Site to site VPN - can't see host

Hi all,

Site-to-site VPN is established by Cisco 887 (PPPoE) on both sites. The tunnel is UP.

From the staff PC (192.168.5.33) I can ping 60.a.a.54.

But I can't ping the inside interface (192.168.0.1).

I need to access the Server (192.169.0.150) from site B.

How can I ping/access the Server (192.169.0.150) from the staff PC (192.168.5.33)?

Please see the attachment for the network diagram and the conf for the ASA 5510 at Site A and Site B.


Jennifer Halim
Cisco Employee

Apologies, but how is the tunnel UP when there is no crypto site-to-site VPN configuration at all? You might have attached the incorrect configuration to the post.

Hi Jennifer,

I'm using PPPoE and the Cisco 887 acts as an ADSL modem.

Right now I don't have the config of the Cisco 887.

But the tunnel is up.

I managed to ping each other's devices up to the outside interface only.

It's not quite a VPN tunnel, and the reason you can ping the outside interface of each device is that they are public IP addresses that are routable on the Internet. That is why you can ping the outside interface of those devices.

To be able to access hosts behind the devices, you would either need to NAT them to a public IP address and access those hosts with their public IP address, or configure a site-to-site VPN tunnel.

Based on your current configuration, you haven't configured a site-to-site VPN tunnel yet.

Hi Jennifer,

The Cisco 887 GUI (Cisco CP) shows that the tunnel is up.

These are my findings:

If I bring down the tunnel, I can't ping the outside interface of the ASA.

If I bring the tunnel back up, only then can I ping the outside interface.

I can ping the public IPs 60.a.a.53 and 218.b.b.233 from anywhere.

But I can only ping 60.a.a.54 and 218.b.b.234 from inside the environment when the tunnel is up.

I just want to know how to route both internal IP addresses so they know each other.

Not quite sure what tunnel it is showing as up, but can you share the output of:

sh cry isa sa

sh cry ipsec sa

from the 887 router when the tunnel is UP.

Based on the configuration that you posted, there is no VPN configuration, so even though the tunnel is showing UP, I'm not quite sure what tunnel is UP, as it is definitely not a VPN tunnel because there is no crypto configuration.

Hi Jennifer,

Attached is the conf for the Cisco 887 at site A:

-------------------------------------------------------

kewpie-mlk#sh run

Building configuration...

Current configuration : 6877 bytes

!

! Last configuration change at 02:26:00 UTC Mon Sep 26 2011 by nec

! NVRAM config last updated at 02:26:02 UTC Mon Sep 26 2011 by nec

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service sequence-numbers

!

hostname kewpie-mlk

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$zrgO$UTdQAb.LzJq9y7n22R/Th/

!

no aaa new-model

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-2510246803

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2510246803

revocation-check none

rsakeypair TP-self-signed-2510246803

!

!

crypto pki certificate chain TP-self-signed-2510246803

certificate self-signed 01


      quit

ip source-route

!

!

ip dhcp excluded-address 60.a.a.53

!

ip dhcp pool ccp-pool1

   import all

   network 60.a.a.52 255.255.255.252

   dns-server 202.188.0.133 8.8.8.8

   default-router 60.a.a.53

!

!

ip cef

ip domain name yourdomain.com

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

!

license udi pid CISCO887-K9 sn FGL152827A7

!

!

username nec privilege 15 secret 5 $1$ludy$bhR/Z7LEe3.L4d.ZK/aT30

username test secret 5 $1$1WcH$zyEruqlm/ui/XFTscMBvD.

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key kewpievpn address 218.b.b.233

crypto isakmp key kewpievpn address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

match address 103

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to218.b.b.233

set peer 218.b.b.233

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

!

interface BRI0

no ip address

ip flow ingress

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface ATM0

no ip address

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

ip flow ingress

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 60.a.a.53 255.255.255.252

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip flow ingress

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname kewpi@tmnet

ppp chap password 0 qqqqq

ppp pap sent-username kewpi@tmnet password 0 qqqqq

no cdp enable

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 60.a.a.52 0.0.0.3

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 60.a.a.0 0.0.0.255 218.b.b.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 60.a.a.0 0.0.0.255 218.b.b.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 60.a.a.52 0.0.0.3 any

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101
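As an added example (not code from the thread, from Cisco, or from the poster), here is a small Python check of the crypto map chain in the 887 config above: it resolves the crypto map's `match address` ACL and evaluates whether a given source/destination pair is "interesting traffic" that the map would encrypt. The page anonymises the public addresses as 60.a.a.x and 218.b.b.x, so the sample substitutes 0 for the a/b octets (an assumption, not the real values).

```python
import ipaddress
import re

# Constructed sample: the IPsec lines of the Cisco 887 config posted above. The
# page anonymises 60.a.a.x / 218.b.b.x; a and b are set to 0 here only so the
# addresses parse (an assumption, not the real values).
IOS_CONFIG = """crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 218.0.0.233
 match address 100
access-list 100 permit ip 60.0.0.0 0.0.0.255 218.0.0.0 0.0.0.255
access-list 101 deny   ip 60.0.0.0 0.0.0.255 218.0.0.0 0.0.0.255
access-list 101 permit ip 60.0.0.52 0.0.0.3 any
"""

def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    # 'host A' is A with wildcard 0.0.0.0; IOS wildcard bits are an inverted netmask.
    addr, wc = (tokens[1], "0.0.0.0") if tokens[0] == "host" else tokens[:2]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wc)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False), tokens[2:]

def parse_acl(config, number):
    """Ordered (action, src_net, dst_net) entries of a numbered 'ip' ACL."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2:4] not in (["permit", "ip"], ["deny", "ip"]):
            continue  # remarks, other protocols, unrelated lines
        src, rest = _operand(t[4:])
        dst, _ = _operand(rest)
        aces.append((t[2], src, dst))
    return aces

def acl_decision(config, number, src_ip, dst_ip):
    """First-match evaluation; None means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in parse_acl(config, number):
        if s in src_net and d in dst_net:
            return action
    return None

def crypto_acl(config, map_name):
    """ACL number from 'match address' under the named crypto map entry."""
    pat = r"^crypto map %s .*\n(?: .*\n)*? match address (\d+)" % re.escape(map_name)
    m = re.search(pat, config, re.M)
    return int(m.group(1)) if m else None

def is_interesting(config, map_name, src_ip, dst_ip):
    """True if the crypto map would send src->dst into the IPsec tunnel."""
    return acl_decision(config, crypto_acl(config, map_name), src_ip, dst_ip) == "permit"
```

Run against the posted lines, the inside pair 192.168.5.33 to 192.168.0.1 matches nothing in ACL 100, which covers only the two public /24s, so this crypto map would never carry the LAN-to-LAN traffic the question is about; whichever device terminates the tunnel needs an interesting-traffic ACL that lists the LAN subnets.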

Dear all,

Have any idea about this?

Maybe I am wrong, but I do not see a purpose for a tunnel between your c887 routers. Instead, you need a tunnel between your ASA routers.

Hi,

The tunnel is now up and running.

The Cisco 887 acts as an ADSL modem and the ASA 5510 does the tunneling.

TQ all.