09-05-2013 05:04 AM - edited 02-21-2020 07:07 PM
We are connecting a Cisco 887VA router with various other non-Cisco routers.
VPN tunnels are up and we can ping devices on the remote network through the VPN.
However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc.) and these are not accessible over the VPN. The connection seems to just hang like it's waiting for a response, but it never gets one and eventually the browser times out.
Strangely, if I request a page that does not exist from the NAS (e.g. http://192.168.3.x/test) I will receive a 404 error, so it is kind of working.
Similar problems with SMB: if I access \\192.168.3.x I can list the content (4 items), but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
I have tried adjusting MTU and MSS with no change.
Any ideas? 'Cause I'm running out of hair.
My config is attached. It is most likely a mess as this is my first Cisco device, so please go easy.
09-05-2013 06:35 AM
Hi,
If I understand correctly, the problem is related to services that are also available on the public network via static translation?
1. I checked your configuration and it isn't clear to me.
For example:
ip nat pool windisplay0 192.168.3.55 192.168.3.55 netmask 255.255.255.0 type rotary
..
ip nat inside destination list windisplay0 pool windisplay0
The syntax is:
ip nat inside destination { listpool | static }
Where is the ACL "windisplay0" ?
2. I suggest reading this document: Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
________________
Best regards,
MB
09-05-2013 09:07 AM
09-06-2013 12:16 AM
Hi,
I can get you an example VPN config (Cisco 1841) that works:
! 192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
! ACL 102: traffic to encrypt (crypto map match)
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
! ACL 150: exempt tunnel traffic from NAT, translate everything else
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
 description b2b-fw
 set peer PEERWANIP
 set security-association lifetime seconds 86400
 set transform-set SETNAME
 match address 102
interface FastEthernet0/0
 description wan_primary
 crypto map B2B
 ip nat outside
interface FastEthernet0/1
 ip nat inside
route-map nonat permit 10
 match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Regards
Markus
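The example config above keeps ACL 102 (crypto map match) and ACL 150 (NAT route-map) in step: every flow that should enter the tunnel is denied in ACL 150 first, so it is not translated before the crypto map sees it. The following Python check is an added example, not code from the thread. Its function names are hypothetical, the ACL lines are copied from the post as constructed input, and it assumes numbered extended `ip` entries written as `any`, `host A` or an address with a contiguous wildcard.

```python
import ipaddress

# Constructed input: the ACL lines from the example config above.
CONFIG = """\
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
"""

def take_net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ip_network() accepts a host mask, which is what an IOS wildcard is
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src, dst), ...]} for 'ip' entries, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            rest = t[4:]
            src = take_net(rest)
            acls.setdefault(t[1], []).append((t[2], src, take_net(rest)))
    return acls

def first_match(acl, src, dst):
    """Verdict of the first entry touching src->dst; implicit deny at the end."""
    for action, a_src, a_dst in acl:
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            covered = src.subnet_of(a_src) and dst.subnet_of(a_dst)
            return action if covered else "partial " + action
    return "deny"

def nat_leaks(config, crypto_acl="102", nat_acl="150"):
    """Crypto-ACL flows that the NAT ACL does not cleanly exempt (deny)."""
    acls = parse_acls(config)
    return [(str(s), str(d), v)
            for a, s, d in acls.get(crypto_acl, []) if a == "permit"
            for v in [first_match(acls.get(nat_acl, []), s, d)] if v != "deny"]

if __name__ == "__main__":
    print(nat_leaks(CONFIG) or "every tunnel flow is exempt from NAT")
```

An empty result means each permitted crypto flow hits a `deny` in the NAT ACL before any `permit`; a returned tuple names the source, destination and the verdict that would let NAT rewrite the packet before encryption.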