06-02-2019 09:04 PM
I have 2 Cisco 1921/K9 routers and I have set up a site-to-site VPN. It shows as connected, but I am not able to ping the LANs from the routers or from a PC on the other LAN. I am trying to figure out what I have missed, since I can ping the WAN port on both sides and when running the "sh crypto isakmp sa" command it shows that the connection is Active, but when I try to ping any device on the 192.168.2.0 network from the 192.168.3.0 network it will not go across the tunnel.
Router Main-Office
Current configuration : 7177 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Main-Office
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
clock timezone Central -6 0
clock summer-time Central date Mar 10 2019 2:00 Nov 3 2019 2:00
!
no ip dhcp ping packets
!
ip domain name router.com
ip name-server 1.1.1.1
ip name-server 8.8.8.8
ip cef
login delay 10
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-33867
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-33867
 revocation-check none
 rsakeypair TP-self-signed-33867
!
crypto pki certificate chain TP-self-signed-33867
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333836 37333038 3437301E 170D3135 31313234 31383539
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33383637
  33303834 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A171 AC4C3272 C099FAC1 E2BFAE87 6AE98FC6 501F8762 6854A568 E5468FC4
  6C0C9CE2 92803015 E1CD271E E8BBA718 D5854377 AD8A42FC A5254A78 7EB08C41
  FA2F85BE 22FB5F86 6B3737E4 69ADAC05 86DAC773 68C43FAA E02277D3 36692AB1
  F3241936 5F117F48 7BC2AEDF 718064C6 1137CAF9 4E4E472F 93478198 74AD89D9
  F6AB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14949237 F6105BA9 0C1EC0D4 77875AEF 24470162 8E301D06
  03551D0E 04160414 949237F6 105BA90C 1EC0D477 875AEF24 4701628E 300D0609
  2A864886 F70D0101 05050003 81810020 51D914B3 C3312154 310905F7 8717287A
  9BAA8E24 3335AF40 4CB58722 586EEBE8 B8BDC6AA A9D0DE2D C13B439D F98208AA
  04A7FC55 84C7D5C5 808DA403 4BBA976A 0946091F 42694150 B5253088 068D563A
  A36696E6 34F1EDBC F9E7888B 58C4B0C0 7A328F1E E30C1A8F 74633CC2 6DA76599
  1FBC7767 B39CEF8D 1B079D1E A0507C
  quit
license udi pid CISCO1921/K9 sn FTX19028499
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Test! address **.***.***.148
!
no crypto ipsec transform-set default
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 10 ipsec-isakmp
 set peer **.***.***.148
 set transform-set SET1
 match address VPN-Traffic
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Lan connection
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Wan Connection
 ip address dhcp client-id GigabitEthernet0/1 hostname router1
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
 no mop enabled
 crypto map MAP
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1/1
 no ip address
 shutdown
!
interface GigabitEthernet0/1/2
 no ip address
 shutdown
!
interface GigabitEthernet0/1/3
 no ip address
 shutdown
 no mop enabled
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 88
 network 192.168.3.0
 redistribute static
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.3.2 80 interface GigabitEthernet0/1 8080
ip nat inside source list NO-NAT interface GigabitEthernet0/1 overload
ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip access-list extended NO-NAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended VPN-Traffic
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 10 permit 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 30 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp peer 0.us.pool.ntp.org prefer version 2
!
end
Remote-Office
Current configuration : 4698 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Remote-Office
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
no aaa new-model
clock timezone Central -6 0
clock summer-time Central date Mar 10 2019 2:00 Nov 3 2019 2:00
!
ip domain name router.com
ip name-server 1.1.1.1
ip name-server 8.8.8.8
ip cef
login delay 10
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-33867
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-33867
 revocation-check none
 rsakeypair TP-self-signed-33867
!
crypto pki certificate chain TP-self-signed-33867
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333836 37333038 3437301E 170D3135 31313234 31383539
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33383637
  33303834 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A171 AC4C3272 C099FAC1 E2BFAE87 6AE98FC6 501F8762 6854A568 E5468FC4
  6C0C9CE2 92803015 E1CD271E E8BBA718 D5854377 AD8A42FC A5254A78 7EB08C41
  FA2F85BE 22FB5F86 6B3737E4 69ADAC05 86DAC773 68C43FAA E02277D3 36692AB1
  F3241936 5F117F48 7BC2AEDF 718064C6 1137CAF9 4E4E472F 93478198 74AD89D9
  F6AB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14949237 F6105BA9 0C1EC0D4 77875AEF 24470162 8E301D06
  03551D0E 04160414 949237F6 105BA90C 1EC0D477 875AEF24 4701628E 300D0609
  2A864886 F70D0101 05050003 81810020 51D914B3 C3312154 310905F7 8717287A
  9BAA8E24 3335AF40 4CB58722 586EEBE8 B8BDC6AA A9D0DE2D C13B439D F98208AA
  04A7FC55 84C7D5C5 808DA403 4BBA976A 0946091F 42694150 B5253088 068D563A
  A36696E6 34F1EDBC F9E7888B 58C4B0C0 7A328F1E E30C1A8F 74633CC2 6DA76599
  1FBC7767 B39CEF8D 1B079D1E A0507C
  quit
license udi pid CISCO1921/K9 sn FTX1811834U
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Test! address ***.***.**.131
!
no crypto ipsec transform-set default
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 10 ipsec-isakmp
 set peer ***.***.**.131
 set transform-set SET1
 match address VPN-Traffic
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Lan connection
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Wan Connection
 ip address dhcp client-id GigabitEthernet0/1 hostname Remote-Office
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
 no mop enabled
 crypto map MAP
!
router eigrp 88
 network 192.168.2.0
 network 192.168.3.0
 redistribute static
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.2.12 8080 interface GigabitEthernet0/1 8080
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list NO-NAT interface GigabitEthernet0/1 overload
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip access-list extended NO-NAT
 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended VPN-Traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
06-02-2019 11:53 PM
Hi there,
You have a redundant NAT statement which is preempting the NO-NAT statement. Run the following on both devices:
conf t
!
no ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
cheers,
Seb.
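The overlap Seb describes can be checked offline. The following is an added example, not code from this thread or from Cisco: it models the Main-Office NAT and ACL lines above as data, evaluates each `ip nat inside source list` ACL first-match (with the implicit deny), and then tests the crypto-map ACL against the post-NAT source, since on IOS inside-source NAT is applied before the crypto map is consulted. The WAN address is a constructed placeholder for the masked one, and treating "any permitting NAT ACL translates the packet" is a simplifying assumption of this model.

```python
import ipaddress

# Constructed from the Main-Office config in this thread.
# Each ACL entry: (action, source network, destination network); "any" -> 0.0.0.0/0.
ACLS = {
    "10": [("permit", "192.168.3.0/24", "0.0.0.0/0")],
    "NO-NAT": [
        ("deny", "192.168.3.0/24", "192.168.2.0/24"),
        ("permit", "192.168.3.0/24", "0.0.0.0/0"),
    ],
    "VPN-Traffic": [("permit", "192.168.3.0/24", "192.168.2.0/24")],
}

def acl_permits(acl, src, dst):
    """First-match evaluation of a Cisco extended ACL with the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def nat_translates(nat_lists, acls, src, dst):
    """Assumption of this model: the packet is translated if ANY configured
    'ip nat inside source list' ACL permits it. A deny in NO-NAT only excludes
    that one statement; it does not protect the flow from access-list 10."""
    return any(acl_permits(acls[name], src, dst) for name in nat_lists)

def tunnel_selected(nat_lists, acls, src, dst, wan_ip):
    """The crypto-map ACL sees the source AFTER inside-source NAT, so a
    translated packet carries the WAN address and no longer matches VPN-Traffic."""
    effective_src = wan_ip if nat_translates(nat_lists, acls, src, dst) else src
    return acl_permits(acls["VPN-Traffic"], effective_src, dst)

BEFORE_FIX = ["10", "NO-NAT"]   # both overload statements present
AFTER_FIX = ["NO-NAT"]          # after "no ip nat inside source list 10 ..."
WAN_IP = "203.0.113.5"          # constructed placeholder for the masked WAN address

if __name__ == "__main__":
    for label, lists in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label,
              "LAN->LAN translated:", nat_translates(lists, ACLS, "192.168.3.10", "192.168.2.10"),
              "matches crypto ACL:", tunnel_selected(lists, ACLS, "192.168.3.10", "192.168.2.10", WAN_IP),
              "LAN->Internet translated:", nat_translates(lists, ACLS, "192.168.3.10", "8.8.8.8"))
```

On the live router the same question is answered by `sh ip nat trans` and the crypto-map counters in `sh crypto ipsec sa`: a translation entry for a 192.168.3.x to 192.168.2.x flow means the NAT exemption is not taking effect.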
06-03-2019 10:16 AM
I removed the access-list 10 entry and I am still not able to ping the remote site from the Main router. Am I missing something else that might be keeping the LAN traffic from going across the VPN?
06-04-2019 12:05 AM
Just to clarify, you removed that NAT statement from both routers?
cheers,
Seb.
06-04-2019 08:54 AM
Yes, the nat inside source list 10 has been removed and the nat inside list NO-NAT still remains.
06-05-2019 12:05 AM
Hi there,
From both routers, can you share the output of:
sh crypto ipsec sa
sh ip nat trans
sh ip nat stats
cheers,
Seb.