01-02-2012 10:12 PM
A <---> B
A: 192.168.100.0
Gateway: 192.168.100.254
Gateway: 192.168.100.11
B: 192.168.101.0
Gateway: 192.168.101.254
The site-to-site works fine so far; the only problem is that Router B cannot access site A, and Router A is not able to access site B either.
Not able to PING, not able to access tftp, not able to send syslog.
My VPN config is pretty simple, just following the Cisco VPN Sample configuration.
Any idea?
Thanks in advance.
P.C.
01-02-2012 10:49 PM
You should post both ends' configuration.
01-02-2012 11:11 PM
! ==============================
!
! Router A (PIX v7.1)
!
! ==============================
hostname PIX
!
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
no nameif
no security-level
no ip address
!
interface Ethernet1.23
vlan 23
nameif inside
security-level 60
ip address 192.168.23.254 255.255.255.0
!
interface Ethernet1.28
vlan 28
nameif VoIP
security-level 80
ip address 192.168.28.254 255.255.255.0
!
ftp mode passive
access-list acl_ZeroNAT_inside extended permit ip 192.168.23.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list acl_ZeroNAT_inside extended permit ip 192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_ZeroNAT_VoIP extended permit ip 192.168.28.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list acl_ZeroNAT_VoIP extended permit ip 192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_interface_outside_in extended permit tcp any interface outside eq www
access-list acl_interface_outside_in extended permit tcp any interface outside eq ftp
access-list acl_interface_outside_in extended permit tcp any interface outside eq ftp-data
access-list acl_interface_inside_in extended permit ip any any
access-list acl_interface_VoIP_in extended deny ip host 255.255.255.255 any
access-list acl_interface_VoIP_in extended permit ip any any
access-list acl_interface_outside_outbound extended permit udp host 168.95.1.1 eq domain any
access-list acl_interface_outside_outbound extended permit udp host 168.95.192.1 eq domain any
access-list acl_interface_outside_outbound extended permit esp any any
access-list acl_interface_outside_outbound extended permit udp any any eq isakmp
access-list acl_interface_outside_outbound extended permit udp any eq bootps any eq bootpc
access-list acl_interface_outside_outbound extended permit icmp any any echo-reply
access-list acl_interface_outside_outbound extended permit icmp any any time-exceeded
access-list acl_interface_outside_outbound extended permit icmp any any unreachable
access-list acl_interface_outside_outbound extended deny ip 10.0.0.0 255.0.0.0 any
access-list acl_interface_outside_outbound extended deny ip 172.16.0.0 255.255.0.0 any
access-list acl_interface_outside_outbound extended deny ip 127.0.0.0 255.0.0.0 any
access-list acl_interface_outside_outbound extended deny ip host 255.255.255.255 any
access-list acl_interface_outside_outbound extended permit ip any any
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_VPN_L2L_CryptoMap extended permit ip 192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_ZeroNAT_inside
nat (inside) 1 192.168.23.0 255.255.255.0
nat (VoIP) 0 access-list acl_ZeroNAT_VoIP
nat (VoIP) 1 192.168.28.0 255.255.255.0
access-group acl_interface_outside_in in interface outside
access-group acl_interface_outside_outbound out interface outside
access-group acl_interface_inside_in in interface inside
access-group acl_interface_VoIP_in in interface VoIP
aaa authentication ssh console LOCAL
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto dynamic-map DM-VPN 1 set transform-set TS-AES
crypto dynamic-map DM-VPN 1 set reverse-route
crypto map Map-VPN 10 match address acl_VPN_L2L_CryptoMap
crypto map Map-VPN 10 set peer 180.000.000.000
crypto map Map-VPN 10 set transform-set TS-3DES
crypto map Map-VPN 20 ipsec-isakmp dynamic DM-VPN
crypto map Map-VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group 180.000.000.000 type ipsec-l2l
tunnel-group 180.000.000.000 ipsec-attributes
pre-shared-key *
management-access inside
! ==============================
!
! Router B
!
! ==============================
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.1 192.168.8.50
ip dhcp excluded-address 192.168.8.251 192.168.8.254
!
ip dhcp pool Home
network 192.168.8.0 255.255.255.0
default-router 192.168.8.254
dns-server 192.168.8.254
!
!
ip name-server 168.95.1.1
ip name-server 168.95.192.1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 181.000.000.000
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 181.000.000.000
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface Ethernet0
description outside$FW_OUTSIDE$
ip address dhcp client-id Ethernet0
ip access-group 103 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
half-duplex
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0
description inside$FW_INSIDE$
ip address 192.168.8.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 11
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
ip dns server
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 11 permit 192.168.8.0 0.0.0.255
access-list 11 permit 192.168.23.0 0.0.0.255
access-list 11 permit 192.168.25.0 0.0.0.255
access-list 11 deny any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.71
access-list 102 permit udp host 220.130.158.71 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 114.33.9.11
access-list 102 permit udp host 114.33.9.11 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.52
access-list 102 permit udp host 220.130.158.52 eq ntp host 192.168.8.254 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 220.130.158.72
access-list 102 permit udp host 220.130.158.72 eq ntp host 192.168.8.254 eq ntp
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 168.95.192.1 eq domain any
access-list 103 permit udp host 168.95.1.1 eq domain any
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.71
access-list 103 permit udp host 220.130.158.71 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 114.33.9.11
access-list 103 permit udp host 114.33.9.11 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.52
access-list 103 permit udp host 220.130.158.52 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 220.130.158.72
access-list 103 permit udp host 220.130.158.72 eq ntp any eq ntp
access-list 103 permit ahp host 123.193.132.46 any
access-list 103 permit esp host 123.193.132.46 any
access-list 103 permit udp host 123.193.132.46 any eq isakmp
access-list 103 permit udp host 123.193.132.46 any eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.23.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 deny ip 192.168.8.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit tcp any any eq 22
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
route-map SDM_RMAP_1 permit 1
match ip address 101
01-02-2012 11:18 PM
Where are these subnets?
A: 192.168.100.0
Gateway: 192.168.100.254
Gateway: 192.168.100.11
B: 192.168.101.0
Gateway: 192.168.101.254
01-03-2012 12:08 AM
Sorry for the confusion. The following are actual subnets, please ignore 192.168.100.0 and 192.168.101.0.
A: 192.168.23.0
Gateway: 192.168.23.254
Gateway: 192.168.23.11
B: 192.168.8.0
Gateway: 192.168.8.254
In site A, my laptop can ssh to router B.
In site B, my laptop can ssh to router A.
But
Router A CANNOT access site B.
Router B CANNOT access site A.
Thanks.
01-03-2012 12:48 AM
On the Router B side, the 2nd subnet is not added for VoIP.
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255
Post the output of show crypto ipsec sa. Do you see if your tunnel is UP?
Thanks
Ajay
01-03-2012 01:02 AM
Thanks Ajay,
The vpn tunnel is working fine and all clients in site A are able to access site B, vice versa.
The only problem is that Router B is not able to PING or tftp to a server on site A (or anything in Site A), and vice versa.
For example, I have a syslog server (192.168.23.100), but router B (192.168.8.254) is not able to access this machine.
Thanks.
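The symptom in this thread comes down to one question: does a given source/destination pair match the crypto ACL on each side, so that the tunnel selects it for encryption? The script below is an added example, not code posted in the thread or shipped by Cisco. It parses the crypto ACL lines copied from the two configs above (ACL 100 on Router B, acl_VPN_L2L_CryptoMap on the PIX), evaluates candidate flows with first-match semantics, and reports entries on one side whose mirror is missing on the other. Two assumptions are labelled in the code: 203.0.113.5 is a constructed placeholder for Router B's DHCP-assigned outside address, and router-originated traffic is modelled as sourced from the address of the egress interface unless a source interface is configured, which is IOS's default behaviour for locally generated packets.

```python
"""Check which flows a site-to-site crypto ACL selects for encryption (added example)."""
import ipaddress
import re

# Crypto ACL lines copied from the thread. IOS numbered ACLs use wildcard masks;
# PIX/ASA "extended" ACLs use subnet masks, so each list is tagged when parsed.
ROUTER_B_CRYPTO_ACL = (
    "access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.23.0 0.0.0.255",
)
PIX_A_CRYPTO_ACL = (
    "access-list acl_VPN_L2L_CryptoMap extended permit ip "
    "192.168.23.0 255.255.255.0 192.168.8.0 255.255.255.0",
    "access-list acl_VPN_L2L_CryptoMap extended permit ip "
    "192.168.28.0 255.255.255.0 192.168.8.0 255.255.255.0",
)

# Constructed placeholder for Router B's DHCP outside address (not from the thread).
ROUTER_B_OUTSIDE_PLACEHOLDER = "203.0.113.5"

LINE_RE = re.compile(
    r"^access-list\s+\S+\s+(?:extended\s+)?(permit|deny)\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def _network(addr, mask, wildcard):
    """Build a network from an address plus a wildcard (IOS) or subnet mask (PIX)."""
    if wildcard:
        # Wildcard 0.0.0.255 is the bitwise inverse of netmask 255.255.255.0.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(lines, wildcard):
    """Return [(action, src_net, dst_net)] for the 'ip <net> <mask> <net> <mask>' entries."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # remarks and host/any forms are not needed for these ACLs
        action, src, smask, dst, dmask = m.groups()
        entries.append((action, _network(src, smask, wildcard), _network(dst, dmask, wildcard)))
    return entries


def matches(entries, src_ip, dst_ip):
    """First-match semantics: True when the flow is selected for the IPsec SA."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False  # implicit deny: the packet is routed (and NATed) in the clear


def mirror_gaps(local_entries, remote_entries):
    """Permit pairs on the remote side whose mirrored (dst, src) permit is missing locally."""
    gaps = []
    for action, snet, dnet in remote_entries:
        if action != "permit":
            continue
        if not any(a == "permit" and s == dnet and d == snet for a, s, d in local_entries):
            gaps.append((str(dnet), str(snet)))
    return gaps


def report():
    """Evaluate the flows discussed in the thread; returns a dict for inspection."""
    b = parse_acl(ROUTER_B_CRYPTO_ACL, wildcard=True)
    a = parse_acl(PIX_A_CRYPTO_ACL, wildcard=False)
    syslog = "192.168.23.100"  # syslog server at site A named in the thread
    return {
        # A LAN host at site B reaching the syslog server: selected for encryption.
        "lan_host_to_syslog": matches(b, "192.168.8.20", syslog),
        # Router B sourcing from its inside address: also selected.
        "router_b_inside_to_syslog": matches(b, "192.168.8.254", syslog),
        # Router B sourcing from its outside address (IOS default for locally
        # generated traffic without a source interface): NOT selected, so the
        # packet leaves in the clear and the far side never sees it in the tunnel.
        "router_b_outside_to_syslog": matches(b, ROUTER_B_OUTSIDE_PLACEHOLDER, syslog),
        # Return direction on the PIX for the inside-sourced case.
        "syslog_reply_to_router_b": matches(a, syslog, "192.168.8.254"),
        # Ajay's point: the VoIP subnet is in the PIX crypto ACL but not in ACL 100.
        "missing_on_router_b": mirror_gaps(b, a),
        "missing_on_pix_a": mirror_gaps(a, b),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The takeaway for the defender reading the thread: the crypto ACL, the NAT exemption (route-map 101 here) and the interface ACLs all have to agree on the same source address, so when a router tests or logs across the tunnel, the source address it picks is what decides whether the traffic ever enters the SA. Checking flows against the parsed ACLs before touching the boxes keeps the change small and reviewable.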