1023 Views, 0 Helpful, 2 Replies

VPN site to site, can ping WAN IP, but cannot reach internal

trinhphanle
Level 1

Hi all

I need your help. I have two Cisco 892 routers for a site-to-site VPN. I reconfigured the second one and they can ping each other's public IP.

However, they cannot ping the other site's internal IP address. The second one does not have a certificate like the first one. I am not sure that is the problem, because both use a pre-shared key. I think they do not need the certificate method for the VPN, am I right?

And what is the problem when I cannot reach the internal network?

Thanks for your help

This is the 1st site:

Current configuration : 3903 bytes
!
! No configuration change since last restart
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AtoB
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
!
!
!
crypto pki trustpoint TP-self-signed-1651087387
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1651087387
revocation-check none
rsakeypair TP-self-signed-1651087387
!
!
crypto pki certificate chain TP-self-signed-1651087387
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363531 30383733 3837301E 170D3132 30353136 31363031
  31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353130
  38373338 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B528 FD72495D E0D64EF4 A2B151C7 90B44259 1B85C7D3 8D573F85 C5860A98
  1E26DCCD 7DA88812 6CE0A895 E7FDAAD0 702A784A 2E944B2E 9CEAEB91 CD83F5F0
  05C67D87 AFE4E134 45CADF52 FF6FD574 E9DA75EC 5D90B8AC 96767712 03B70EC6
  E8236C5B 7B640706 E700F0CC CE307B37 FA30ED11 CA47B150 5C115824 F2666446
  EB5D0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14545874 6F57492E 64696365 6E747261 6C2E636F 6D301F06
  03551D23 04183016 8014E22C 54C27FAA 781F4281 8B2ADB89 A3611810 91BA301D
  0603551D 0E041604 14E22C54 C27FAA78 1F42818B 2ADB89A3 61181091 BA300D06
  092A8648 86F70D01 01040500 03818100 AE4A5C93 C82813E8 3AC6E090 34497670
  B68D1309 DC4FA25D BB4211D1 55696D95 DAB45092 5F2D7391 B0D36F80 3618E3D1
  F195257B 4CF873C0 14E437EB 1CD436D9 664B33D0 FFED62BC 71BE4A68 765BCA64
  06DFF9E8 40EE7EAD 5452D677 F54FDBA2 5B811CE0 8D975F10 187FD672 C204F41F
  32EC5DFB F47F7AD4 03ABF4AE 2CC0FD73
        quit
ip source-route
!
!
!
!
ip cef
ip domain name xxxxxxxxxxxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL154924F3
!
!
username xxxxxx privilege 15 secret 5 $1$cC3.$L.CJ4QnVE19y7OUfuOg370
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address x.x.x.74
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.74
set peer x.x.x.x
set peer x.x.x.74
set transform-set ESP-3DES-SHA
match address VPNAccessList
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ETH-WAN$
ip address x.x.x.84 y.y.y.240
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
ip address x.x.0.10 255.y.y.y
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 x.x.x.94
!
ip access-list extended VPNAccessList
remark iucudhoa
permit ip 10.x.x.x 0.255.255.255 192.x.x.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0
login local
transport input telnet ssh
transport output telnet ssh
line vty 1 4
login
!
scheduler max-task-time 5000
end

-----------------------------------------------------------------------------------------------------------------------------------------------------

This is the 2nd site:

Current configuration : 2165 bytes
!
! Last configuration change at 21:36:14 UTC Thu Jan 16 2014 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BtoA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
ip source-route
!
!
!
!
ip cef
ip domain name xxxxxxxxxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL15412386
!
!
username admin privilege 15 secret 5 $1$1vxH$mKWoPLIGv8lrAbtFHQfIr.
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address x.x.x.84
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.84 (Test line)
set peer x.x.x.84
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address VPNAccessList
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
shutdown
!
!
interface FastEthernet1
shutdown
!
!
interface FastEthernet2
shutdown
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
shutdown
!
!
interface FastEthernet5
shutdown
!
!
interface FastEthernet6
shutdown
!
!
interface FastEthernet7
shutdown
!
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0
description ETH-WAN
ip address x.x.x.74 y.y.y.248
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
ip access-list extended VPNAccessList
remark for VPN
permit ip 192.x.x.0 0.0.0.255 10.x.x.0 0.255.255.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5000 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
end

2 Replies

m.kafka
Level 4

I don't see an IP address for the LAN on "2nd site"

Sorry m.kafka,

The IP address in the 2nd site is:

FastEthernet8: 192.168.x.x 255.x.x.x

Do I need routes on those two routers? Because they are VPN routers, I think they are not needed, but you can correct me.

Thanks for your help.
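An added check for the situation in this thread (example code written for this page, not code from the thread or from Cisco). When two crypto-map peers reach each other on their WAN addresses but nothing crosses the tunnel, the first things to verify are that the two crypto ACLs are exact mirror images of each other, that each router actually has an address inside the LAN its ACL names (the 2nd-site config shows Vlan1 and FastEthernet8 with no IP address), and that each side's "set peer" points at the interface carrying the other side's crypto map. The self-signed trustpoint on the first router belongs to its HTTPS server ("ip http secure-server") and plays no part in a pre-shared-key ISAKMP policy, so the script ignores it. The two configs embedded below are constructed to resemble the posted AtoB/BtoA routers; the 203.0.113.x WAN addresses and the 10.0.0.0/8 and 192.168.1.0/24 LANs are placeholders for the values the poster masked with x, and the one-space indentation of sub-commands is assumed to be the normal "show running-config" layout.

```python
import ipaddress

# Constructed sample configs modelled on the thread's AtoB / BtoA routers.
# All addresses are placeholders chosen for this example, not the poster's.
SITE_A = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.74
 set transform-set ESP-3DES-SHA
 match address VPNAccessList
interface GigabitEthernet0
 ip address 203.0.113.84 255.255.255.240
 crypto map SDM_CMAP_1
interface Vlan1
 ip address 10.0.0.10 255.255.255.0
ip access-list extended VPNAccessList
 remark iucudhoa
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
"""

SITE_B = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.84
 set transform-set ESP-3DES-SHA
 match address VPNAccessList
interface GigabitEthernet0
 ip address 203.0.113.74 255.255.255.248
 crypto map SDM_CMAP_1
interface Vlan1
 no ip address
ip access-list extended VPNAccessList
 remark for VPN
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network.

    An IOS wildcard is an inverted netmask; only contiguous wildcards are accepted.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    if int(net.hostmask) != wc:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return net


def parse_config(config):
    """Extract crypto-map peers, the ACL it matches, ACL entries and interface addresses."""
    info = {"acl_name": None, "peers": [], "addresses": {}, "wan": None, "entries": []}
    section = None  # (kind, name) of the block that indented lines belong to
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):  # top-level command: opens (or ends) a block
            if words[0] == "interface":
                section = ("interface", words[1])
            elif words[:3] == ["ip", "access-list", "extended"]:
                section = ("acl", words[3])
            elif words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words:
                section = ("cmap", words[2])
            else:
                section = None
            continue
        kind, name = section if section else (None, None)
        if kind == "cmap":
            if words[:2] == ["set", "peer"]:
                info["peers"].append(ipaddress.ip_address(words[2]))
            elif words[:2] == ["match", "address"]:
                info["acl_name"] = words[2]
        elif kind == "interface":
            if words[:2] == ["ip", "address"] and len(words) == 4:
                info["addresses"][name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["crypto", "map"]:
                info["wan"] = name  # the interface the crypto map is applied to
        elif kind == "acl" and words[:2] == ["permit", "ip"] and len(words) == 6:
            # only the 'permit ip A wc B wc' form used by the posted ACLs is parsed
            info["entries"].append((name, wildcard_to_network(words[2], words[3]),
                                    wildcard_to_network(words[4], words[5])))
    return info


def check_tunnel(local_cfg, remote_cfg):
    """Return findings for the tunnel as seen from the local router (empty list = clean)."""
    local, remote = parse_config(local_cfg), parse_config(remote_cfg)
    mine = [(s, d) for n, s, d in local["entries"] if n == local["acl_name"]]
    theirs = [(s, d) for n, s, d in remote["entries"] if n == remote["acl_name"]]
    findings = []
    if not mine:
        findings.append(f"crypto ACL {local['acl_name']} has no permit ip entries")
    for src, dst in mine:
        # phase 2 only negotiates when the remote ACL is the exact mirror image
        if (dst, src) not in theirs:
            findings.append(f"no mirror entry on remote for {src} -> {dst}")
        # the router must sit in (or at least route to) the LAN it protects;
        # an interface address inside that network is the simplest evidence
        if not any(a.ip in src for a in local["addresses"].values()):
            findings.append(f"no interface address inside local network {src}")
    remote_wan = remote["addresses"].get(remote["wan"])
    if remote_wan is None:
        findings.append("remote crypto-map interface has no IP address")
    elif remote_wan.ip not in local["peers"]:
        findings.append(f"set peer does not include remote WAN {remote_wan.ip}")
    return findings


if __name__ == "__main__":
    for label, a, b in (("AtoB", SITE_A, SITE_B), ("BtoA", SITE_B, SITE_A)):
        print(label, check_tunnel(a, b) or ["ok"])
```

Run against the two constructed configs, the AtoB direction comes back clean and the BtoA direction reports that no interface on the second router has an address inside 192.168.1.0/24, which is the same gap m.kafka pointed out in the posted config. The script goes slightly beyond the thread by also checking the "set peer" addresses against the remote crypto-map interface; feeding it the real running-configs (with the masked values restored) would check the same three things.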