Cisco 877 + Site-to-Site VPN

cisco1222
Level 1

Hi,

I'm new in this forum.
I implemented a site-to-site VPN with two Cisco 877s.

SITE A:

Public IP Address: Static
Internal IP Address: 192.168.0.XXX
Mask: 255.255.255.0

SITE B:

Public IP Address: Dynamic
Internal IP Address: 192.168.2.XXX
Mask: 255.255.255.0

I manage to ping on both sides, but I can't access file shares or RDP to any server on site A by internal IP.

Attached are the SITE A and SITE B startup configs.


Could someone please help me?


14 Replies

cisco1222
Level 1

What am I doing wrong that this VPN doesn't work correctly?

Thanks,

MP

praprama
Cisco Employee

Hi Marcos,

Your config seems OK. From where to where are you trying to RDP? For the static NATs you have configured on either side, please add the route-map command at the end and see if it helps:

ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494 route-map SDM_RMAP_1

...

Please change the statics to the above format on Site A and Site B. Let me know how it goes!!

Thanks and Regards,

Prapanch

Hi,

Thanks for your reply.

On SITE A (Head Office) I have two servers: 192.168.0.1 and 192.168.0.2. The first is a Windows 2003 AD/DNS/DHCP/file server. The second is an application server that I have to RDP to.

So, I'm trying to RDP from SITE B (Branch Office) to SITE A.

Ex:

From: 192.168.2.1 TO 192.168.0.2 : 3389

I can't RDP from SITE B to SITE A.

Another interesting thing: from SITE A to SITE B or from SITE B to SITE A I cannot telnet to the internal interfaces of the routers.

Ex:

From: 192.168.0.254

leiria#telnet 192.168.2.254
Trying 192.168.2.254 ...
% Connection timed out; remote host not responding

From: 192.168.2.254

bpn-matosinhos#telnet 192.168.0.254
Trying 192.168.0.254 ...
% Connection timed out; remote host not responding

From what I understand, you are asking me to put "ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494 route-map SDM_RMAP_1" on SITE B, correct? Do I have to put some NAT on SITE A?

Sincerely,

Marcos Pinto

Hi Marcos,

So here's your current static NAT config on both sites:

SITE A:

======

ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80

SITE B:

======

ip nat inside source static tcp 192.168.2.254 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.254 22 interface Dialer0 22

You will have to remove the above statics and modify them to look like below:

SITE A:

======

ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494 route-map SDM_RMAP_1
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389 route-map SDM_RMAP_1
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80 route-map SDM_RMAP_1

SITE B:

======

ip nat inside source static tcp 192.168.2.254 80 interface Dialer0 80 route-map SDM_RMAP_1
ip nat inside source static tcp 192.168.2.254 443 interface Dialer0 443 route-map SDM_RMAP_1
ip nat inside source static tcp 192.168.2.254 22 interface Dialer0 22 route-map SDM_RMAP_1

Please note the route-map that we are adding at the end of each "static". This is needed because we do not want traffic that passes through the VPN to be NATed. Hope that clears things up.

Let me know how it goes!!

Thanks and Regards,

Prapanch

Hi Prapanch,

Thanks for your reply.

On SITE A I tried the following command, and it gave me the following message:

leiria(config)#ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494 route-map SDM_RMAP_1
                                                                                       ^
% Invalid input detected at '^' marker.

On SITE B the same:

bpn-matosinhos(config)#ip nat inside source static tcp 192.168.2.254 80 interface Dialer0 80 route-map SDM_RMAP_1
                                                                                             ^
% Invalid input detected at '^' marker.

Now I'm stuck on this; I can't understand why this command doesn't work...

Could you please help me again?

Sincerely,

Marcos Pinto

Hi,

I am not sure why that is the case. What version are you running on the routers? Also, try using "?" and check the options as you type the command out.

Another thing you could try is to use the IP address of the Dialer0 interface instead of the "interface Dialer0" keyword and see if the command is taken then. Let me know how it goes!!

Regards,

Prapanch

Hi,

I only have a static public IP on SITE A; SITE B is an ADSL dynamic-IP connection.

So, on SITE A, I did the following command, and it worked:

leiria(config)#ip nat inside source static tcp 192.168.0.1 80 83.240.167.218 80 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
 

leiria(config)#ip nat inside source static tcp 192.168.0.1 80 83.240.167.218 80 route-map SDM_RMPA_1

-- This command worked correctly, and I corrected the other 2 ip nat statics that I have in the same way.

On SITE B I deleted all NATs except this one:

bpn-matosinhos#ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

SITE A IOS: 12.4(15)T7

SITE B IOS: 12.4(15)T13

I'm really stuck on this one.

One question: the VPN is OK, and I can ping all the active IPs on both sites, but from the CLI (ssh) of each router I cannot telnet, e.g. from SITE A I cannot telnet to 192.168.2.254, and from SITE B I cannot telnet to 192.168.0.254. Is there any explanation for that? The VPN is active and I can ping these interfaces.

It seems to me that only ICMP is active.

Another thing: in my access list I only have permit ip. Is this correct? Do I need to permit something else, like TCP or UDP, for these networks?

I couldn't figure out what the problem with my config is.

Please help me.

Sincerely,

Marcos Pinto

Hi Marcos,

The issue according to me seems to be with the statics. I do not have a lot of experience with routers and NAT commands on them, and hence I am not sure of a way to work around this limitation.

Let's see if someone can help us out here, or please try posting a question about this in the appropriate discussion forum and see if you get a response!!

Also, what about access to the servers on Site A? Is it working now from clients on Site B?

Regards,

Prapanch

Hi,

From SITE B I could not access anything on SITE A. The only thing that I can do is ping the active IPs on SITE A from SITE B. Nothing else.

I'm really stuck on this...

Hi,

So from SiteB, what happens when you try opening a connection "telnet 192.168.0.2 3389", does it just time out? Please post the output of "show ip nat trans | in 192.168.0.2" from both the routers when trying this connection.

Regards,

Prapanch

Hi,

So from SITE A:

leiria#show ip nat trans | in 192.168.0.2
tcp 83.240.167.218:3389   192.168.0.2:3389      2.82.214.85:3143      2.82.214.85:3143
tcp 83.240.167.218:3389   192.168.0.2:3389      2.82.214.85:3267      2.82.214.85:3267
tcp 83.240.167.218:3389   192.168.0.2:3389      2.82.214.85:3480      2.82.214.85:3480
tcp 83.240.167.218:3389   192.168.0.2:3389      83.240.181.168:1538   83.240.181.168:1538
tcp 83.240.167.218:3389   192.168.0.2:3389      83.240.181.168:1703   83.240.181.168:1703
tcp 83.240.167.218:3389   192.168.0.2:3389      83.240.181.168:4156   83.240.181.168:4156
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15509    212.45.52.30:15509
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15576    212.45.52.30:15576
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15648    212.45.52.30:15648
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15716    212.45.52.30:15716
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15783    212.45.52.30:15783
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15851    212.45.52.30:15851
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15919    212.45.52.30:15919
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15987    212.45.52.30:15987
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16050    212.45.52.30:16050
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16110    212.45.52.30:16110
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16178    212.45.52.30:16178
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16246    212.45.52.30:16246
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16305    212.45.52.30:16305
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16371    212.45.52.30:16371
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16435    212.45.52.30:16435
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16497    212.45.52.30:16497
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16564    212.45.52.30:16564
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16627    212.45.52.30:16627
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16693    212.45.52.30:16693
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16763    212.45.52.30:16763
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16826    212.45.52.30:16826
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16883    212.45.52.30:16883
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:16952    212.45.52.30:16952
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17014    212.45.52.30:17014
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17077    212.45.52.30:17077
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17135    212.45.52.30:17135
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17204    212.45.52.30:17204
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17270    212.45.52.30:17270
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17336    212.45.52.30:17336
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17402    212.45.52.30:17402
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17466    212.45.52.30:17466
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17534    212.45.52.30:17534
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17592    212.45.52.30:17592
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17664    212.45.52.30:17664
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17727    212.45.52.30:17727
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17797    212.45.52.30:17797
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17859    212.45.52.30:17859
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:17938    212.45.52.30:17938
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18020    212.45.52.30:18020
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18085    212.45.52.30:18085
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18148    212.45.52.30:18148
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18218    212.45.52.30:18218
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18293    212.45.52.30:18293
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18349    212.45.52.30:18349
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:18425    212.45.52.30:18425
tcp 83.240.167.218:1091   192.168.0.20:1091     64.4.61.134:1863      64.4.61.134:1863
tcp 83.240.167.218:1099   192.168.0.21:1099     64.4.34.84:1863       64.4.34.84:1863
tcp 83.240.167.218:2503   192.168.0.21:2503     94.127.74.120:80      94.127.74.120:80
tcp 83.240.167.218:2503   192.168.0.21:2503     192.0.2.43:9518       192.0.2.43:9518
tcp 83.240.167.218:1101   192.168.0.23:1101     207.46.125.55:1863    207.46.125.55:1863
tcp 83.240.167.218:1156   192.168.0.23:1156     193.53.22.38:443      193.53.22.38:443
tcp 83.240.167.218:1211   192.168.0.23:1211     193.53.22.38:443      193.53.22.38:443
tcp 83.240.167.218:1212   192.168.0.23:1212     193.53.22.38:80       193.53.22.38:80
tcp 83.240.167.218:1213   192.168.0.23:1213     193.53.22.38:80       193.53.22.38:80
tcp 83.240.167.218:1214   192.168.0.23:1214     193.53.22.38:443      193.53.22.38:443
tcp 83.240.167.218:2733   192.168.0.27:2733     64.4.61.85:1863       64.4.61.85:1863
tcp 83.240.167.218:4758   192.168.0.27:4758     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4760   192.168.0.27:4760     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4761   192.168.0.27:4761     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4762   192.168.0.27:4762     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4763   192.168.0.27:4763     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4764   192.168.0.27:4764     195.200.38.136:80     195.200.38.136:80
tcp 83.240.167.218:4765   192.168.0.27:4765     195.200.38.136:80     195.200.38.136:80
udp 83.240.167.218:123    192.168.0.250:123     81.92.212.46:123      81.92.212.46:123
udp 83.240.167.218:123    192.168.0.250:123     84.90.94.144:123      84.90.94.144:123
udp 83.240.167.218:123    192.168.0.250:123     195.22.17.7:123       195.22.17.7:123
tcp 83.240.167.218:1033   192.168.0.250:1174    82.102.10.221:25      82.102.10.221:25
tcp 83.240.167.218:1032   192.168.0.250:1723    82.102.10.221:25      82.102.10.221:25
tcp 83.240.167.218:1059   192.168.0.250:59271   82.102.10.221:25      82.102.10.221:25
tcp 83.240.167.218:1075   192.168.0.250:59344   82.102.10.221:25      82.102.10.221:25
tcp 83.240.167.218:3389   192.168.0.2:3389      ---                   ---

When I try to telnet from SITE B to SITE A, it gives me the following message (I'm doing it from an XP machine, IP 192.168.2.10):

C:\Documents and Settings\Admin>telnet 192.168.0.2 3389
Connecting to 192.168.0.2...Could not open a connection to the host, on port 3389: Connect failed

From the same machine (IP 192.168.2.10) I can telnet to 192.168.0.254 successfully; I can work in the CLI of the SITE A router.

What I don't understand is why I cannot access file shares on servers 192.168.0.1 and 192.168.0.2 from SITE B to SITE A.
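
The two checks that come up in this thread, Prapanch's route-map exemption (so traffic for the remote LAN is never translated) and the "show ip nat trans" inspection for the remote peer's address, as an added Python example that is not part of the thread and not Cisco code. The NAT ACL text, its name NAT_EXEMPT and the 192.168.2.10 translation line are constructed for the example and are not from the posters' configs or output; the wildcard-mask parsing and first-match evaluation model how IOS applies a route-map with a deny/permit extended ACL to a NAT statement (deny, and the implicit deny at the end, both mean "do not translate").

```python
"""Two checks for the NAT-versus-VPN question in this thread (added example,
not code from the thread or from Cisco).

1. parse_acl()/nat_applies(): model how IOS evaluates a NAT route-map whose
   match is an extended ACL: first matching entry wins, 'deny' means
   "do not translate", and the implicit deny at the end also means
   "do not translate".
2. vpn_peer_in_nat_table(): scan `show ip nat translations` output for any
   translation whose outside address is in the remote VPN LAN. Such an
   entry means NAT is being applied to tunnel traffic.
"""
import ipaddress
import re

# Constructed example of an SDM-style NAT ACL: exempt the remote LAN, translate
# everything else. The name NAT_EXEMPT is an assumption, not from the thread.
NAT_ACL = """
ip access-list extended NAT_EXEMPT
 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
"""

# Constructed sample of `show ip nat translations`. The first data line has the
# shape seen in the thread; the 192.168.2.10 line is invented to show the
# symptom that the route-map exemption is meant to prevent.
SAMPLE_NAT_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 83.240.167.218:3389   192.168.0.2:3389      212.45.52.30:15509    212.45.52.30:15509
tcp 83.240.167.218:3389   192.168.0.2:3389      192.168.2.10:1102     192.168.2.10:1102
tcp 83.240.167.218:3389   192.168.0.2:3389      ---                   ---
"""


def _wildcard_to_network(addr, wildcard):
    """IOS writes 0.0.0.255 (wildcard); ipaddress wants 255.255.255.0 (mask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_operand(tokens):
    """Consume one source/destination operand: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for 'permit/deny ip ...' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        src, rest = _parse_operand(parts[2:])
        dst, _ = _parse_operand(rest)
        entries.append((parts[0], src, dst))
    return entries


def nat_applies(entries, src, dst):
    """True when the route-map permits the packet, i.e. NAT translates it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny: not translated


_NAT_LINE = re.compile(r"^\s*(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def vpn_peer_in_nat_table(show_output, remote_lan):
    """Translations whose outside global address lies in remote_lan."""
    net = ipaddress.IPv4Network(remote_lan)
    hits = []
    for line in show_output.splitlines():
        m = _NAT_LINE.match(line)
        if not m:
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = m.groups()
        if outside_global == "---":  # static entry with no active flow
            continue
        if ipaddress.IPv4Address(outside_global.rsplit(":", 1)[0]) in net:
            hits.append((proto, inside_local, outside_global))
    return hits


if __name__ == "__main__":
    acl = parse_acl(NAT_ACL)
    for dst in ("192.168.2.10", "212.45.52.30"):
        verdict = "applies" if nat_applies(acl, "192.168.0.2", dst) else "exempt"
        print(f"192.168.0.2 -> {dst}: NAT {verdict}")
    for hit in vpn_peer_in_nat_table(SAMPLE_NAT_TABLE, "192.168.2.0/24"):
        print("tunnel traffic is being translated:", hit)
```

Run as-is, nat_applies returns False for 192.168.0.2 -> 192.168.2.10 (tunnel traffic stays untranslated, so it still matches the crypto ACL) and True for 192.168.0.2 -> an internet address, and vpn_peer_in_nat_table returns only the constructed 192.168.2.10 entry, which is the signature you do not want to see once the route-map is on the statics. In the real output posted above no 192.168.2.0/24 address appears, which is consistent with NAT not being the cause of the failure.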

Hi,

I do not see 192.168.2.10 in the output below. Was this taken when you tried the telnet? Also, please post the message you get in English; I didn't quite understand what it meant there.

Regards,

Prapanch

Hi,

It's working. The problem is not with the Cisco 877 VPN.

In this infrastructure there is an Untangle bridge appliance that is blocking all communications except ICMP, from what I understood.

I disconnected the Untangle machine and now everything is working just fine.

Prapanch, thank you very, very much, and I'm really sorry for all the time you spent on my problem. The fact is that I didn't know there was an Untangle machine in this infrastructure, and therefore I thought the problem resided in the Cisco VPN.

Many, many thanks for all your effort to solve my problem.

Once again, I'm sorry for all the inconvenience.

Sincerely,

Marcos Pinto

Hi Marcos,

Really glad to know the issue is resolved. There is no need to apologise. Please mark this post as answered if there is nothing more.

Regards,

Prapanch