Site to Site VPN is up but no traffic gets through.

Flyberius
Level 1

Hi there.  I'm sure this comes up a lot, but I am tearing my hair out and don't have the required Cisco skills to troubleshoot this problem.  I am hoping someone here may spot what is wrong in my configuration.

Using the Cisco Configuration Professional software I have created a site-to-site VPN connection (between a Cisco 1841 and 1811).

The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this, but I can't see what is wrong with them.

Just so you know, the 1841 device already has a functioning VPN tunnel to another site, in case that confuses anyone.  The peers I am concerned about are 141.0.59.x and 109.238.78.x.

Many thanks.


Flyberius
Level 1

Actually it may be working.  I might be being a bit dense.  I didn't consider which address my router was pinging from when I tested this.  Fingers crossed, it looks like it's actually working.

Hello Haydn,

I just went through both configurations and they both look perfect (crypto ACLs, NAT, IPsec parameters, ISAKMP parameters, etc.).

Let me know if this is indeed working or if you need some assistance, as I will require you to run some debugs.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi there

I agree with Julio (5 stars), so far so good.

Let us know if you run into any issues.

Rate any post you find useful.

Thanks for the replies.

Seems there may still be some issues.  Once this VPN connection is created, machines on the local subnets lose their ability to communicate with the internet.  It seems they are only able to communicate over the local subnet and the site-to-site VPN.

Very odd.

I will have a chance to test it properly tomorrow, once I am onsite.

Hello Haydn,

On which router does that happen (users cannot communicate across the internet), so we can focus and work on that?

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It appears to be happening on both the routers.  I am going to double-check this later tonight.  Unfortunately, as one of the offices is live, I cannot play around with this during the day.

Many thanks again for your help.

Fabio Francisco
Level 1

Hey,

Your problem may be related to your routing table.

Looking at the config of the 1811 router, you have "ip route 0.0.0.0 0.0.0.0 141.0.59.x", which is correct for internet traffic.

Try pinging a public IP using the internal interface as source, like "ping 8.8.8.8 source FastEthernet1", and see if it works.

If it isn't the routing, I guess it will be an access list that you created while creating the VPN.

HTH,

Fabio

Hi,

I agree with Fabio.

The routing portion seems to be OK; unless I am overlooking something, it should be working fine.

Please try it and let me know.

Interestingly, I tried the site-to-site again today and the 1811 device could quite happily communicate over the VPN and over the WAN.  Only the 1841 was having problems.  Could you look at the configuration of the routing on the 1841 device?  I didn't actually configure this one (it was originally managed by the ISP) and it all looks rather messy.  Unfortunately the ISP now refuse to touch the thing, which is rather nightmarish.

Hi Haydn,

You have the following:

ip access-list extended port-forwards
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!

Not sure why you have the whole network in there with the any keyword; you'd better create a static one-to-one translation.

Could you please take it out and give it a try?

ip access-list extended port-forwards
 no permit ip 192.168.1.0 0.0.0.255 any

Thanks in advance.
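As an added example (not part of the thread and not anyone's posted config), here is a small Python check for the pattern Julio is pointing at: every flow the crypto ACLs select for IPsec must hit a deny in the NAT ACL first, otherwise the packets are translated before encryption and never match the tunnel. The NAT ACL is the one quoted above; the crypto ACL entries are constructed, and the 192.168.2.0/24 subnet standing in for the 1841's pre-existing tunnel to the other site is an assumption, since the thread does not show it.

```python
import ipaddress

def _take_net(tokens):
    """Consume one IOS address spec ('any' or 'ADDR WILDCARD') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # Contiguous wildcard mask -> prefix length: 0.0.0.255 has 8 host bits, so /24
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse the 'permit|deny ip SRC DST' lines of an IOS extended ACL into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue  # 'ip access-list' header, '!', or a tcp/udp form this toy parser ignores
        src, rest = _take_net(parts[2:])
        dst, _ = _take_net(rest)
        entries.append((parts[0], src, dst))
    return entries

def verdict(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"

def nat_leaks(nat_acl, crypto_acl):
    """Crypto-ACL flows the NAT ACL would translate before IPsec sees them (probed by network address)."""
    return [f"{s} -> {d}" for action, s, d in crypto_acl
            if action == "permit" and verdict(nat_acl, str(s[0]), str(d[0])) == "permit"]

# NAT ACL exactly as quoted in the thread, and the same ACL with the permit line removed.
NAT_BEFORE = """ip access-list extended port-forwards
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!"""
NAT_AFTER = NAT_BEFORE.replace(" permit ip 192.168.1.0 0.0.0.255 any\n", "")
# Constructed crypto ACLs (the thread does not show them): the new tunnel to 192.168.3.0/24
# and the 1841's pre-existing tunnel to another site, assumed here to be 192.168.2.0/24.
CRYPTO = """permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""

if __name__ == "__main__":
    print("before:", nat_leaks(parse_acl(NAT_BEFORE), parse_acl(CRYPTO)))
    print("after: ", nat_leaks(parse_acl(NAT_AFTER), parse_acl(CRYPTO)))
```

Only the flow to the new site is exempted by the existing deny line; the second tunnel's traffic falls through to "permit ... any" and is translated. After the permit line is removed, no internet-bound flow matches this ACL either, which is why Julio pairs the removal with a static one-to-one translation.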

You sir are a gentleman and a scholar.  I think I want to have your babies.

I will mark yours as the answer in a few minutes.  Once I know I'm not seeing things.

Wow what a nice comment!!! :$ hahaha

Feel free to count on us at any time ;-)

Take care
