SR520 to SR520W Site-to-Site VPN services problem

malough_j
Level 1

I have established an IPsec tunnel successfully and can ping devices both ways; but when trying to connect to servers from one site to the other, it cannot, for whatever reason.

For Example:

Computer at Pit1 can ping RDP Server at Office. And RDP Server at Office can ping Computer at Pit1. When trying to connect to an RDP session on the RDP Server, it says the remote computer cannot be found. Also, the Computer at Pit1 can ping DC Server at Office, and vice-versa; but cannot connect to file shares.

Windows firewall is disabled on both servers, as well, as the computer.

I have tried playing with MTU values, but this has not seemed to make a difference.

Guru help is, as always, greatly appreciated!

10 Replies

Jennifer Halim
Cisco Employee

Hi Jeffry,

A couple of things on your configuration:

1) Crypto ACL is an ACL to define interesting traffic to be encrypted between the VPN tunnel.

On Office router: you are using ACL 101, however, ACL 101 is applied to both the crypto map as well as your class-map/zbfw.

Same on pit1 router: you are using ACL 101, however, ACL 101 is applied to both the crypto map as well as your class-map/zbfw.

I would suggest that you configure a different ACL for the crypto map and for the class-map/zbfw, so that when you add or make modifications to one ACL it does not affect the other.

2) Crypto ACL needs to be mirror image between the 2 sites. Currently you have:

Office router:

access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255

Pit1 router:

access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255

I would suggest that you configure a new ACL# and apply that to the respective crypto map match address statement as follows:

Office router:

access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255

crypto map CISCO 10 ipsec-isakmp
  no match address 101

  match address 150

Pit1 router:

access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255

crypto map CISCO 10 ipsec-isakmp
  no match address 101

  match address 150

3) Lastly, I am guessing based on your configuration that you are trying to RDP to 10.15.0.1, 10.15.0.2 and 10.15.1.99. If you are, then you won't be able to RDP to the private ip addresses via the VPN tunnel because of the following NAT configuration:

Office router:

ip nat inside source static tcp 10.15.0.1 3389 interface FastEthernet4 4489
ip nat inside source static tcp 10.15.0.2 3389 interface FastEthernet4 4589

Pit1 router:

ip nat inside source static tcp 10.15.1.99 3389 interface FastEthernet4 8889

For 10.15.0.1, 10.15.0.2, you can add the Office router public ip address into the crypto ACL (as it is a static ip address), and you can access those 2 servers from the Pit1 side using its public ip address as per the static PAT port you configured (4489 and 4589).

For 10.15.1.99, you can add the Pit1 router public ip address into the crypto ACL. I assume that ip address is also static even though it is DHCP-assigned, as you have configured a static crypto map on the Office router for peering with the Pit1 router.

To achieve that, if you change the crypto ACL to 150 as per my above point, you can add the following:

Office router:

access-list 150 permit ip host 10.15.1.0 0.0.0.255

access-list 150 permit ip 10.15.0.0 0.0.0.255 host

Pit1 router:

access-list 150 permit ip 10.15.1.0 0.0.0.255 host

access-list 150 permit ip host 10.15.0.0 0.0.0.255

After all of the above changes, please make sure that you clear the tunnel SAs at both ends:

clear cry isa sa

clear cry ipsec sa

Hope that helps.
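The mirror-image rule in point 2 is easy to get wrong by hand once `host`, `any` and wildcard masks are mixed in, so here is an added example (not part of the thread and not Cisco code) that parses the single-line `access-list <n> permit ip <src> <dst>` form quoted above, normalises each endpoint to a network, and lists every entry on one peer whose reversed (dst -> src) twin is missing on the other. It also reports wildcard masks that are not a contiguous run of low-order ones, which is what the `0.0.0.0 255.255.255.0` line on the Pit1 router is. The sample ACLs are the ACL 101 and ACL 150 lines from the reply; the script only checks the text, it does not replace `show crypto map` on the routers.

```python
"""Mirror-image check for IOS crypto ACLs (added example, not from the thread).

Parses `access-list <n> permit ip <src> <dst>` lines, normalises each
endpoint to an IPv4 network and reports entries on one peer that have no
reversed (dst -> src) twin on the other. Contiguous wildcard masks become
prefix lengths; `host` and `any` are handled; a non-contiguous wildcard is
reported separately because it does not describe a single network.
"""
import ipaddress
import re

# Grammar for the single-line extended ACE form used in the thread.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def wildcard_to_prefixlen(wildcard):
    """Turn an IOS wildcard mask (0.0.0.255) into a prefix length (24)."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):  # the set bits must be one solid run at the low end
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 33 - (w + 1).bit_length()


def parse_endpoint(text):
    """Return the IPv4Network an ACE endpoint (any / host A / A wildcard) selects."""
    parts = text.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    addr, wildcard = parts
    return ipaddress.ip_network(f"{addr}/{wildcard_to_prefixlen(wildcard)}", strict=False)


def parse_crypto_acl(config_text, acl_number):
    """Collect (line, src, dst) for the permit entries of one ACL number.

    Returns (entries, problems); problems holds (line, reason) for lines
    that match the grammar but cannot be normalised to networks.
    """
    entries, problems = [], []
    for line in config_text.splitlines():
        m = ACE_RE.match(line)
        if not m or m["num"] != str(acl_number) or m["action"] != "permit":
            continue
        try:
            entries.append((line.strip(), parse_endpoint(m["src"]), parse_endpoint(m["dst"])))
        except ValueError as exc:
            problems.append((line.strip(), str(exc)))
    return entries, problems


def mirror_check(local_entries, remote_entries):
    """Return local ACE lines whose (dst, src) reversal is absent on the remote peer."""
    remote_pairs = {(src, dst) for _, src, dst in remote_entries}
    return [line for line, src, dst in local_entries if (dst, src) not in remote_pairs]


def compare_peers(local_cfg, remote_cfg, acl_number):
    """Compare one ACL number on both peers; returns every finding in a dict."""
    local, local_problems = parse_crypto_acl(local_cfg, acl_number)
    remote, remote_problems = parse_crypto_acl(remote_cfg, acl_number)
    return {
        "local_unmirrored": mirror_check(local, remote),
        "remote_unmirrored": mirror_check(remote, local),
        "problems": local_problems + remote_problems,
    }


# Sample input constructed from the ACL lines quoted in the reply above.
OFFICE_ACL_101 = """
access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
"""
PIT1_ACL_101 = """
access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
"""
# The replacement ACL 150 pair from the reply, which is a clean mirror.
OFFICE_ACL_150 = "access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255\n"
PIT1_ACL_150 = "access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255\n"

if __name__ == "__main__":
    for label, office, pit1, num in (("ACL 101", OFFICE_ACL_101, PIT1_ACL_101, 101),
                                     ("ACL 150", OFFICE_ACL_150, PIT1_ACL_150, 150)):
        result = compare_peers(office, pit1, num)
        print(f"{label}: Office entries with no mirror on Pit1: {result['local_unmirrored']}")
        print(f"{label}: Pit1 entries with no mirror on Office: {result['remote_unmirrored']}")
        print(f"{label}: entries that could not be normalised: {result['problems']}")
```

Run against the ACL 101 pair it flags the Office `any host 10.15.0.1` entry and the Pit1 `host 67.225.57.7 any` entry as unmirrored and reports the non-contiguous wildcard line; against the ACL 150 pair it reports nothing, which is the state you want before bringing the tunnel back up.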

Thanks for the quick reply,

1) Crypto ACL is an ACL to define interesting traffic to be encrypted between the VPN tunnel.

On Office router: you are using ACL 101, however, ACL 101 is applied to both the crypto map as well as your class-map/zbfw.

Same on pit1 router: you are using ACL 101, however, ACL 101 is applied to both the crypto map as well as your class-map/zbfw.

I would suggest that you configure a different ACL for the crypto map and for the class-map/zbfw, so that when you add or make modifications to one ACL it does not affect the other.

Sorry, but I am not sure how I would go about doing that. Is there a document that I could read regarding how to accomplish this?

2) Crypto ACL needs to be mirror image between the 2 sites. Currently you have:

Office router:

access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255

Pit1 router:

access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255

I would suggest that you configure a new ACL# and apply that to the respective crypto map match address statement as follows:

Office router:

access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255

crypto map CISCO 10 ipsec-isakmp
  no match address 101

  match address 150

Pit1 router:

access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255

crypto map CISCO 10 ipsec-isakmp
  no match address 101

  match address 150

3) Lastly, I am guessing based on your configuration that you are trying to RDP to 10.15.0.1, 10.15.0.2 and 10.15.1.99. If you are, then you won't be able to RDP to the private ip addresses via the VPN tunnel because of the following NAT configuration:

Office router:

ip nat inside source static tcp 10.15.0.1 3389 interface FastEthernet4 4489
ip nat inside source static tcp 10.15.0.2 3389 interface FastEthernet4 4589

Pit1 router:

ip nat inside source static tcp 10.15.1.99 3389 interface FastEthernet4 8889

For 10.15.0.1, 10.15.0.2, you can add the Office router public ip address into the crypto ACL (as it is a static ip address), and you can access those 2 servers from the Pit1 side using its public ip address as per the static PAT port you configured (4489 and 4589).

For 10.15.1.99, you can add the Pit1 router public ip address into the crypto ACL. I assume that ip address is also static even though it is DHCP-assigned, as you have configured a static crypto map on the Office router for peering with the Pit1 router.

To achieve that, if you change the crypto ACL to 150 as per my above point, you can add the following:

Office router:

access-list 150 permit ip host 10.15.1.0 0.0.0.255

access-list 150 permit ip 10.15.0.0 0.0.0.255 host

Pit1 router:

access-list 150 permit ip 10.15.1.0 0.0.0.255 host

access-list 150 permit ip host 10.15.0.0 0.0.0.255

After all of the above changes, please make sure that you clear the tunnel SAs at both ends:

clear cry isa sa

clear cry ipsec sa

I *think* I entered this correctly. I did a "#clear crypto isakmp" followed by a "#clear crypto sa" on each router, then did a "#write" followed by a "#reload" on each. When trying to connect to the RDP Server (10.15.0.2) from the Computer at Pit (10.15.1.99), it says "cannot connect to computer". So I then tried to browse file shares on the RDP Server as well as the DB Server (10.15.0.1), but it said it could not find the computer. Ping still works both ways.

You would need to RDP to the public ip address of the respective router with the port that you specify in the NAT statement.

If I got rid of the NAT statements, then I could use the internal IP?

What would I need to add to allow Microsoft Windows file sharing across the tunnel?

I guess the goal was to have access to either location's network resources as though they were all local. The software vendor for the application running on the servers at the office wanted RDP access without having to log on to the VPN; hence why there was NAT.

It kinda baffles me that I can't have NAT access from any computer on the internet and local access through the VPN at the same time, unless I am missing something here - which is a good possibility.

Yes, correct, if you remove the static NAT statements, you can connect using the private IP. But you won't be able to connect from the Internet anymore.

Yeah, unfortunately you can't add "route-map" to bypass the NAT for static PAT on the router. The same would work just fine from ASA firewall.

Microsoft file sharing should work as long as the ip address is in the subnet configured in the crypto ACL.

I believe I have my subnets set correctly in my crypto ACL, but I cannot seem to access any Microsoft file shares across the VPN (not that I will be doing a lot of this).

For RDP, I can live with using the external IP to access RDP.

Try to lower the MSS value on your inside interface and test the connection again.

Example:

interface Vlan1
 ip tcp adjust-mss 1300

I changed the value on both sides, but it made no difference. I am still unable to connect to any shares on either side of the tunnel.

Do you try to access the share by IP address or by name?

Can you please advise the ip address of the shares? Thanks.

Tried via IP address:
\\10.15.0.1\Share and
\\10.15.0.2\Share