2006 Views | 5 Helpful | 7 Replies

Site to site VPN not working on Cisco 881

jsandau (Level 1)

I have two problems with a Cisco 881. The first problem is that Vlan2 (192.168.5.xx) can't get to the outside internet, but I know that the router has internet, because I can ping the external IP address. The second problem is that I have a site-to-site set up, but when I test the site-to-site I get this error:

the tunnel traffic destination must be routed through the crypto map interface. The following destination(s) does not have a routing entry in the routing table
192.168.2.0

 

I copied the config for this router from another working Cisco 881, where everything is working. The only difference is that this router needs a site-to-site VPN connection.

My question is: how can I get internet on Vlan2, and how can I fix the site-to-site connection?

Here is the running config:


Building configuration...

Current configuration : 12698 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1151531093
 revocation-check none
 rsakeypair TP-self-signed-1151531093
!
crypto pki trustpoint TP-self-signed-2011286623
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2011286623
 revocation-check none
 rsakeypair TP-self-signed-2011286623
!
!
crypto pki certificate chain TP-self-signed-1151531093
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313531 35333130 3933301E 170D3135 30343031 31363230
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353135
  33313039 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 37697253 98CD84A7 A7EF2520
  0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
  FBC048F3 02391432 063EBBC5 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
  547469A2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D 364639B4 A3843F12
  0B090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D06
  03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300D0609
  2A864886 F70D0101 05050003 8181002A 677B9BE6 CB60D188 73227C4B 2DC33101
  BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
  22100B63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
  3A1EC9BE 8431BD70 6935B451 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005
  EB31DB3F A9BA6D70 65B70D19 D00158
        quit
crypto pki certificate chain TP-self-signed-2011286623
no ip source-route
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.5.1 192.168.5.49
ip dhcp excluded-address 192.168.5.150 192.168.5.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool Internet
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 dns-server 64.59.135.133 64.59.128.120
 lease 0 6
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 64.59.135.133
ip name-server 64.59.128.120
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
archive
 log config
  hidekeys
username **** privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username **** secret 5 $1$17ST$QzJMvQnZ9Q.1y7u0rYXFa0
username **** secret 5 $1$L4W9$zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
 key ****
 pool VPN_IP_POOL
 acl 100
 include-local-lan
 max-users 10
 netmask 255.255.255.0
 banner ^CYou have entered the Domain

 

This area is restricted to Control Systems Administrators.

If you are here by mistake, please disconnect immediately.

 

You have full access to 192.168.125.0 / 0.0.0.255

 

 

Press continue to begin your session.              ^C
!
crypto isakmp client configuration group PALL
 key ****
 pool VPN_IP_POOL_PALL
 acl 101
 include-local-lan
 max-users 1
 netmask 255.255.255.0
 banner ^CYou have entered the Domain

 

This area is restricted to PALL access only.

If you are here by mistake, please disconnect immediately.

 

You have full access to 192.168.125.0 / 0.0.0.255

 

 

Press continue to begin your session.            ^C
crypto isakmp profile vpn_isakmp_profile
   match identity group MPE
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
crypto isakmp profile vpn_isakmp_profile_2
   match identity group PALL
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN_PROFILE_MPE
 set security-association idle-time 3600
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile
!
crypto ipsec profile VPN_PROFILE_PALL
 set security-association idle-time 1800
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile_2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.98.212.xx
 set peer 208.98.212.xx
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.254 255.255.255.0
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface FastEthernet4
 ip address 208.98.213.xx 255.255.255.224
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_MPE
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_PALL
!
interface Vlan1
 description Control Network
 ip address 192.168.125.254 255.255.255.0
 ip access-group CONTROL_IN in
 ip access-group CONTROL_OUT out
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Internet Network
 ip address 192.168.5.254 255.255.255.0
 ip access-group INTERNET_IN in
 ip access-group INTERNET_OUT out
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.xx permanent
!
ip access-list extended CONTROL_IN
 remark Control Access
 remark CCP_ACL Category=17
 permit udp any host 192.168.125.254 eq non500-isakmp
 permit udp any host 192.168.125.254 eq isakmp
 permit esp any host 192.168.125.254
 permit ahp any host 192.168.125.254
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN Access
 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
 remark VNC Access
 permit tcp host 192.168.125.2 eq 25000 any
 remark Email for WIN911
 permit tcp host 192.168.125.2 any eq smtp
 remark DNS traffic
 permit udp host 192.168.125.2 host 64.59.135.133 eq domain
 permit udp host 192.168.125.2 host 64.59.128.120 eq domain
 remark Block Everything Else
 deny   ip any any
ip access-list extended CONTROL_OUT
 remark Control Access
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN Access
 permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VNC Access
 permit tcp any host 192.168.125.2 eq 25000
 remark Email for WIN911
 permit tcp any eq smtp host 192.168.125.2
 remark DNS replies
 permit udp any eq domain host 192.168.125.2
 remark Deny all other traffic
 deny   ip any any
ip access-list extended INTERNET_IN
 remark VNC access across VLANs
 permit tcp any host 192.168.125.2 eq 25000
 remark Block all other control and VPN
 deny   ip any 192.168.125.0 0.0.0.255
 deny   ip any 192.168.40.0 0.0.0.255
 remark Allow all other traffic
 permit ip any any
ip access-list extended INTERNET_OUT
 remark Complete Access for Internet Outgoing
 permit ip any any
ip access-list extended WAN_IN
 permit ip host 207.229.14.xx any
 remark PERMIT ESTABLISHED TCP connections
 permit tcp any eq smtp any established
 remark PERMIT DOMAIN CONNECTIONS
 permit udp host 64.59.135.133 eq domain any
 permit udp host 64.59.128.120 eq domain any
 remark PERMIT ICMP WARNING RETURNS
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 deny   icmp any any
 permit ip any any
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
access-list 1 remark Routing out to WAN
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 23 remark SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 permit any
access-list 100 remark VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN traffic for PALL
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any
access-list 111 remark CCP_ACL Category=17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 permit esp any host 208.98.213.xx
access-list 111 permit ahp any host 208.98.213.xx
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 permit esp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------


Disconnect IMMEDIATELY if you are not an authorized user
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 password ****
 transport input telnet ssh
 transport output all
line vty 5 15
 access-class 160 in
 password ****
 transport input all
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end

 

 

Thanks.

7 Replies

Hello,

 

I saw the configuration regarding the issue of the internet:

 

route-map SDM_RMAP_1 permit 1
 match ip address 103

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any

interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address

interface Vlan2
 description Internet Network
 ip address 192.168.5.254 255.255.255.0
 ip access-group INTERNET_IN in
 ip access-group INTERNET_OUT out
 ip nat inside
 ip virtual-reassembly in

ip access-list extended INTERNET_IN
 remark VNC access across VLANs
 permit tcp any host 192.168.125.2 eq 25000
 remark Block all other control and VPN
 deny   ip any 192.168.125.0 0.0.0.255
 deny   ip any 192.168.40.0 0.0.0.255
 remark Allow all other traffic
 permit ip any any

ip access-list extended INTERNET_OUT
 remark Complete Access for Internet Outgoing
 permit ip any any

 

- Could you please place "ip nat inside" on the physical interfaces that have been assigned to VLAN 2?

- Also, let's temporarily remove the access groups, just in case.

- Try to access the internet and make sure the private address is being translated by running: show ip nat translation

 

For the L2L,

 

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.98.212.xx
 set peer 208.98.212.xx
 set transform-set ESP-3DES-SHA
 match address 102

 

access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255

 

I reviewed the configuration and everything looks fine. You may run debugs on this router to see if phase 1 and phase 2 are completed.

 

Debugs:

debug crypto isakmp

debug crypto ipsec

 

Show commands to check the status of the L2L:

- show crypto isakmp sa

- show crypto ipsec sa

 

You may attach those results with your analysis so we can see what may be going on.


 

Please proceed to rate this post and mark it as correct!

 

David Castro,

 

Regards

I deleted the site-to-site VPN and recreated it, and now it works, so that solves that problem. But when I try to assign ip nat inside to FastEthernet2 and FastEthernet3 I get this error:

"Invalid input detected at ^ marker." The ^ is at the "nat" in the command "ip nat inside".

Hi,

 

I see. Are you able to see the IP NAT translations when trying to go from any of those interfaces to the internet? Try first using ICMP to 8.8.8.8 and then browsing; do any of those work?

 

Make sure there is no WebSense doing any filtering of the traffic.

 

David Castro,

Regards

This is what I get when I run show ip nat translation:

Pro Inside global      Inside local       Outside local      Outside global
udp 208.98.213.xx:49514 192.168.5.50:49514 64.59.114.xx:53  64.59.114.xx:53
udp 208.98.213.xx:49514 192.168.5.50:49514 64.59.113.xx:53  64.59.113.xx:53
udp 208.98.213.xx:58425 192.168.5.50:58425 64.59.114.xx:53  64.59.114.xx:53
udp 208.98.213.xx:58425 192.168.5.50:58425 64.59.113.xx:53  64.59.113.xx:53
udp 208.98.213.xx:64414 192.168.5.50:64414 64.59.114.xx:53  64.59.114.xx:53
udp 208.98.213.xx:64414 192.168.5.50:64414 64.59.113.xx:53  64.59.113.xx:53
tcp 208.98.213.xx:25000 192.168.125.2:25000 ---              ---

From a computer that is hooked up to the 192.168.5.xx subnet I can ping 8.8.8.8 but can't ping google.com. This also applies to the Cisco 881 itself. I can ping 8.8.8.8 from the router, but when I try to ping google.com I get: "Unrecognized host or address, or protocol not running."

 

There is no WebSense or any other such filter in place.

It seems that DNS is failing, because it is indeed getting to the internet, but it does not work when resolving DNS to the internet.

Go ahead and try to ping 157.166.226.25, and then in the browser http://157.166.226.25/; that is CNN.com. Let's try with those. Also, just in case, set up DNS on your router.

 

- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

 

Also disable any ZBF just in case. 

 

David Castro,

 

Regards,

I figured it out. DNS servers were configured, but DNS itself wasn't enabled on the router. So once I added the command ip DNS lookup, everything worked.

 

Thanks for your help.
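
The three things this thread ends up checking by hand can be checked offline against a saved copy of the config: whether every destination in the crypto map's match ACL is routed out of the interface that carries the crypto map (the CCP complaint in the original question), whether the NAT route-map ACL denies the tunnel traffic before its PAT permit (otherwise the source is translated and the crypto ACL never matches), and whether the router has name servers configured while name resolution is disabled (the "no ip domain lookup" line that turned out to be the internet problem). The script below is an added example written for this page; it is not Cisco tooling and not the poster's own config. It works on a constructed excerpt of the posted config in which the masked public octets ("xx") are replaced with placeholder values, and it assumes numbered extended ACLs with contiguous wildcard masks, a single crypto map applied to one interface, and a simplified first-overlapping-entry rule for NAT ACL evaluation.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config; masked public octets ("xx") are placeholders here.
CONFIG = """\
no ip domain lookup
ip name-server 64.59.135.133
interface FastEthernet4
 crypto map SDM_CMAP_1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 102
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
route-map SDM_RMAP_1 permit 1
 match ip address 103
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.1 permanent
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any
"""

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (assumes a contiguous wildcard mask)."""
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def _endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from an ACL entry; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    addr, wc = (tokens[1], "0.0.0.0") if tokens[0] == "host" else (tokens[0], tokens[1])
    return wildcard_to_network(addr, wc), tokens[2:]

def parse_acls(config):
    """Numbered extended ACL 'ip' entries -> {number: [(action, src, dst), ...]} in config order."""
    acls = {}
    for num, action, rest in re.findall(r"^access-list (\d+) (permit|deny)\s+ip\s+(.+)$", config, re.M):
        src, rest = _endpoint(rest.split())
        acls.setdefault(num, []).append((action, src, _endpoint(rest)[0]))
    return acls

def parse_static_routes(config):
    """'ip route NET MASK X ...' -> [(network, X if X names an interface, else None)]."""
    routes = []
    for net, mask, via in re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        egress = None if re.fullmatch(r"[\d.]+", via) else via  # next-hop-only routes would need recursion
        routes.append((ipaddress.IPv4Network(f"{net}/{mask}", strict=False), egress))
    return routes

def crypto_pairs(config, map_name="SDM_CMAP_1"):
    """(interface carrying 'crypto map <name>', [(src, dst)] permitted by its 'match address' ACLs)."""
    iface, current, inside, nums = None, None, False, []
    for line in config.splitlines():
        inside = line.startswith(f"crypto map {map_name} ") or (inside and line.startswith(" "))
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" ") and line.strip() == f"crypto map {map_name}":
            iface = current
        elif inside and line.strip().startswith("match address "):
            nums.append(line.split()[-1])
    acls = parse_acls(config)
    return iface, [(s, d) for n in nums for a, s, d in acls.get(n, []) if a == "permit"]

def check_crypto_routing(config):
    """The CCP complaint: each tunnel destination must route out the interface holding the crypto map."""
    iface, pairs = crypto_pairs(config)
    routes, findings = parse_static_routes(config), []
    for _src, dst in pairs:
        best = max((r for r in routes if dst.subnet_of(r[0])), key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            findings.append(f"no route for {dst}")
        elif best[1] != iface:
            findings.append(f"{dst} routes via {best[1] or 'a next hop'}, not {iface}")
    return findings

def check_nat_exemption(config):
    """Tunnel pairs must hit a covering 'deny' in the NAT ACL first; a 'permit' means PAT rewrites the source."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    acl = rm and re.search(rf"^route-map {rm.group(1)} permit \d+\n match ip address (\d+)", config, re.M)
    nat_acl, findings = parse_acls(config).get(acl.group(1), []) if acl else [], []
    for src, dst in crypto_pairs(config)[1]:
        for action, nsrc, ndst in nat_acl:  # first overlapping entry decides (simplified IOS semantics)
            if nsrc.overlaps(src) and ndst.overlaps(dst):
                if action == "permit" or not (src.subnet_of(nsrc) and dst.subnet_of(ndst)):
                    findings.append(f"{src} -> {dst} is translated by NAT ACL {acl.group(1)}; deny it before the permit")
                break
    return findings

def check_dns(config):
    """Name servers configured while 'no ip domain lookup' disables resolution on the router itself."""
    if re.search(r"^ip name-server ", config, re.M) and re.search(r"^no ip domain[- ]lookup", config, re.M):
        return ["'no ip domain lookup' is set: the router will not resolve names; enable 'ip domain lookup'"]
    return []

def lint(config):
    return check_dns(config) + check_crypto_routing(config) + check_nat_exemption(config)
```

On the constructed excerpt only the DNS finding fires, which matches how the thread ends: the crypto ACL destination is covered by the default route out FastEthernet4, and ACL 103 denies the 192.168.5.0/24 to 192.168.2.0/23 pair before the PAT permit. Deleting that deny line, or the default route, produces the corresponding finding, which is the quick way to confirm a recreated tunnel did not lose its NAT exemption.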

It was a pleasure to help you on this; now you have the VPN up and the internet connection is working as well. Could you proceed to rate all of the helpful posts?

If you have any questions you can let me know!

 

David Castro,

 

Regards,
