09-26-2018 03:08 AM
Hi
I have a dynamic multipoint VPN using GRE working on a 1841 and I would like to migrate it to a Cisco 886VA with advipservices license...
Now while ISAKMP ports are listening
c886#sh control-plane host open-ports | i ISAKMP
udp *:4500 *:0 ISAKMP LISTEN
udp *:500 *:0 ISAKMP LISTEN
When I try to connect I get a timeout, and if I nmap the ports from outside I get
PORT STATE SERVICE
500/udp closed isakmp
4500/udp closed sae-urn
While on 1841 I get
PORT STATE SERVICE
500/udp open|filtered isakmp
4500/udp open|filtered sae-urn
I don't have any firewall in front of the routers and have not configured any rule for UDP ports 500/4500 on them...
Any help is appreciated...
09-26-2018 05:07 AM
Hi,
Have you configured the new router with IKE policies, transform set, tunnel interface etc. yet?
Until you see "*Sep 26 12:05:02.102: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON" message the ports won't appear open.
HTH
09-26-2018 05:28 AM
This is the last reboot I did yesterday and the message for ISAKMP.
Sep 26 01:49:44 192.168.2.1 38: *Sep 25 22:43:56.475: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
All profiles and transform sets are copied from the 1841 config. The weird part is that two weeks ago I was able to log in to the VPN while testing it, and now I get this...
At first I thought it was a license issue, but it's not:
Index 1 Feature: advipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: advsecurity
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Count: Non-Counted
License Priority: Medium
Index 3 Feature: ios-ips-update
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
09-26-2018 05:48 AM
09-26-2018 01:49 PM
Sorry for the late reply, I had to wait, because the router is in production...
I found the problem, although I can't understand it...
I have some NAT translations because we run a few services, one of them an Asterisk server, so I had to put in some access lists:
ip nat inside source route-map NAT interface Dialer46 overload
.....
ip nat inside source static <asterisk-server> <router's static IP> route-map SIP
route-map SIP permit 10
match ip address ASTERISK
match interface Dialer46
!
route-map NAT permit 10
match ip address PAT XVPN
match interface Dialer46
ip access-list extended ASTERISK
permit udp host 192.168.2.150 any range 5000 8000
permit udp host 192.168.2.150 any range 15000 18000
permit udp host 192.168.2.150 any range 40000 50087
permit udp host 192.168.2.150 any range 50100 60000
The problem occurs when I apply
ip nat inside source static <asterisk-server> <router's static IP> route-map SIP
If I remove the above line the VPN works, but I don't have voice on Asterisk calls, as RTP packets are not forwarded to the Asterisk server, and I can't really understand why; it is like when I apply the above rule it forwards all UDP traffic to the Asterisk server although I have only certain ports listed...
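As an added example (not the poster's or Cisco's configuration), the same Asterisk translation written as per-port static PAT on the Dialer46 address, so that only the named port is handed to the Asterisk host and UDP 500/4500 stay with the router for ISAKMP; the SIP port 5060, the Asterisk address taken from the ASTERISK access list, and the show-command filters are assumptions.

```cisco
! Added example, not configuration from the thread. Assumes SIP signalling on
! UDP 5060 and that 192.168.2.150 is the Asterisk host (as in the ASTERISK ACL).
!
! Whole-host form used in the thread: every packet arriving at the router's
! static IP is translated to the Asterisk host, ISAKMP (UDP 500/4500) included,
! which is why the VPN stops answering while this line is present.
! ip nat inside source static 192.168.2.150 <router's static IP> route-map SIP
!
! Per-port static PAT: only UDP 5060 arriving on Dialer46 is forwarded to
! Asterisk; other inbound UDP to the Dialer46 address is still delivered to the
! router itself.
ip nat inside source static udp 192.168.2.150 5060 interface Dialer46 5060
!
! Outbound PAT for the LAN, unchanged from the thread.
ip nat inside source route-map NAT interface Dialer46 overload
!
! Checks after the change: the ISAKMP translations, if any, must not point at
! 192.168.2.150, and the DMVPN peers should come back up.
! show ip nat translations | include :500
! show ip nat translations | include :4500
! show crypto isakmp sa
```

A static PAT entry covers a single port, so the RTP ranges in the ASTERISK access list cannot be expressed this way one line at a time; the example only shows why the whole-host static entry captures the ISAKMP ports and how to verify it.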