01-31-2014 03:05 PM
Hello,
I had a working site-to-site between a Cisco 1841 (IOS 12.4) and a Cisco 876 router (IOS 12.3)...
The problem started when the 876 side was upgraded to VDSL, so I can't use the 876 to connect and now I'm behind an ISP's VDSL modem...
I followed the template at
http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml
and have a site-to-site VPN connection. The only problem is that while I can ping and access from 876 to 1841, I can't ping or access (except for the 876) from 1841 to 876...
I would appreciate any help or hint...
Regards
EDIT: I don't know if it helps, but on the 876 I'm using double NAT. I didn't switch the modem to bridge mode, but since it's a tunnel, I don't think it's an issue...
Vlan2 is taking an IP from the 192.168.254.0 range and the modem has 192.168.254.254.
Here is the result of "sh ip route":
10.0.0.0/24 is subnetted, 2 subnets
D 10.10.10.0 [90/2818560] via 10.0.0.2, 01:10:03, Tunnel0
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.254.0/24 is directly connected, Vlan2
S 192.168.2.0/24 is directly connected, Tunnel0
C 192.168.3.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [254/0] via 192.168.254.254
Also, when I issue "sh crypto isakmp sa" I get the local IP address in src:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
83.xxx.xxx.xxx  192.168.254.17  QM_IDLE           2004 ACTIVE
Here is the NAT part of the 876:
!
crypto map vpnmap1 local-address Vlan2
!
interface Vlan1
 description --- LAN ---
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Vlan2
 description --- WAN ---
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 crypto map vpnmap1
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip nat inside source route-map NAT interface Vlan2 overload
!
route-map NAT permit 10
 match ip address PAT
 match interface Vlan2
!
ip access-list extended PAT
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.254.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
Message was edited by: gerasimos_h
02-06-2014 12:04 AM
The 876 initiating would work since it's initiating. It sounds like you have the peer IP address on the 1841 pointing to the modem the 876 is plugged into. If the modem holds the public IP, it's not going to be able to terminate the VPN session from the 1841. Try enabling bridge mode so that the 876 gets a public IP and then re-initiate from the 1841.
Thank you.
Joe
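Added example, not part of the thread or of either poster's configuration: a small check that parses "sh crypto isakmp sa" output and flags any SA endpoint in RFC 1918 space, which is the sign that the router sits behind a device holding the public IP, as described in the reply above. The function names are this example's own, and the sample is the output quoted in the first post.

```python
import ipaddress

# Constructed sample: the output quoted in the first post (peer address masked by the poster).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
83.xxx.xxx.xxx  192.168.254.17  QM_IDLE           2004 ACTIVE
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_isakmp_sa(text):
    """Return one dict per SA row of 'show crypto isakmp sa' output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 5 columns with a numeric conn-id; banner and header lines do not.
        if len(fields) == 5 and fields[3].isdigit():
            dst, src, state, conn_id, status = fields
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def is_rfc1918(addr):
    """True for RFC 1918 addresses; False for public or masked/unparsable ones."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # e.g. '83.xxx.xxx.xxx' as masked in the post
    return any(ip in net for net in RFC1918)


def natted_endpoints(text):
    """List (conn_id, column, address) for every SA endpoint in private space."""
    return [(sa["conn_id"], col, sa[col])
            for sa in parse_isakmp_sa(text)
            for col in ("src", "dst")
            if is_rfc1918(sa[col])]


if __name__ == "__main__":
    for conn_id, col, addr in natted_endpoints(SAMPLE):
        print(f"conn-id {conn_id}: {col} {addr} is RFC 1918; "
              "this end is behind a device that holds the public IP")
```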
02-06-2014 11:51 AM
Thanks for the answer,
The 876 connects to 1841 to be accurate...
Also I'm trying to avoid bridging the modem, but now I realize that I'm not going to avoid it after all, even after I was so close to the solution...
Thanks