01-06-2011 05:44 PM
I have established an IPsec tunnel successfully and can ping devices both ways, but when trying to connect to servers from one site to the other, it cannot for whatever reason.
For example:
Computer at Pit1 can ping RDP Server at Office. And RDP Server at Office can ping Computer at Pit1. When trying to connect to an RDP session on the RDP Server, it says the remote computer cannot be found. Also, the Computer at Pit1 can ping DC Server at Office, and vice-versa; but cannot connect to file shares.
Windows Firewall is disabled on both servers as well as on the computer.
I have tried playing with MTU values, but this has not seemed to make a difference.
Guru help is, as always, greatly appreciated!
01-06-2011 06:40 PM
Hi Jeffry,
A couple of things on your configuration:
1) Crypto ACL is an ACL to define interesting traffic to be encrypted between the VPN tunnel.
On the Office router: you are using ACL 101; however, ACL 101 is applied to both the crypto map and your class-map/zbfw.
Same on the Pit1 router: you are using ACL 101; however, ACL 101 is applied to both the crypto map and your class-map/zbfw.
I would suggest that you configure a different ACL for the crypto map and for the class-map/zbfw, so that when you add to or modify one ACL it does not affect the other.
2) Crypto ACL needs to be mirror image between the 2 sites. Currently you have:
Office router:
access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
Pit1 router:
access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
I would suggest that you configure a new ACL# and apply that to the respective crypto map match address statement as follows:
Office router:
access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
crypto map CISCO 10 ipsec-isakmp
no match address 101
match address 150
Pit1 router:
access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
crypto map CISCO 10 ipsec-isakmp
no match address 101
match address 150
3) Lastly, I am guessing based on your configuration that you are trying to RDP to 10.15.0.1, 10.15.0.2 and 10.15.1.99. If you are, then you won't be able to RDP to the private IP addresses via the VPN tunnel because of the following NAT configuration:
Office router:
ip nat inside source static tcp 10.15.0.1 3389 interface FastEthernet4 4489
ip nat inside source static tcp 10.15.0.2 3389 interface FastEthernet4 4589
Pit1 router:
ip nat inside source static tcp 10.15.1.99 3389 interface FastEthernet4 8889
For 10.15.0.1, 10.15.0.2, you can add the Office router public ip address into the crypto ACL (as it is static ip address), and you can access those 2 servers from the Pit1 side using its public ip address as per the static PAT port you configured (4489 and 4589).
For 10.15.1.99, you can add the Pit1 router public IP address into the crypto ACL. I assume that IP address is also static even though it is DHCP assigned, as you have configured a static crypto map on the Office router for peering with the Pit1 router.
To achieve that, if you change the crypto ACL to 150 as per my above point, you can add the following:
Office router:
access-list 150 permit ip host
access-list 150 permit ip 10.15.0.0 0.0.0.255 host
Pit1 router:
access-list 150 permit ip 10.15.1.0 0.0.0.255 host
access-list 150 permit ip host
After all of the above changes, pls make sure that you clear the tunnel SAs at both ends:
clear cry isa sa
clear cry ipsec sa
Hope that helps.
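Point 2 above (the crypto ACLs must be mirror images) is easy to get wrong by hand once the ACLs have more than a line or two, so here is a small checker added as an example; it is not part of this thread or of any Cisco tool. It parses plain `access-list <n> permit|deny <proto> <src> <dst>` lines (with `any`, `host A.B.C.D`, or `A.B.C.D wildcard`; no port qualifiers), normalizes wildcard entries so host bits do not matter, and reports every entry on one side that has no swapped-source/destination counterpart on the other. The sample ACLs are the ACL 101 and ACL 150 lines quoted in this thread; the function and variable names are the example's own.

```python
"""Check that two Cisco IOS crypto ACLs are mirror images of each other.

Example code, not from the thread. Supports only the address part of an
extended ACL entry: any | host A.B.C.D | A.B.C.D WILDCARD.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

ALL_ONES = 0xFFFFFFFF


class Entry(NamedTuple):
    action: str
    proto: str
    src: Tuple[int, int]  # (address, wildcard) as integers
    dst: Tuple[int, int]


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec starting at tokens[i]; return ((addr, wildcard), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Clear the bits the wildcard ignores so "10.15.0.7 0.0.0.255" equals "10.15.0.0 0.0.0.255".
    return (addr & ~wc & ALL_ONES, wc), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into Entry tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            raise ValueError(f"not an extended ACL line: {line!r}")
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        if i != len(tokens):
            raise ValueError(f"port qualifiers are not supported by this checker: {line!r}")
        entries.append(Entry(action, proto, src, dst))
    return entries


def mirror(e: Entry) -> Entry:
    """The entry the far side must carry: same action/protocol, source and destination swapped."""
    return Entry(e.action, e.proto, e.dst, e.src)


def mirror_check(acl_a: str, acl_b: str):
    """Return (unmatched_in_a, unmatched_in_b): entries with no mirrored counterpart on the other side."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    a_set, b_set = set(a), set(b)
    unmatched_a = [e for e in a if mirror(e) not in b_set]
    unmatched_b = [e for e in b if mirror(e) not in a_set]
    return unmatched_a, unmatched_b


def fmt_addr(a: Tuple[int, int]) -> str:
    addr, wc = a
    if wc == ALL_ONES:
        return "any"
    if wc == 0:
        return f"host {ipaddress.IPv4Address(addr)}"
    return f"{ipaddress.IPv4Address(addr)} {ipaddress.IPv4Address(wc)}"


def fmt(e: Entry) -> str:
    return f"{e.action} {e.proto} {fmt_addr(e.src)} {fmt_addr(e.dst)}"


# Sample input: the ACL 101 lines quoted in the thread (Office and Pit1 routers).
OFFICE_101 = """
access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
"""
PIT1_101 = """
access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
"""
# The suggested replacement ACL 150 pair from the same post.
OFFICE_150 = "access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255"
PIT1_150 = "access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255"

if __name__ == "__main__":
    for label, a, b in (("ACL 101", OFFICE_101, PIT1_101), ("ACL 150", OFFICE_150, PIT1_150)):
        ua, ub = mirror_check(a, b)
        print(f"{label}: {'mirror OK' if not ua and not ub else 'NOT mirrored'}")
        for e in ua:
            print(f"  Office entry with no Pit1 mirror: {fmt(e)}")
        for e in ub:
            print(f"  Pit1 entry with no Office mirror: {fmt(e)}")
```

Run as a script it flags the `any host 10.15.0.1` entry on the Office side and the `host 67.225.57.7 any` and `0.0.0.0 255.255.255.0` entries on the Pit1 side as having no counterpart, while the proposed ACL 150 pair passes. Matching is exact after normalization: a `/24` on one side and a narrower host entry on the other is reported as a mismatch, which is the condition under which IOS negotiates a proxy identity the peer will reject.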
01-06-2011 08:34 PM
Thanks for the quick reply,
1) Crypto ACL is an ACL to define interesting traffic to be encrypted between the VPN tunnel.
On the Office router: you are using ACL 101; however, ACL 101 is applied to both the crypto map and your class-map/zbfw.
Same on the Pit1 router: you are using ACL 101; however, ACL 101 is applied to both the crypto map and your class-map/zbfw.
I would suggest that you configure a different ACL for the crypto map and for the class-map/zbfw, so that when you add to or modify one ACL it does not affect the other.
Sorry, but I am not sure how I would go about doing that. Is there a document that I could read regarding how to accomplish this?
2) Crypto ACL needs to be mirror image between the 2 sites. Currently you have:
Office router:
access-list 101 permit ip any host 10.15.0.1
access-list 101 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
Pit1 router:
access-list 101 permit ip host 67.225.57.7 any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 101 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
I would suggest that you configure a new ACL# and apply that to the respective crypto map match address statement as follows:
Office router:
access-list 150 permit ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
crypto map CISCO 10 ipsec-isakmp
no match address 101
match address 150
Pit1 router:
access-list 150 permit ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
crypto map CISCO 10 ipsec-isakmp
no match address 101
match address 150
3) Lastly, I am guessing based on your configuration that you are trying to RDP to 10.15.0.1, 10.15.0.2 and 10.15.1.99. If you are, then you won't be able to RDP to the private IP addresses via the VPN tunnel because of the following NAT configuration:
Office router:
ip nat inside source static tcp 10.15.0.1 3389 interface FastEthernet4 4489
ip nat inside source static tcp 10.15.0.2 3389 interface FastEthernet4 4589
Pit1 router:
ip nat inside source static tcp 10.15.1.99 3389 interface FastEthernet4 8889
For 10.15.0.1, 10.15.0.2, you can add the Office router public ip address into the crypto ACL (as it is static ip address), and you can access those 2 servers from the Pit1 side using its public ip address as per the static PAT port you configured (4489 and 4589).
For 10.15.1.99, you can add the Pit1 router public IP address into the crypto ACL. I assume that IP address is also static even though it is DHCP assigned, as you have configured a static crypto map on the Office router for peering with the Pit1 router.
To achieve that, if you change the crypto ACL to 150 as per my above point, you can add the following:
Office router:
access-list 150 permit ip host
10.15.1.0 0.0.0.255
access-list 150 permit ip 10.15.0.0 0.0.0.255 host
Pit1 router:
access-list 150 permit ip 10.15.1.0 0.0.0.255 host
access-list 150 permit ip host
10.15.0.0 0.0.0.255
After all of the above changes, pls make sure that you clear the tunnel SAs at both ends:
clear cry isa sa
clear cry ipsec sa
I *think* I entered this correctly. I did a "#clear crypto isakmp" followed by a "#clear crypto sa" on each router, then did a "#write" followed by a "#reload" on each. When trying to connect to the RDP Server (10.15.0.2) from the Computer at Pit (10.15.1.99), it says "cannot connect to computer". So I then tried to browse a file share on the RDP Server as well as the DB Server (10.15.0.1), but it said it could not find the computer. Ping still works both ways.
01-06-2011 08:50 PM
You would need to RDP to the public ip address of the respective router with the port that you specify in the NAT statement.
01-06-2011 09:48 PM
If I got rid of the NAT statements, then I could use the internal IP?
What would I need to add to allow Microsoft Windows file sharing across the tunnel?
I guess the goal was to have access to either location's network resources as though they were all local. The software vendor for the application running on the servers at the office wanted RDP access without having to log on to the VPN; hence why there was NAT.
It kinda baffles me that I can't have NAT access from any computer on the internet and local access through the VPN at the same time, unless I am missing something here - which is a good possibility.
01-06-2011 10:06 PM
Yes, correct, if you remove the static NAT statements, you can connect using the private IP. But you won't be able to connect from the Internet anymore.
Yeah, unfortunately you can't add a "route-map" to bypass the NAT for static PAT on the router. The same would work just fine on an ASA firewall.
Microsoft file sharing should work as long as the ip address is in the subnet configured in the crypto ACL.
01-07-2011 06:43 AM
I believe I have my subnets set correctly in my crypto ACL, but I cannot seem to access any Microsoft file shares across the VPN (not that I will be doing a lot of this).
For the RDP, I can live with using the external IP to access RDP.
01-07-2011 03:38 PM
Try to lower the MSS value on your inside interface and test the connection again.
Example:
interface Vlan1
ip tcp adjust-mss 1300
01-11-2011 07:04 PM
I changed the value on both sides, but it made no difference. I am still unable to connect to any shares on either side of the tunnel.
01-13-2011 01:25 AM
Are you trying to access the share by IP address or by name?
Can you please advise the ip address of the shares? Thanks.
01-13-2011 11:30 AM
Tried via IP address:
\\10.15.0.1\Share and
\\10.15.0.2\Share