09-19-2012 01:26 AM - edited 02-21-2020 06:20 PM
I've been bashing my head against the wall for over 2 weeks now. I cannot get this figured out.
We have 2 branches and a server with an ISP. Currently we are connecting to our ISP via an IPsec VPN from our head office. Later we will add branch 1.
The problem is this: my VPN is up, I can ping my local IP addresses, my tunnel IP, the remote tunnel interface, and the remote VLAN or gateway, but I cannot ping anything past that. From the branch to the ISP I can ping the router in the ISP DC and the server just fine, but I cannot ping or talk to anything at the office from the ISP side, and as a result I cannot communicate with any host on the LANs. Can someone please help me out with this?
Can I dump the configs of the two routers here for someone to have a look at?
Thanks in advance.
09-19-2012 01:29 AM
Yes, pls post the configs of the 2 routers and I will take a look.
Pls also share the output of:
show cry isa sa
show cry ipsec sa
from both routers. Thanks.
09-19-2012 01:35 AM
Hi, Thank you.
Here is the running-config of the DC router:
I'll post the office config and info in a second post.
Building configuration...
Current configuration : 3267 bytes
!
! Last configuration change at 19:15:33 UTC Tue Sep 18 2012 by admin
! NVRAM config last updated at 19:22:19 UTC Tue Sep 18 2012 by admin
! NVRAM config last updated at 19:22:19 UTC Tue Sep 18 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ISP-DC
!
boot-start-marker
boot-end-marker
!
!
logging buffered 500000
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name company.co.za
ip name-server 8.8.4.4
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1349F05Y
username admin privilege 15 secret 5 $1$1N7z$Rt22wvcXs8F5jM.Mbqi.
!
redundancy
!
!
!
crypto keyring mavrick-keyring vrf ppp ! Keyring unusable for nonexistent vrf
local-address 75.78.5.194
pre-shared-key address 0.0.0.0 0.0.0.0 key shdjeiijskdff44356
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key shdjeiijskdff44356 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
!
interface Tunnel1000
ip address 172.20.0.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon
keepalive 60 3
tunnel source 75.78.5.194
tunnel mode gre multipoint
tunnel key 2012
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.225
description Internet
encapsulation dot1Q 225 native
ip address 75.78.5.194 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface FastEthernet0/0.226
description Diginet
encapsulation dot1Q 226
ip address 172.20.40.1 255.255.255.252
!
interface FastEthernet0/1
ip address 10.1.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
network 172.20.0.0
network 172.40.0.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 10.1.20.2 22922 interface FastEthernet0/0.225 22922
ip nat inside source static tcp 10.1.20.2 5555 interface FastEthernet0/0.225 5555
ip nat inside source list NAT interface FastEthernet0/0.225 overload
ip nat inside source static tcp 10.1.20.2 22 interface FastEthernet0/0.225 15050
ip route 0.0.0.0 0.0.0.0 75.78.5.193
!
ip access-list extended NAT
deny ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 any
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 60 0
transport input all
!
scheduler allocate 20000 1000
ntp server 196.7.93.10
end
And the show cry isa sa:
DC#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
75.78.5.194 75.144.170.46 QM_IDLE 1011 ACTIVE
75.78.5.194 75.181.126.253 MM_SA_SETUP 0 ACTIVE
75.78.5.194 75.181.126.253 MM_NO_STATE 0 ACTIVE (deleted)
The show crypto ipsec sa:
DC#show crypto ipsec sa
interface: Tunnel1000
Crypto map tag: Tunnel1000-head-0, local addr 75.78.5.194
protected vrf: (none)
local ident (addr/mask/prot/port): (75.78.5.194/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (75.144.170.46/255.255.255.255/47/0)
current_peer 75.144.170.46 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 492, #pkts encrypt: 492, #pkts digest: 492
#pkts decaps: 894, #pkts decrypt: 894, #pkts verify: 894
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 75.78.5.194, remote crypto endpt.: 75.144.170.46
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.225
current outbound spi: 0xD4E9DA60(3572095584)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB6535704(3058915076)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2045, flow_id: NETGX:45, sibling_flags 80000006, crypto map: Tunnel1000-head-0
sa timing: remaining key lifetime (k/sec): (4395030/864)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD4E9DA60(3572095584)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2046, flow_id: NETGX:46, sibling_flags 80000006, crypto map: Tunnel1000-head-0
sa timing: remaining key lifetime (k/sec): (4395045/864)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
09-19-2012 01:38 AM
Server IP at the ISP is 10.1.20.2. (I can ping this from the office and I get replies.)
Host IP at the office is 10.178.164.132 (I cannot ping this IP from the router at the ISP).
This is the config for the router at our office:
Building configuration...
Current configuration : 4549 bytes
!
! Last configuration change at 14:36:16 UTC Tue Sep 18 2012 by admin
! NVRAM config last updated at 05:56:44 UTC Tue Sep 18 2012 by admin
! NVRAM config last updated at 05:56:44 UTC Tue Sep 18 2012 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Headoffice
!
boot-start-marker
boot-end-marker
!
!
logging buffered 500000
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip domain name HQ
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1616C1TP
!
!
username admin privilege 15 password 7 04785A63071h736305
!
!
!
!
controller VDSL 0
!
!
track 1 ip sla 1 reachability
!
class-map match-any CM_Block_P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
!
!
policy-map PM_Block_P2P
class CM_Block_P2P
drop
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key shdjeiijskdff44356 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
interface Loopback0
ip address 172.19.0.11 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Tunnel0
ip address 172.20.0.11 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp map multicast 75.78.5.194
ip nhrp map 172.20.0.1 75.78.5.194
ip nhrp network-id 1
ip nhrp nhs 172.20.0.1
tunnel source Dialer2
tunnel destination 75.78.5.194
tunnel key 2012
tunnel protection ipsec profile DMVPN
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 2
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.178.164.132 255.255.255.128
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description International
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no peer neighbor-route
ppp authentication chap callin
ppp chap hostname companyname@someisp-international.co.za
ppp chap password 7 070B35545418130h75
no cdp enable
!
interface Dialer2
description Local Only
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
ppp authentication chap callin
ppp chap hostname companyname@someisp.local
ppp chap password 7 0250035750850G734D
no cdp enable
!
router rip
version 2
network 10.0.0.0
network 172.20.0.0
no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source route-map NAT-DIALER-1 interface Dialer1 overload
ip nat inside source route-map NAT-DIALER-2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 75.78.5.194 255.255.255.255 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 10.178.164.129 200
ip route 75.78.5.194 255.255.255.255 10.178.164.129 200
ip route 196.25.1.1 255.255.255.255 Dialer2
!
ip sla 1
icmp-echo 196.25.1.1 source-interface Dialer2
threshold 2
timeout 1000
frequency 20
ip sla schedule 1 life forever start-time now
logging dmvpn
access-list 101 deny ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255
access-list 101 deny ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255
access-list 101 deny ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.178.164.128 0.0.0.127 any
access-list 102 deny ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255
access-list 102 deny ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255
access-list 102 deny ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.178.164.128 0.0.0.127 any
!
!
!
!
route-map NAT-DIALER-1 permit 1
match ip address 101
match interface Dialer1
!
route-map NAT-DIALER-2 permit 1
match ip address 102
match interface Dialer2
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end
Show crypto isakmp sa:
IPv4 Crypto ISAKMP SA
dst src state conn-id status
75.78.5.194 75.144.170.46 QM_IDLE 2012 ACTIVE
IPv6 Crypto ISAKMP SA
show crypto ipsec sa:
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 41.144.170.46
protected vrf: (none)
local ident (addr/mask/prot/port): (41.144.170.46/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (41.78.5.194/255.255.255.255/47/0)
current_peer 41.78.5.194 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1479, #pkts encrypt: 1479, #pkts digest: 1479
#pkts decaps: 1712, #pkts decrypt: 1712, #pkts verify: 1712
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 41.144.170.46, remote crypto endpt.: 41.78.5.194
path mtu 1492, ip mtu 1492, ip mtu idb Dialer2
current outbound spi: 0xB6535704(3058915076)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD4E9DA60(3572095584)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 67, flow_id: Onboard VPN:67, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4415569/573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB6535704(3058915076)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 68, flow_id: Onboard VPN:68, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4415553/573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
09-19-2012 01:45 AM
NAT exemption on the server end needs to include the following deny statement:
ip access-list extended NAT
5 deny ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127
Then clear the ip nat translation before you perform the test again.
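As an added example (not part of the thread, and not the posters' configs), here is a small Python checker that evaluates a NAT ACL the way "ip nat inside source list" does, first match wins, permit means translate, deny or no match means exempt. It shows why the original DC list still translated server-to-office traffic: its only deny covered 10.0.0.0/24, not 10.178.164.128/25, so the "permit ... any" line matched, and how the sequence-5 deny from the answer above fixes it. The ACL lines are transcribed from the two configs in this thread; the function names and the helper tunnel_flow_is_clean are my own.

```python
"""Added example (not from the thread): evaluate a Cisco-style NAT ACL to see
whether a flow would be translated or left alone (NAT exemption).
ACL lines below are transcribed from the two router configs in the thread;
the sequence-5 line is the one the accepted answer adds."""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard' (Cisco inverse mask) to an IPv4Network.
    Only contiguous wildcards (e.g. 0.0.0.127) are supported."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF            # invert: 1 bits must match
    prefix = bin(mask).count("1")
    if mask != ((mask >> (32 - prefix)) << (32 - prefix)):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_addr(tokens):
    """Consume one ACE address term: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def build_acl(lines):
    """Parse ACEs (named-ACL lines with optional sequence number, or classic
    'access-list N ...' lines) into a list sorted by sequence number.
    Unnumbered entries get IOS-style defaults (10, 20, 30, ...)."""
    entries, next_seq = [], 10
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":   # classic numbered ACL syntax
            tokens = tokens[2:]
        if tokens[0].isdigit():          # explicit sequence number
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = next_seq
        next_seq = (seq // 10 + 1) * 10
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError("example handles plain 'ip' ACEs only")
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((seq, action, src, dst))
    return sorted(entries, key=lambda e: e[0])


def nat_decision(acl_lines, src_ip, dst_ip):
    """First-match evaluation as 'ip nat inside source list' uses it: a permit
    means the flow is translated; a deny, or no match (implicit deny), means exempt."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, src_net, dst_net in build_acl(acl_lines):
        if src in src_net and dst in dst_net:
            return "translate" if action == "permit" else "exempt"
    return "exempt"


def tunnel_flow_is_clean(dc_acl, office_acl, server_ip, host_ip):
    """Hypothetical helper: a site-to-site flow is only clean when both ends
    exempt it, otherwise one side PATs the inner packet to its public address
    before it enters the tunnel (the symptom described in the thread)."""
    return (nat_decision(dc_acl, server_ip, host_ip) == "exempt"
            and nat_decision(office_acl, host_ip, server_ip) == "exempt")


# --- transcribed from the thread: DC router list 'NAT' and office ACL 102 ---
DC_NAT_ORIGINAL = [
    "deny ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255",   # covers only 10.0.0.0/24
    "permit ip 10.1.20.0 0.0.0.255 any",
]
# the accepted answer's line; sequence 5 sorts it ahead of the permit
DC_NAT_FIXED = ["5 deny ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127"] + DC_NAT_ORIGINAL

OFFICE_ACL_102 = [
    "access-list 102 deny ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255",
    "access-list 102 deny ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255",
    "access-list 102 deny ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255",
    "access-list 102 permit ip 10.178.164.128 0.0.0.127 any",
]

SERVER, OFFICE_HOST = "10.1.20.2", "10.178.164.132"   # addresses from the thread

if __name__ == "__main__":
    for label, acl in (("original", DC_NAT_ORIGINAL), ("fixed", DC_NAT_FIXED)):
        print(f"DC {label}: {SERVER} -> {OFFICE_HOST}: {nat_decision(acl, SERVER, OFFICE_HOST)}")
    print("office: host -> server:", nat_decision(OFFICE_ACL_102, OFFICE_HOST, SERVER))
    print("clean both ways (original):", tunnel_flow_is_clean(DC_NAT_ORIGINAL, OFFICE_ACL_102, SERVER, OFFICE_HOST))
    print("clean both ways (fixed):", tunnel_flow_is_clean(DC_NAT_FIXED, OFFICE_ACL_102, SERVER, OFFICE_HOST))
```

Running it prints "translate" for the original DC list and "exempt" for the fixed one, while Internet-bound traffic from 10.1.20.0/24 still hits the permit and is translated as intended. The office side already exempts 10.1.20.0/24 in ACL 101/102, which is why only the DC end needed the extra deny; the same check is worth repeating whenever a new branch subnet is added to the DMVPN.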
09-19-2012 02:04 AM
I've added that to the NAT access-list and cleared the ip nat translation.
But it still fails. From the (server) router in the DC I can ping 10.178.164.132, but I cannot ping a host on the LAN, i.e. 10.178.164.129.
09-19-2012 03:01 AM
Can you pls ping from host to host instead of from the router itself to a host?
Also, can you try to traceroute from a host to a host?
09-19-2012 03:07 AM
Ok, I will do that a bit later. I am not there at the moment.
I'll let you know once it's done.
09-20-2012 12:41 AM
Hello.
Thank you very much. I went to the office this morning and it was working.
I can't believe that I missed that ACL rule.