12-19-2016 11:45 AM - edited 02-21-2020 09:06 PM
Hi All,
Just joined, and I'm quite new to Cisco, so this is probably an easy one... I hope.
I've set up a site-to-site VPN between a Cisco 800 router and a Draytek 2960. The tunnel is up and active; however, I cannot ping/access any resources from either end. The internal subnet on the Cisco side is 172.18.0.0/16 and the Draytek side is 172.16.0.0/16.
Here is my config, very basic so hoping it's a simple fix. I need to brush up on my Cisco ACL/NAT configuration!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address (External IP of Draytek)
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer (External IP of Draytek)
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 40
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 172.18.10.250 255.255.0.0
ip access-group OUTBOUND in
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
description WAN
ip address (External IP) 255.255.255.252
ip access-group INBOUND in
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Vlan40 overload
ip nat inside source list NAT interface Vlan40 overload
ip nat inside source static tcp 172.18.10.30 25 interface Vlan40 25
ip nat inside source static tcp 172.18.10.31 25 87.242.146.165 25 extendable
ip nat inside source static 172.18.10.11 87.242.146.166
ip route 0.0.0.0 0.0.0.0 (ISP IP)
!
ip access-list extended INBOUND
permit udp host 88.215.55.97 any eq 5060
permit tcp host 88.215.55.97 any eq 5060
deny udp any any eq 5060
deny tcp any any eq 5060
permit ip any any
ip access-list extended NAT
permit ip any any
ip access-list extended OUTBOUND
permit ip any host 208.67.222.222
permit ip any host 208.67.220.220
deny udp any any eq domain
deny tcp any any eq domain
permit ip any any
permit ip host 172.18.10.11 any
ip access-list extended VPN-TRAFFIC
permit ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
access-list 100 remark No-NAT-to-THS
access-list 100 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 any
access-list 100 remark
I didn't configure this router, only the VPN, so any help would be much appreciated.
Thanks
Ross
12-19-2016 02:03 PM
Can you add:
ip access-list extended VPN-TRAFFIC
permit ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 log
or even
permit ip host A host B log
where A and B are the IP addresses you ping between, and see if your log count goes up. Then at least you know your ACL is correct.
Also, can you provide a sh crypto isakmp sa?
12-19-2016 02:32 PM
You have configured two ip nat inside statements. The first one has an exemption for your VPN traffic, but the second one uses this access list:
ip access-list extended NAT
permit ip any any
I am not sure why you have both ip nat inside statements and suggest that you remove the one that uses this access list. Try that and let us know if the behavior changes.
HTH
Rick
12-19-2016 02:46 PM
Thanks Richard, I wasn't aware of both... The one you are asking me to remove was configured previously, before I configured the VPN.
I'll remove it and see what happens. Is access list 100 correct to disable NAT between the remote sites but allow all else to NAT externally? Or should all of this be in an extended ACL?
I also cannot access from the Draytek to the Cisco; does anything need to be configured for this, or should it just work?
I'll try your suggestion first. Thanks Dennis, I will also try what you have suggested.
12-19-2016 06:24 PM
Ross
It is good to know that this access list was configured before you worked on the VPN. I hope that you will remove it and then let us know if the behavior changes.
Yes, access list 100 would prevent translation of the VPN traffic between the remote sites and would allow translation of other traffic from your inside subnet to outside destinations. Access list 100 is an extended access list.
We do not know enough about the configuration of the Draytek to be able to give suggestions about it.
HTH
Rick
12-20-2016 01:29 PM
Thanks Richard, your suggestion half did it. Removing the ip any any ACL allowed the VPN traffic to pass; however, internet would then fail. I could only get one or the other to work, which was odd.
To resolve I did the following:
ip nat inside source list NAT interface Vlan40 overload
ip access-list extended NAT
deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip any any
So I removed access list 100 completely and added the above; it then worked.
I do have another issue though: I cannot access DNS from the Cisco side to the Draytek side, but I can from the Draytek to the Cisco. I can telnet to 53 on the Cisco side, but from the Cisco side this fails... Everything else works (RDP, HTTP, etc.); it's just DNS.
EDIT: The above is now solved:
ip access-list extended OUTBOUND
permit ip any host 208.67.222.222
permit ip any host 208.67.220.220
deny udp any any eq domain - removed
deny tcp any any eq domain - removed
permit ip any any
Thanks
Ross
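As an added example (not posted in the thread, and not a Cisco tool), a small Python audit that checks the point Rick raised and Ross fixed: every "ip nat inside source list" ACL must deny the flows the crypto map's match address ACL selects, otherwise those packets are translated to the WAN address before the crypto ACL sees them and never enter the tunnel. The config excerpt is constructed from the "before" state above; parse_acls and nat_leaks are names chosen here, and the wildcard handling assumes contiguous (inverse-mask) wildcards.

```python
import re
from ipaddress import IPv4Address, IPv4Network

CONFIG_BEFORE = """\
crypto map CMAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
ip nat inside source list 100 interface Vlan40 overload
ip nat inside source list NAT interface Vlan40 overload
ip access-list extended NAT
 permit ip any any
ip access-list extended VPN-TRAFFIC
 permit ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""  # constructed excerpt modelled on the thread's original config, not the full running-config

def _addr(t):
    """Consume 'any', 'host X' or 'X wildcard' (contiguous wildcard assumed); return (network, rest)."""
    if t[0] == "any":
        return IPv4Network("0.0.0.0/0"), t[1:]
    addr, wild = (t[1], "0.0.0.0") if t[0] == "host" else (t[0], t[1])
    return IPv4Network((addr, 32 - int(IPv4Address(wild)).bit_length()), strict=False), t[2:]

def parse_acls(config):
    """{name: [(action, src, dst), ...]} in ACL order, for named-extended and numbered ACLs."""
    acls, current = {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]; continue                        # entries follow on the next lines
        name, e = (t[1], t[2:]) if t[:1] == ["access-list"] else (current, t)  # numbered vs named
        if not (name and e[:1] and e[0] in ("permit", "deny")):
            current = current if e[:1] == ["remark"] else None; continue  # "!" etc. ends the named ACL
        src, rest = _addr(e[2:])                            # e[1] (protocol) ignored: any protocol can be VPN payload
        acls.setdefault(name, []).append((e[0], src, _addr(rest)[0]))
    return acls

def _translated(nat_entries, vsrc, vdst):
    """First match wins: a deny covering the whole flow exempts it, an overlapping permit translates it."""
    for action, s, d in nat_entries:
        if action == "deny" and vsrc.subnet_of(s) and vdst.subnet_of(d):
            return False
        if action == "permit" and s.overlaps(vsrc) and d.overlaps(vdst):
            return True
    return False                                            # implicit deny at the end: not translated

def nat_leaks(config):
    """[(nat_acl, vpn_src, vpn_dst)] for every NAT list that would translate crypto-map traffic."""
    acls = parse_acls(config)
    vpn = [(s, d) for c in re.findall(r"^\s*match address (\S+)", config, re.M)
           for a, s, d in acls.get(c, []) if a == "permit"]
    return [(nat, str(s), str(d)) for nat in re.findall(r"^ip nat inside source list (\S+)", config, re.M)
            for s, d in vpn if _translated(acls.get(nat, []), s, d)]
```

On the "before" config it reports ACL NAT as translating 172.18.0.0/16 to 172.16.0.0/16; with list 100 removed and the VPN deny placed at the top of ACL NAT, as Ross did, it reports nothing.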
12-21-2016 07:35 AM
Ross
Thanks for posting back to the forum to let us know that you now have this working. I am glad that our suggestions pointed you in the right direction.
HTH
Rick