cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2339
Views
0
Helpful
4
Replies

Nat IP can't ping VPN IP Cisco Configuration Professional

softimpera
Level 1
Level 1

Hello,

I configured a VPN site to site through an Cisco 891 and Lynksys RV042: Followed this steps:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

The VPN works only for computers without NAT .

I asked already for help for a big company (Cisco Professionals) from my town and they didn't solve my problem .

How can I solve that ?

Network 1 - Cisco Router

Local : 192.168.1.0

WAN: 188.xx.xxx.157

NAT: 86.xx.xx.148 , 192.168.1.4

NAT: 86.xx.xx.150 , 192.168.1.2

Network2 - Lynksys Router

Local: 192.168.2.0

WAN: 82.xx.xx.180

NO NAT

Ping Works for 192.168.1.5 and 192.168.2.2, etc

Ping is not working with : 192.168.1.2 and 192.168.2.2

Thank's

4 Replies 4

softimpera
Level 1
Level 1

My cisco configuration is:

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname hostrtr

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$BQHg$S45Vcx456HPc567gLfF.

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authorization exec local_author local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone PCTime 2

clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00

!

crypto pki trustpoint TP-self-signed-41548103

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-41548103

revocation-check none

rsakeypair TP-self-signed-41548103

!

crypto pki trustpoint tti

revocation-check crl

rsakeypair tti

!

!

crypto pki certificate chain TP-self-signed-41548103

certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34313534 38313033 301E170D 31323038 31373136 35343034

  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53

  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343135 34383130

  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100DB8B

  4231D71B C54A58A7 65481793 E2D38810 7AAD2221 12B350FA A5E65185 7697598E

  15A8D708 13D27B05 855698C1 8F92C8FD 72E45F3E 6AA12B6A 0D287F40 29A32CA2

  006242C4 D118C7FB 8DE4703D 97F8A28D 1AE85FF1 2C5571DD 3F3904E2 95501C43

  DAA5214A 84A74DD7 1507E056 AD68EA40 DB8FA15B 89B8EF72 584689D9 83350203

  010001A3 7B307930 0F060355 1D130101 FF056530 030101FF 30260603 551D1104

  1F301D82 1B686F73 74696D70 65726172 74722E68 6F737469 6D706572 612E726F

  301F0603 551D2304 18304580 142ADF5D C3F92C47 93A0EB00 678B7A18 D5EE6E6A

  13301D06 03551D0E 04160414 2ADF5DC3 F92C4793 A0EB0067 8B7A18D5 EE6E6A13

  300D0609 2A864886 F70D0101 04050003 8181009D 6BF1C560 C8844DC2 6804F39C

  E9CEB0F3 21603F50 D88EF8F1 FE380BD3 8990DD77 600BEBED 35DF4AD8 5F9E14B6

  E16BFE5F 04372633 26EF70E3 493FE4C0 57C1014F 5A876714 029C4B93 AD9C6546

  B1E2E8C7 27009C19 0A9D963B 9DEA5689 52E62658 6A555CAF B71EA0C6 EEABC056

  ADFF6837 1F7984A2 2CAEC2EC 060BADB7 36F027

      quit

crypto pki certificate chain tti

no ip source-route

!

!

ip dhcp excluded-address 192.168.1.101 192.168.1.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.1.0 255.255.255.0

   dns-server 193.xxx.xxx.1 213.xxx.xxx.1

   default-router 192.xxx.1.1

!

ip dhcp pool calcwork2

   host 192.168.1.2 255.255.255.0

   client-identifier 01d4.ae34.8989.3f

!

ip dhcp pool calcWork1

   host 192.168.1.4 255.255.255.0

   client-identifier 01b8.ac34.9787.df

!

!

ip cef

no ip bootp server

ip domain name hsdfra.com

ip name-server 193.xxx.xxx.1

ip name-server 213.xxx.xxx.1

ip ips config location flash:/IPS retries 1

ip ips notify SDEE

ip ips name sdm_ips_rule

!

ip ips signature-category

  category all

   retired true

  category ios_ips advanced

   retired false

!

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO891-K9 sn FCZ4dfgC45X

!

!

username admin privilege 15 secret 5 $1$AJNK$v34NddggdfQSPJ715e20

!

crypto key pubkey-chain rsa

named-key realm-cisco.pub

  key-string

   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16

   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128

   B199ABCB D34ED0F9 085FADC1 359C567E F30AF10A C0EFB624 7E0764BF 3E53053E

   5B2146A9 D7A5EDE3 02945673 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35

