cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
770
Views
0
Helpful
4
Replies

Need some advice regarding VPN between local Cisco router & remote Watchguard

eugene.ng
Level 1
Level 1

Hi all,

I'm trying to setup a Cisco 887 router to VPN to a watchguard device on the remote site.

From what i can gather, the VPN tunnel is UP. I can ping to the remote server on the 192.168.110.0 network but whenever i try to browse to it the on local server, it wouldn't work.

I can ping the remote server via IP address on the local server but not on the Cisco router. Is this working as intended?

--------------------------------------------------------------------------------------

R5Router#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

110.142.127.237 122.3.112.10    QM_IDLE           2045 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------------------

R5Router#sh crypto session

Crypto session current status

Interface: Virtual-Access2

Session status: DOWN

Peer: 122.3.112.10 port 500

  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0

        Active SAs: 0, origin: crypto map

Interface: Dialer0

Session status: UP-ACTIVE

Peer: 122.3.112.10 port 500

  IKEv1 SA: local 110.142.127.237/500 remote 122.3.112.10/500 Active

  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 2, origin: crypto map

  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0

        Active SAs: 0, origin: crypto map

1 Accepted Solution

Accepted Solutions

Crypto ACL 102, should really only include 1 line, ie:

10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255

and you should have mirror image ACL line on the remote end too.

Pls remove the rest of the ACL lines on ACL 102.

I assume that ACL 101 is the NAT exemption, if it is, pls include "deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255" on top of your current "permit" line.

Clear the tunnels as well as the NAT translation table after the above changes.

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

Can you please share the output of "show cry ipsec sa"

When you try to ping from the router, do you perform extended ping and sourcing it from the router LAN interface (and I assume that the LAN interface IP is part of the crypto ACL)?

Hi Jennifer,

Thanks for replying! I've tried them both and it didn't work either way. These are the output I've gained.

These are the access-lists being used.

------------------------------------------------------------------------------------------

Extended IP access list 101

    10 deny icmp 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255 echo (74466 matches)

    20 deny tcp 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255 (1469 matches)

    30 permit ip 192.168.0.0 0.0.0.255 any (86669 matches)

    40 permit tcp host 192.168.110.3 192.168.0.0 0.0.0.255

Extended IP access list 102

    10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255 (1754530 matches)

    20 permit tcp 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255

    30 permit icmp 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255 echo

    40 permit ip host (remotesiteip) 192.168.0.0 0.0.0.255

-------------------------------------------------

crypto map

---------------------------------------------------------------------------------------------

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel toRemote

set peer xxx.xxx.xxx.xxx

set transform-set ESP-SHA-AES256

match address 102

crypto map SDM_CMAP_1

crypto ipsec df-bit clear

----------------------------------------------------------------------------------------

This is the ip sec sa output

----------------------------------------------------------

R5Router#sh crypto ipsec sa

interface: Dialer0

    Crypto map tag: SDM_CMAP_1, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)

   current_peer xxx.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 74991, #pkts encrypt: 74991, #pkts digest: 74991

    #pkts decaps: 419639, #pkts decrypt: 419639, #pkts verify: 419639

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1300, ip mtu 1300, ip mtu idb Dialer0

     current outbound spi: 0x76202C9D(1981820061)

     PFS (Y/N): Y, DH group: group2

     inbound esp sas:

      spi: 0xBC56B1E1(3159798241)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 605, flow_id: Onboard VPN:605, sibling_flags 80000046, crypto m

ap: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (125266/1717)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x76202C9D(1981820061)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 606, flow_id: Onboard VPN:606, sibling_flags 80000046, crypto m

ap: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (125591/1717)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/1/0)

   remote ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/1/0)

   current_peer xxx.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1300, ip mtu 1300, ip mtu idb Dialer0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/6/0)

   remote ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/6/0)

   current_peer xxx.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1300, ip mtu 1300, ip mtu idb Dialer0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   current_peer xxx.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1300, ip mtu 1300, ip mtu idb Dialer0

     current outbound spi: 0x0(0)

------------------------------------------------------------------------------

Crypto ACL 102, should really only include 1 line, ie:

10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255

and you should have mirror image ACL line on the remote end too.

Pls remove the rest of the ACL lines on ACL 102.

I assume that ACL 101 is the NAT exemption, if it is, pls include "deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255" on top of your current "permit" line.

Clear the tunnels as well as the NAT translation table after the above changes.

thanks jennifer!