09-23-2011 10:08 AM
Hi all,
Site-to-site VPN is established by Cisco 887 (PPPoE) on both sites. The tunnel is UP.
From the staff PC (192.168.5.33) I can ping 60.a.a.54.
But I can't ping the inside interface (192.168.0.1).
I need to access the Server (192.169.0.150) from site B.
How can I ping/access the Server (192.169.0.150) from the staff PC (192.168.5.33)?
Please see the attachment for the network diagram and conf for the ASA 5510 of Site A and Site B.
09-24-2011 04:14 AM
Apologies, but how is the tunnel UP, since there is no crypto site-to-site VPN configuration at all? You might have attached the incorrect configuration to the post.
09-24-2011 07:34 AM
Hi Jennifer,
I'm using PPPoE and the Cisco 887 acts as an ADSL modem.
Right now I don't have the config of the Cisco 887.
But the tunnel is up.
I managed to ping each other's devices up to the outside interface only.
09-24-2011 06:09 PM
It's not quite a VPN tunnel, and the reason why you can ping the outside interface of each device is because they are public IP addresses and are routable on the Internet. That is why you can ping the outside interface of those devices.
To be able to access hosts behind the devices, you would either need to NAT them to a public IP address and access those hosts with their public IP addresses, or configure a site-to-site VPN tunnel.
Based on your current configuration, you haven't configured a site-to-site VPN tunnel yet.
09-24-2011 09:36 PM
Hi Jennifer,
The Cisco 887 GUI (Cisco CP) shows that the tunnel is up.
These are my findings:
If I bring the tunnel down, I can't ping the outside interface of the ASA.
If I bring the tunnel back up, only then can I ping the outside interface.
I can ping the public IPs 60.a.a.53 and 218.b.b.233 from anywhere.
But I can only ping 60.a.a.54 and 218.b.b.234 inside the environment when the tunnel is up.
I just want to know how to route both internal IP addresses so they know each other.
09-25-2011 12:41 AM
Not quite sure what tunnel it is showing as up, but can you share the output of:
sh cry isa sa
sh cry ipsec sa
from the 887 router when the tunnel is UP.
Based on the configuration that you posted, there is no VPN configuration, so although the tunnel is showing UP, I'm not quite sure what tunnel is UP; it is definitely not a VPN tunnel, because there is no crypto configuration.
09-25-2011 08:53 PM
Hi Jennifer,
Attached is the conf for the Cisco 887 at site A:
-------------------------------------------------------
kewpie-mlk#sh run
Building configuration...
Current configuration : 6877 bytes
!
! Last configuration change at 02:26:00 UTC Mon Sep 26 2011 by nec
! NVRAM config last updated at 02:26:02 UTC Mon Sep 26 2011 by nec
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname kewpie-mlk
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$zrgO$UTdQAb.LzJq9y7n22R/Th/
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2510246803
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2510246803
revocation-check none
rsakeypair TP-self-signed-2510246803
!
!
crypto pki certificate chain TP-self-signed-2510246803
certificate self-signed 01
quit
ip source-route
!
!
ip dhcp excluded-address 60.a.a.53
!
ip dhcp pool ccp-pool1
import all
network 60.a.a.52 255.255.255.252
dns-server 202.188.0.133 8.8.8.8
default-router 60.a.a.53
!
!
ip cef
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FGL152827A7
!
!
username nec privilege 15 secret 5 $1$ludy$bhR/Z7LEe3.L4d.ZK/aT30
username test secret 5 $1$1WcH$zyEruqlm/ui/XFTscMBvD.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key kewpievpn address 218.b.b.233
crypto isakmp key kewpievpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 103
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to218.b.b.233
set peer 218.b.b.233
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
interface BRI0
no ip address
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 60.a.a.53 255.255.255.252
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname kewpi@tmnet
ppp chap password 0 qqqqq
ppp pap sent-username kewpi@tmnet password 0 qqqqq
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 60.a.a.52 0.0.0.3
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 60.a.a.0 0.0.0.255 218.b.b.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 60.a.a.0 0.0.0.255 218.b.b.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 60.a.a.52 0.0.0.3 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
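An added example, not part of any post in this thread: a small Python check of which flows the crypto ACL (`access-list 100`) in the configuration above would select for encryption. The redacted prefixes 60.a.a and 218.b.b are replaced by constructed stand-ins (203.0.113 and 198.51.100), the function names are hypothetical, and it assumes a flow between the inside addresses named in the thread would reach the router untranslated.

```python
import ipaddress

# ACL 100 as posted, with constructed stand-ins for the redacted octets:
# 60.a.a -> 203.0.113, 218.b.b -> 198.51.100
ACL_100 = [
    "access-list 100 remark CCP_ACL Category=4",
    "access-list 100 remark IPSec Rule",
    "access-list 100 permit ip 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255",
]

def ip(s):
    """Dotted quad to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD'.

    Remarks and other forms ('any', 'host', ports) are skipped (None).
    """
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list":
        return None
    if tok[2] not in ("permit", "deny") or tok[3] != "ip":
        return None
    return {"action": tok[2], "src": (tok[4], tok[5]), "dst": (tok[6], tok[7])}

def is_interesting(acl_lines, src, dst):
    """First match wins; no match is the implicit deny (not encrypted)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"] == "permit"
    return False

if __name__ == "__main__":
    flows = [
        ("203.0.113.54", "198.51.100.234"),  # ASA outside to ASA outside
        ("192.168.0.1", "192.168.5.33"),     # inside interface to staff PC
    ]
    for src, dst in flows:
        verdict = "encrypted" if is_interesting(ACL_100, src, dst) else "not selected"
        print(f"{src} -> {dst}: {verdict}")
```

Only the flow between the two outside-interface subnets is selected by the ACL; the inside-to-inside flow falls through to the implicit deny.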
09-27-2011 09:59 AM
Dear all,
Does anyone have any idea about this?
09-27-2011 10:19 AM
Maybe I am wrong, but I do not see a purpose for a tunnel between your c887 routers. Instead, you need a tunnel between your ASA routers.
10-01-2011 07:41 AM
Hi,
The tunnel is now up and running.
The Cisco 887 acts as an ADSL modem and the ASA 5510 does the tunneling.
TQ all.