Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
883
Views
0
Helpful
2
Replies

Cisco site-to-site VPN behind non cisco VDSL modem

memmas nanashi
Level 1
Level 1

‎01-31-2014 03:05 PM

Hello,

I had a working site-to-site between a Cisco 1841 (ios 12.4) and a cisco 876 router (ios 12.3)...

The problem started when the 876 part upgrade to vdsl so I can't use the 876 to connect so now I'm behind an ISP's vDSL modem...

I follow the tempate at

http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml

and have a site-to-site VPN connection, the only problem is while I can ping and access from 876 to 1841 , I can't ping or access (except for the 876) from 1841 to 876...

I would appreciate any help or hint...

Regards

EDIT: I don't know if helps but on 876 I'm using double NAT, didn't switch modem to bridge mode, but since it's a tunnel, I don't think it's an issue...

vlan2 taking an IP of 192.168.254.0 range and modem has 192.168.254.254.

here is the result of "sh ip route"

     10.0.0.0/24 is subnetted, 2 subnets

D       10.10.10.0 [90/2818560] via 10.0.0.2, 01:10:03, Tunnel0

C       10.0.0.0 is directly connected, Tunnel0

C    192.168.254.0/24 is directly connected, Vlan2

S    192.168.2.0/24 is directly connected, Tunnel0

C    192.168.3.0/24 is directly connected, Vlan1

S*   0.0.0.0/0 [254/0] via 192.168.254.254

Also when I issue "sh crypto isakmp sa" I get in src the local IP address

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

83.xxx.xxx.xxx  192.168.254.17  QM_IDLE           2004 ACTIVE

Here is the nat part of 876

!

crypto map vpnmap1 local-address Vlan2

!

interface Vlan1

description --- LAN ---

ip address 192.168.3.253 255.255.255.0

ip nat inside

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

!

interface Vlan2

description --- WAN ---

ip address dhcp

ip nat outside

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

crypto map vpnmap1

!

ip route 192.168.2.0 255.255.255.0 Tunnel0

!

ip nat inside source route-map NAT interface Vlan2 overload

!

route-map NAT permit 10

match ip address PAT

match interface Vlan2

!

ip access-list extended PAT

deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.3.0 0.0.0.255 any

permit ip 192.168.254.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

!

Message was edited by: gerasimos_h

Labels:
0 Helpful
2 Replies 2

jshojayi
Level 1
Level 1

‎02-06-2014 12:04 AM

The 876 initiating would work since it's initiating. It sounds like you have the peer IP address on the 1841 pointing to the modem the 876 is plugged into. If the modem holds the public IP, it's not going to be able to terminate the VPN session from the 1841. Try enabling bridge mode so that the 876 gets a public IP and then re-initiate from the 1841.

Thank you.

Joe

0 Helpful

memmas nanashi
Level 1
Level 1
In response to jshojayi

‎02-06-2014 11:51 AM

Thanks for the answer,

The 876 connects to 1841 to be accurate...

Also I'm trying to avoid bridging the modem, but now I realize that I'm not going to avoid it after all, even after I was so close to the solution...

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents