Hi all,
I have a site-to-site VPN configured between a 5520 at our data center, and a 1700 at a client's site for site-to-site connectivity. What I've noticed is, is that the VPN can only initiate from my Data Center, never from the client router. I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map. However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works. Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24. I've also got two static NATs for inbound access from the data center and those seem to work fine.
I've pasted the config below, can anyone see what I might have missed?
Current configuration : 2787 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hch-1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 [REDACTED]
enable password 7 [REDACTED]
!
username support password 7 XXXXX
username bywater password 7 XXXXX
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key MYKEY address MYPEER
!
!
crypto ipsec transform-set hch_vpn esp-3des esp-md5-hmac
!
crypto map hch_vpn 10 ipsec-isakmp
set peer MYPEER
set security-association lifetime seconds 28800
set transform-set hch_vpn
match address 101
!
!
!
interface Ethernet0
description HCH Outside (to DSL Modem)
ip address 12.34.56.225 255.255.255.248
ip nat outside
half-duplex
no cdp enable
crypto map hch_vpn
!
interface FastEthernet0
description HCH Inside Intranet
ip address 128.1.0.75 255.255.0.0
no ip proxy-arp
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
ip nat pool hchpool 192.168.105.50 192.168.105.200 netmask 255.255.255.0
ip nat inside source list 50 pool hchpool overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static 128.1.0.1 192.168.105.1
ip nat inside source static 128.1.247.4 192.168.105.2
ip nat outside source list 50 pool hchpool
ip classless
ip route 0.0.0.0 0.0.0.0 12.34.56.230
no ip http server
no ip http secure-server
!
!
access-list 20 permit REMOTEADMIN
access-list 20 permit REMOTESITE 0.0.0.255
access-list 20 permit 192.168.249.0 0.0.0.255
access-list 20 permit 128.1.247.0 0.0.0.255
access-list 20 permit 128.1.0.0 0.0.255.255
access-list 50 permit 128.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.105.0 0.0.0.255 192.168.249.0 0.0.0.255
access-list 101 permit ip 128.1.0.0 0.0.255.255 192.168.249.0 0.0.0.255
access-list 110 deny ip 192.168.105.0 0.0.0.255 192.168.249.0 0.0.0.255
access-list 110 permit ip 128.1.0.0 0.0.255.255 any
access-list 133 deny tcp any any eq 135
access-list 133 deny tcp any any eq 445
access-list 133 deny tcp any any eq 5554
access-list 133 deny tcp any any eq 9996
access-list 133 permit ip any any
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
access-class 20 in
exec-timeout 0 0
!
ntp clock-period 17179984
ntp server 198.72.72.10
end
