN client configuration address respond
crypto map CLIENT_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface Ethernet0
ip address 192.168.10.70 255.255.255.0
ip nat outside
full-duplex
crypto map CLIENT_VPN
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username myemailaddress@domain.com password 0 blahblah
crypto map vpnset
!
ip local pool CLIENT_ADDRESSES 192.168.1.30 192.168.1.39
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 19987 interface Dialer1 19987
ip nat inside source static udp 192.168.1.10 1194 interface Dialer1 1194
ip nat inside source static udp 192.168.1.10 1195 interface Dialer1 1195
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http secure-server
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.200.201.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 10.200.201.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password yyyyykkkkk1
transport input ssh
!
end

CISCO 861 Router:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router800
!
boot-start-marker
boot-end-marker
!
enable secret 5 $3%lk23lqkj05qlskjfqlw4n
enable password bigcat
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
!
ip dhcp excluded-address 10.200.200.1 10.200.200.100
!
ip dhcp pool dpool1
   import all
   network 10.200.200.0 255.255.255.0
   dns-server 208.67.222.222 208.67.220.220
   domain-name Router800.com
   default-router 10.200.200.1
!
!
ip cef
ip domain name Router800.com
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key qawkljehrqlkweufhiqa address 12.12.12.220
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 12.12.12.220
set transform-set vpnset
match address 100
!
!
interface Loopback0
ip address 10.200.201.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
ip address 10.10.10.222 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnset
!
interface Vlan1
ip address 10.200.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip dns server
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
access-list 100 permit ip 10.200.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.200.201.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 10.200.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.200.200.0 0.0.0.255 any
access-list 101 deny   ip 10.200.201.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
end

Thank you for looking at this.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card