Site to Site vpn with cisco 877 not working - please help.

moonah235
Level 1

Hi,

I've set up a site-to-site VPN from our head office firewall (Checkpoint) to a new remote office (877).  I'm able to ping from head office to the LAN IP of the 877 and from the LAN IP of the 877 to any IP address in head office.  However, I'm unable to ping to or from any other IP address on the 877 LAN.  I can see the tunnel being established from Checkpoint to the 877 when pinging from head office.  When pinging from a PC on the 877 LAN to head office there is no attempt to initiate the tunnel.  Traceroute from the PC doesn't even get a first hop response from 172.18.0.1, the 877's IP.

This is the first VPN I have configured on a Cisco box; my background is Checkpoint, so I'm sure I'm making a very simple mistake.  Any time you could take to look over this issue would be greatly appreciated.

I've reconfigured the router many times now and also used CCP and still get the same issue.  Please see config below:

172.28.0.0/16 <--->(checkpoint)<--->Internet<--->(877)<--->172.18.0.0/24

access-list 150 remark ACL - Vpn
access-list 150 permit ip 172.18.1.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 150 permit ip 172.28.1.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 151 remark ACL - NAT Route Map
access-list 151 deny ip 172.18.1.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 151 permit ip 172.18.1.0 0.0.0.255 any
route-map RMAP1 permit 1
 match ip address 151
ip nat inside source route-map RMAP1 interface Dialer0 overload
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key blahblahblah address 214.43.50.28
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CMAP1 1 ipsec-isakmp
 description Tunnel to HeadOffice
 set transform-set ESP-3DES-SHA
 set peer 214.43.50.28
 match address 150
 exit

5 Replies

Jennifer Halim
Cisco Employee

Can you please share the rest of the router config? Are there any interface ACLs that might be blocking the connection? Is there any zone-based firewall configured? Are you running any routing protocols that might not have the remote LAN routed correctly?

Have you tried to ping from the router towards the Check Point LAN sourcing the ping from the router LAN interface?

One minor subnet issue, on your topology you have 172.18.0.0/24, however on your ACL150 and 151, you have 172.18.1.0/24. Can you please confirm whether it is 172.18.0.0/24 or 172.18.1.0/24?

Hi Jennifer, thanks for getting back to me.

Will dig out the full config now.  The subnet is 172.18.1.0/24 and I am able to successfully ping any IP address on the head office network using the 877's LAN IP of 172.18.1.1.

172.18.0.0/24 is a typo and does not actually appear in the router config.  There are no interface ACLs, routing protocols or zone-based firewalls (yet) in use.

Starting to make more sense.  While getting the config onto a test router I noticed the VPN works fine until I create the route-map.  As soon as I delete the route-map and clear the translations it works fine.

Is there something wrong with the configuration of the route map?

route-map RMAP1 permit 1
 match ip address 151
ip nat inside source route-map RMAP1 interface Dialer0 overload
access-list 151 remark ACL - NAT Route Map
access-list 151 deny ip 172.18.1.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 151 permit ip 172.18.1.0 0.0.0.255 any

OK, got it now:

route-map nonat permit 10
 match ip address 151
ip nat inside source route-map nonat interface Dialer0 overload

You can configure the "route-map" method, or you can simply just assign ACL directly to the NAT statement as follows:

ip nat inside source list 151 interface Dialer0 overload

"route-map" is typically used if you have more than 1 different route-map policy for NAT statement. If you just have 1 ACL, it's much simpler to just assign the ACL to the NAT statement.

Glad to hear it's working now. Please kindly mark the post as answered so others can learn if you have no further question. Thank you.
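
An added example, not part of the original thread and not a Cisco tool: a small Python check that the NAT ACL denies (exempts) every flow the crypto ACL protects before any broader permit translates it, which is the pattern ACL 150 and ACL 151 above rely on. The function names are hypothetical, and it assumes numbered extended "ip" ACEs with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample: the ACL lines as posted in the thread.
SAMPLE_CONFIG = """\
access-list 150 permit ip 172.18.1.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 150 permit ip 172.28.1.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 151 deny ip 172.18.1.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 151 permit ip 172.18.1.0 0.0.0.255 any
"""

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")

def _take(tokens):
    """Pop one address spec ('any', 'host A' or 'A WILDCARD') off the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            tokens = m.group(3).split()
            src = _take(tokens)
            dst = _take(tokens)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def nat_action(nat_acl, src, dst):
    """First ACE that fully covers src -> dst wins; implicit deny at the end."""
    for action, a_src, a_dst in nat_acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
    return "deny"

def unexempted_flows(config, crypto_acl, nat_acl, inside_net):
    """Crypto-ACL permits sourced from the inside LAN that NAT would translate."""
    acls = parse_acls(config)
    inside = ipaddress.ip_network(inside_net)
    return [(str(s), str(d)) for act, s, d in acls.get(crypto_acl, [])
            if act == "permit" and s.subnet_of(inside)
            and nat_action(acls.get(nat_acl, []), s, d) == "permit"]
```

An empty list from unexempted_flows(SAMPLE_CONFIG, "150", "151", "172.18.1.0/24") means no VPN-bound flow from the LAN is caught by the overload NAT rule; any entry returned is a source/destination pair that would be translated before it can match the crypto map.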