04-24-2010 09:01 AM
Hi
I have set up a site-to-site VPN. The local network is 192.168.48.0, with a public address on an 877w...
The other site has a Netgear FS338. Its local network is 192.168.100.0, with a public address.
My problem is that I have the 877w ONLINE and can ping the other end's public address, but not the remote hosts on the far side of the other network.
Here is the actual config... I changed only the public address and the username and password...
Router#sh run
Building configuration...
Current configuration : 4980 bytes
!
! Last configuration change at 14:38:54 PCTime Sat Apr 24 2010 by ccna23
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1704409952
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1704409952
revocation-check none
rsakeypair TP-self-signed-1704409952
!
!
crypto pki certificate chain TP-self-signed-1704409952
certificate self-signed 01
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.47.1 192.168.47.99
ip dhcp excluded-address 192.168.47.151 192.168.47.254
ip dhcp excluded-address 192.168.48.151 192.168.48.254
ip dhcp excluded-address 192.168.48.1 192.168.48.99
!
ip dhcp pool ccp-pool1
network 192.168.48.0 255.255.255.0
default-router 192.168.48.1
dns-server 194.75.33.166 194.75.33.166
!
!
ip name-server 194.75.33.166
ip name-server 194.75.33.166
!
!
!
username ccna23 privilege 15 secret 5 $1$h3P5$9INCksY0V7njBqndDZaSX.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key tgh100wig8 address 194.75.33.5
!
crypto ipsec security-association lifetime seconds 57600
!
crypto ipsec transform-set international esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.75.33.5
set peer 194.75.33.5
set transform-set international
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback1
ip address 192.168.48.10 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.48.1 255.255.255.0
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
ip address 194.75.45.211 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ccna23
ppp chap password 0 ccna23
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.100.0 255.255.255.0 195.72.33.5
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 100 remark CCP_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.48.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
alias exec s sh ip int brief
alias exec C copy r s
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
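The config above relies on a classic pairing: the crypto ACL (101) selects LAN-to-LAN traffic for the tunnel, and the NAT route-map's ACL (100) must deny that same traffic so it is not overloaded to the Dialer0 address before the crypto map sees it. The following checker is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted config and reports any crypto-ACL flow that the NAT ACL fails to exempt.

```python
import re
# Constructed excerpt of the 877w running-config posted above (certificate omitted).
GOOD_CFG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.75.33.5
 match address 101
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 deny ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.48.0 0.0.0.255 any
access-list 101 permit ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""
# Same excerpt minus the NAT-exemption deny: LAN-to-LAN traffic would be NATed and miss the crypto ACL.
BAD_CFG = GOOD_CFG.replace(
    "access-list 100 deny ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255\n", "")

def _endpoint(tok, i):
    """One ACL endpoint: 'any' or 'addr wildcard'. Returns (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_acls(cfg):
    """{acl_number: [(action, src, dst), ...]} for extended 'access-list N ... ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[3] == "ip":
            src, i = _endpoint(tok, 4)
            dst, _ = _endpoint(tok, i)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def _acl_in_block(cfg, header_re, match_re):
    """ACL number named by a 'match ...' line inside the block opened by header_re."""
    in_block = False
    for line in cfg.splitlines():
        if re.match(header_re, line):
            in_block = True
        elif in_block and (m := re.match(match_re, line.strip())):
            return m.group(1)
        elif in_block and not line.startswith(" "):
            in_block = False  # left the indented block without finding a match line
    return None

def unexempted_flows(cfg):
    """Crypto-ACL (src, dst) pairs that the NAT route-map's ACL does not deny (empty = OK)."""
    acls = parse_acls(cfg)
    crypto_acl = _acl_in_block(cfg, r"^crypto map \S+ \d+ ipsec-isakmp", r"match address (\d+)")
    rmap = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M).group(1)
    nat_acl = _acl_in_block(cfg, rf"^route-map {re.escape(rmap)} permit", r"match ip address (\d+)")
    exempt = {(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"}
    return [(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit" and (s, d) not in exempt]
```

Running it on the posted config returns an empty list; on the variant without the deny it names the 192.168.48.0 to 192.168.100.0 flow that would be NATed instead of encrypted.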
04-24-2010 09:12 AM
Hi,
You seem to have the VPN configuration in place on the Cisco router.
Try to PING an available IP on the remote site from the 877w like this:
ping 192.168.100.x source 192.168.48.1
Check if that brings up the tunnel with the commands:
sh cry isa sa
sh cry ips sa
If you don't get a reply, you can enable the debugs to see what's happening:
debug cry isa
debug cry ips
I notice that you have a loopback belonging to the 192.168.48.x/24 network as well; is this for any particular reason?
04-24-2010 09:43 AM
Hi
Thanks for the reply... here is the outcome. Do you think it has to do with NAT or the CLI, or is it because VLAN1 shows it is down?
Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
ATM0.1 unassigned YES unset up up
Dialer0 194.72.45.211 YES TFTP up up
Dot11Radio0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset up down
Loopback1 192.168.48.10 YES manual up up
NVI0 194.72.45.211 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.48.1 YES TFTP administratively down down
Router#sh int vlan1
Vlan1 is administratively down, line protocol is down
Hardware is EtherSVI, address is 0064.400f.901b (bia 0064.400f.901b)
Internet address is 192.168.48.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 1d00h, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
117855 packets input, 10835039 bytes, 0 no buffer
Received 1043 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
178127 packets output, 239073822 bytes, 0 underruns
0 output errors, 2 interface resets
418 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router#sh int vlan1 summary
*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count
Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
------------------------------------------------------------------------
Vlan1 0 0 0 0 0 0 0 0 0
Router#sh int vlan1 status
Router#ping 192.168.100.223 source 192.168.48.1
% Invalid source address- IP address not on any of our up interfaces
Router#
I created the loopback address for testing only, when I was on the LAN.
04-24-2010 09:48 AM
I did not notice that from the original configuration.
VLAN 1 needs to be up in order for the tunnel to be established.
Try it and let us know.
Federico.
04-24-2010 10:08 AM
Thanks for your help. I have issued no shut on vlan1 but I notice the protocol is down!!!... Also, when I ping the other end as you said, I get no reply :-(
Router#s
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
ATM0.1 unassigned YES unset up up
Dialer0 194.72.45.211 YES TFTP up up
Dot11Radio0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset up down
Loopback1 192.168.48.10 YES manual administratively down down
NVI0 194.72.45.211 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.48.1 YES TFTP administratively down down
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int vlan1
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#exit
Router#s
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
ATM0.1 unassigned YES unset up up
Dialer0 194.72.45.211 YES TFTP up up
Dot11Radio0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset up down
Loopback1 192.168.48.10 YES manual administratively down down
NVI0 194.72.45.211 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.48.1 YES TFTP up down
Router#ping 192.168.100.x source 192.168.48.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
Packet sent with a source address of 192.168.48.x
.....
Success rate is 0 percent (0/5)
Router#
04-24-2010 10:14 AM
You have turned VLAN1 interface up, but the protocol is still down.
This means that VLAN1 senses a physical connection, but no Layer 2 protocol is being established correctly.
What do you have connected to VLAN1?
What physical interface on the router is part of VLAN1 and is up/up and has a working device connected to it?
This means that you should be able to PING devices on 192.168.48.0/24 (the inside LAN of the router) from the router itself before being able to establish the tunnel to the remote site.
Federico.
04-24-2010 10:23 AM
Hi
Yes, I can ping inside the LAN, no problems. I had a PC connected directly with a dynamic IP for my initial configuration; right now that PC is OFF or shut down. Also, I am sure that if I add more clients I can ping them too.
I am telnetting from home to the 877w router.
My problem is that it can ping the other remote router's PUBLIC address but not hosts in the other LAN, 192.168.100.x.
04-24-2010 10:30 AM
OK, but to bring the VPN tunnel up, traffic needs to flow between 192.168.48.x and 192.168.100.x.
This means there's no way to establish the tunnel until you get VLAN1 up/up, because that's where 192.168.48.x resides.
If you want to test from the loopback (which has a 192.168.48.x address as well) that might be a test (since the loopbacks are always up).
Try adding the ip nat inside command to the loopback.
Federico.
04-24-2010 10:48 AM
Hi
Still no luck... I really have no idea what is wrong. It has become a nightmare.
Thanks once again.
04-24-2010 11:00 AM
Do the following:
Check which of the switchports on the router belong to VLAN1 (Fast0/1/2/3)
Check that the FastEthernet port where you have a device on the 192.168.48.x subnet connected is part of VLAN 1 and that the interface is up/up.
If this is the case, the interface VLAN1 should be up/up as well and you can bring up the tunnel.
In other words,
Until you have the interface VLAN1 and the Fast interface protocol down, you can't bring up the tunnel.
Federico.
04-24-2010 11:04 AM
Hi,
Thanks.
I will do that on Monday when I am near the router. I will keep you posted.
Have a nice weekend.
Regards,
04-24-2010 11:07 AM
By the way, which CLI command checks the state of the tunnel?
Thanks
04-24-2010 11:10 AM
sh cry isa sa --> will show the status of phase 1 (should be active or QM_IDLE)
sh cry ips sa --> will show the status of phase 2 (should see packets encrypted/decrypted)
Hope it helps.
Federico.
04-24-2010 11:23 AM
Thanks. This is the output of those two commands:
Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
195.72.33.5 195.72.45.211 QM_IDLE 2008 0 ACTIVE
IPv6 Crypto ISAKMP SA
===================================================
Router#sh cry ips sa
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 195.72.45.211
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer 194.72.33.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
#pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 194.72.45.211, remote crypto endpt.: 194.72.33.5
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x2246025(35938341)
inbound esp sas:
spi: 0x2111A9F3(554805747)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4556050/52688)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2246025(35938341)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4556049/52688)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: SDM_CMAP_1, local addr 195.72.45.211
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer 194.72.33.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
#pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 194.72.45.211, remote crypto endpt.: 194.72.33.5
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x2246025(35938341)
inbound esp sas:
spi: 0x2111A9F3(554805747)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4556050/52688)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2246025(35938341)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4556049/52688)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
04-24-2010 03:18 PM
Traffic shows flowing fine through the tunnel between the LAN networks.
What exactly can you not reach?
Federico.
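Federico's two checks (phase 1 should show QM_IDLE/ACTIVE, phase 2 should show encrypted and decrypted packet counts) and his reading of the output above can be scripted for monitoring. The following parser is an added example, not code from the thread or from Cisco; it takes constructed samples copied from the posted `sh cry isa sa` and `sh cry ips sa` output and decides whether the tunnel is up and passing traffic in both directions.

```python
import re
# Constructed samples, copied from the 'sh cry isa sa' / 'sh cry ips sa' output posted above.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.72.33.5     195.72.45.211   QM_IDLE           2008    0 ACTIVE
IPv6 Crypto ISAKMP SA
"""
IPSEC_SA = """\
interface: Dialer0
    #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
    #pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x2111A9F3(554805747)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x2246025(35938341)
        Status: ACTIVE
"""
SA_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)")

def phase1_sas(text):
    """(dst, src, state, status) per IPv4 ISAKMP SA row; QM_IDLE + ACTIVE means phase 1 is up."""
    return [m.groups() for line in text.splitlines() if (m := SA_ROW.match(line))]

def phase2_summary(text):
    """Per crypto-map interface: encaps/decaps counters, send/recv errors, ESP SA statuses."""
    out, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            cur = out.setdefault(s.split(":", 1)[1].strip(), {"esp_status": []})
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"Status: (\S+)", s):
            cur["esp_status"].append(m.group(1))
    return out

def tunnel_up(isakmp_text, ipsec_text):
    """Phase 1 QM_IDLE/ACTIVE and, per interface, ACTIVE inbound+outbound ESP SAs with traffic both ways."""
    p1 = any(st == "QM_IDLE" and ok == "ACTIVE" for _, _, st, ok in phase1_sas(isakmp_text))
    p2 = phase2_summary(ipsec_text)
    return p1 and bool(p2) and all(
        v.get("encaps", 0) > 0 and v.get("decaps", 0) > 0
        and len(v["esp_status"]) >= 2 and all(x == "ACTIVE" for x in v["esp_status"])
        for v in p2.values())
```

An empty ISAKMP table (the state the poster saw earlier, before VLAN1 was brought up) makes `tunnel_up` return False even if stale IPsec counters are present.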