07-29-2012 10:21 AM
Hi there. I'm sure this comes up a lot, but I am tearing my hair out and don't have the required Cisco skills to troubleshoot this problem. I am hoping someone here may spot what is wrong in my configuration.
Using the Cisco Configuration Professional software I have created a site-to-site VPN connection (between a Cisco 1841 and 1811).
The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this, but I can't see what is wrong with them.
Just so you know, the 1841 device already has a functioning VPN tunnel to another site, in case that confuses anyone. The peers I am concerned about are 141.0.59.x and 109.238.78.x.
Many thanks.
07-29-2012 11:17 AM
Actually it may be working. I might be being a bit dense. I didn't consider which address my router was pinging from when I tested this. Fingers crossed, it looks like it's actually working.
07-29-2012 01:00 PM
Hello Haydn,
I just went through both configurations and they both look perfect (crypto ACLs, NAT, IPsec parameters, ISAKMP parameters, etc.).
Let me know if this is indeed working or if you need some assistance, as I will require you to run some debugs.
Regards,
Julio
Rate all the helpful posts
07-29-2012 03:43 PM
Hi there
I agree with Julio (5 stars), so far so good.
Let us know if you run into any issues.
Rate any post you find useful.
07-29-2012 03:52 PM
Thanks for the replies.
Seems there may still be some issues. Once this VPN connection is created, machines on the local subnets lose their ability to communicate with the internet. It seems they are only able to communicate over the local subnet and the site-to-site VPN.
Very odd.
I will have a chance to test it properly tomorrow, once I am onsite.
07-29-2012 10:45 PM
Hello Haydn,
On which router does that happen (users cannot communicate across the internet), so we can focus and work on that?
Regards
Julio
07-30-2012 02:04 AM
It appears to be happening on both the routers. I am going to double check this later tonight. Unfortunately, as one of the offices is live, I cannot play around with this during the day.
Many thanks again for your help.
07-29-2012 10:57 PM
Hey,
Your problem may be related to your routing table.
Looking at the config of the 1811 router, you have "ip route 0.0.0.0 0.0.0.0 141.0.59.x", which is correct for internet traffic.
Try pinging a public IP using the internal interface as source, like "ping 8.8.8.8 source FastEthernet1", and see if it works.
If it isn't the routing, I guess it will be an access list that you created while creating the VPN.
HTH,
Fabio
07-30-2012 05:27 AM
Hi,
I agree with Fabio.
The routing portion seems to be OK; unless I am overlooking something, it should be working fine.
Please try it and let me know.
07-30-2012 08:59 AM
Interestingly, I tried the site-to-site again today and the 1811 device could quite happily communicate over the VPN and over the WAN. Only the 1841 was having problems. Could you look at the configuration of the routing on the 1841 device? I didn't actually configure this one (it was originally managed by the ISP) and it all looks rather messy. Unfortunately the ISP now refuses to touch the thing, which is rather nightmarish.
07-30-2012 09:23 AM
Hi Haydn,
You have the following:
ip access-list extended port-forwards
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
Not sure why you have the whole network in there with the any keyword; you had better create a static one-to-one translation.
Could you please take it out and give it a try?
ip access-list extended port-forwards
no permit ip 192.168.1.0 0.0.0.255 any
Thanks in advance.
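To see exactly which flows the port-forwards ACL catches before and after the change suggested in the post above, here is an added Python example (not code from the thread or from Cisco) that implements IOS extended-ACL first-match semantics for "permit ip" / "deny ip" entries with wildcard masks, the implicit deny at the end, and the "any" and "host" keywords. The sample flows are constructed for illustration; the thread does not show where the port-forwards ACL is referenced (a NAT route-map or "ip nat inside source list"), so the evaluator only reports which flows each version of the ACL matches, not what the router then does with them.

```python
"""Added example (not from the thread): first-match evaluation of Cisco IOS
extended ACL entries of the form
    permit|deny ip <src> <src-wildcard>|any|host <a> <dst> <dst-wildcard>|any|host <b>
Used here to compare the original 'port-forwards' ACL from the thread with
the version proposed in the reply.  Flow samples are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int         # network address as an integer
    src_wild: int    # wildcard mask: bits set to 1 are "don't care"
    dst: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host <addr>' or '<addr> <wildcard>' starting at tokens[i].
    Returns (addr_int, wildcard_int, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block.  Lines that are
    not 'permit ip' / 'deny ip' entries (the name line, '!', blanks) are skipped;
    only the 'ip' protocol form is supported here."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, src_wild, i = _parse_addr(t, 2)
        dst, dst_wild, _ = _parse_addr(t, i)
        aces.append(Ace(t[0], src, src_wild, dst, dst_wild))
    return aces


def _matches(addr, wild, ip):
    # A wildcard mask is the inverse of a subnet mask: compare only the bits
    # whose wildcard bit is 0.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(aces, src_ip, dst_ip):
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for ace in aces:
        if _matches(ace.src, ace.src_wild, src_ip) and _matches(ace.dst, ace.dst_wild, dst_ip):
            return ace.action
    return "deny"


# The two versions of the ACL exactly as they appear in the thread.
ORIGINAL = """
ip access-list extended port-forwards
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
"""

PROPOSED = """
ip access-list extended port-forwards
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
"""

# Constructed sample flows: LAN host to the remote VPN LAN, LAN host to the
# internet, and a host on a subnet the ACL never names.
FLOWS = {
    "lan_to_vpn": ("192.168.1.10", "192.168.3.20"),
    "lan_to_internet": ("192.168.1.10", "8.8.8.8"),
    "other_subnet": ("10.0.0.5", "8.8.8.8"),
}


def compare(original=ORIGINAL, proposed=PROPOSED, flows=FLOWS):
    """Return {flow_name: (result_before, result_after)} for each sample flow."""
    before, after = parse_acl(original), parse_acl(proposed)
    return {name: (evaluate(before, s, d), evaluate(after, s, d))
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (b, a) in compare().items():
        print(f"{name:16s} original={b:7s} proposed={a}")
```

The output shows the point of the deny-before-permit ordering: traffic to the remote VPN subnet is excluded by the first entry in both versions, while the original "permit ... any" line matches every other flow from 192.168.1.0/24, and removing it leaves the ACL matching nothing at all (implicit deny). Whether that is what the router needs depends on the NAT statement that references the ACL, which the thread does not show.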
07-30-2012 09:58 AM
You sir are a gentleman and a scholar. I think I want to have your babies.
I will mark yours as the answer in a few minutes, once I know I'm not seeing things.
07-30-2012 11:07 AM
Wow what a nice comment!!! :$ hahaha
Feel free to count on us at any time ;-)
Take care