   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85

   50437722 FFBE85B9 5E4189FF CC189CB9 69C4678C A84DFBA5 7A0AF99E AD768C36

   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE

   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B012D3

   F3020301 0001

  quit

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 105

class-map type inspect match-all sdm-cls-VPNOutsideToInside-3

match access-group 110

class-map type inspect match-all sdm-cls-VPNOutsideToInside-2

match access-group 108

class-map type inspect match-all sdm-cls-VPNOutsideToInside-5

match access-group 114

class-map type inspect match-all sdm-cls-VPNOutsideToInside-4

match access-group 112

class-map type inspect match-all sdm-cls-VPNOutsideToInside-7

match access-group 118

class-map type inspect match-all sdm-cls-VPNOutsideToInside-6

match access-group 116

class-map type inspect match-all sdm-cls-VPNOutsideToInside-9

match access-group 122

class-map type inspect match-all sdm-cls-VPNOutsideToInside-8

match access-group 120

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 104

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all sdm-nat--1

match access-group 101

class-map type inspect match-all sdm-nat--2

match access-group 102

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-all sdm-cls-VPNOutsideToInside-10

match access-group 124

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat--1

  inspect

class type inspect sdm-nat--2

  inspect

class type inspect CCP_PPTP

  pass

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class type inspect sdm-cls-VPNOutsideToInside-3

  inspect

class type inspect sdm-cls-VPNOutsideToInside-4

  inspect

class type inspect sdm-cls-VPNOutsideToInside-5

  inspect

class type inspect sdm-cls-VPNOutsideToInside-6

  inspect

class type inspect sdm-cls-VPNOutsideToInside-7

  inspect

class type inspect sdm-cls-VPNOutsideToInside-8

  inspect

class type inspect sdm-cls-VPNOutsideToInside-9

  inspect

class type inspect sdm-cls-VPNOutsideToInside-10

  inspect

class class-default

  drop log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class class-default

  drop

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

authentication pre-share

group 2

crypto isakmp key keyshared1 address 82.xx.xx.180

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac

crypto ipsec transform-set Cisco esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to82.xx.xx.180

set peer 82.xx.xx.180

set transform-set ESP-3DES-SHA5

match address 115

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description Tunnel to82.xx.xx.180

set peer 82.xx.xx.180

set transform-set ESP-3DES-SHA7

match address 121

!

crypto map SDM_CMAP_3 1 ipsec-isakmp

description Tunnel to82.xx.xx.180

set peer 82.xx.xx.180

set transform-set ESP-3DES-SHA8

match address 123

!

!

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

!

!

interface GigabitEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address 188.xx.xxx.157 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip ips sdm_ips_rule in

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_3

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip ips sdm_ips_rule out

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

!

ip forward-protocol nd

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

ip nat inside source static 192.168.1.4 86.xx.xx.148

ip nat inside source static 192.168.1.2 86.xx.xx.150

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

logging trap debugging

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.1.0 0.0.0.255

access-list 2 deny   any

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 188.xx.xx.128 0.0.0.127 any

access-list 101 remark CCP_ACL Category=0

access-list 101 permit ip any host 192.168.1.2

access-list 102 remark CCP_ACL Category=0

access-list 102 permit ip any host 192.168.1.4

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host 82.xx.xx.180 any

access-list 105 remark CCP_ACL Category=0

access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 106 remark CCP_ACL Category=2

access-list 106 remark IPSec Rule

access-list 106 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 106 permit ip 192.168.1.0 0.0.0.255 any

access-list 107 remark CCP_ACL Category=4

access-list 107 remark IPSec Rule

access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 108 remark CCP_ACL Category=0

access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 109 remark CCP_ACL Category=4

access-list 109 remark IPSec Rule

access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 110 remark CCP_ACL Category=0

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 remark CCP_ACL Category=4

access-list 111 remark IPSec Rule

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 112 remark CCP_ACL Category=0

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 113 remark CCP_ACL Category=4

access-list 113 remark IPSec Rule

access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 114 remark CCP_ACL Category=0

access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 115 remark CCP_ACL Category=4

access-list 115 remark IPSec Rule

access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 116 remark CCP_ACL Category=0

access-list 116 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 117 remark CCP_ACL Category=4

access-list 117 remark IPSec Rule

access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 118 remark CCP_ACL Category=0

access-list 118 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 119 remark CCP_ACL Category=4

access-list 119 remark IPSec Rule

access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 remark CCP_ACL Category=0

access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 121 remark CCP_ACL Category=4

access-list 121 remark IPSec Rule

access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 122 remark CCP_ACL Category=0

access-list 122 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 123 remark CCP_ACL Category=4

access-list 123 remark IPSec Rule

access-list 123 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 124 remark CCP_ACL Category=0

access-list 124 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 106

!

!

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login authentication local_authen

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

login authentication local_authen

transport output telnet

line vty 0 4

authorization exec local_author

login authentication local_authen

length 0

transport input telnet ssh

line vty 5 15

authorization exec local_author

login authentication local_authen

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Here is what you would need to configure:

access-list 130 deny ip host 192.168.1.4 192.168.2.0 0.0.0.255

access-list 130 permit ip host 192.168.1.4 any

access-list 131 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255

access-list 131 permit ip host 192.168.1.2 any

route-map nonat4 permit 10

   match ip address 130

route-map nonat2 permit 10

   match ip address 131

no ip nat inside source static 192.168.1.4 86.xx.xx.148

no ip nat inside source static 192.168.1.2 86.xx.xx.150

ip nat inside source static 192.168.1.4 86.xx.xx.148 route-map nonat4

ip nat inside source static 192.168.1.2 86.xx.xx.150 route-map nonat2

Then "clear ip nat trans *" after the above changes.

That should resolve your issue.

Thank's for you answer.

I will try this, but I must log to console (it is difficult for me)

Do you know how to do this with cisco configuration professional ?

Thank's

apologize, but i don't have access to CCP handy to show you the configuration via CCP.

Try to telnet to the router and configure it via CLI.