Solved: VPN up but cannot ping across

marshal.violet · ‎07-26-2012

Hello,

Have an issue where have two locations trying to get connected. first location has a cisco 861 and a uc500 for the phone system. The second location is using a UC520 for the phones and as the router. Below are the configurations of the 861 and the UC520. Any help would be greatly appereciated!

Cisco 861

Current configuration : 7635 bytes

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

memory-size iomem 10

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1477458744

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1477458744

revocation-check none

rsakeypair TP-self-signed-1477458744

!

crypto pki certificate chain TP-self-signed-1477458744

quit

ip source-route

!

ip cef

no ip domain lookup

ip domain name

ip name-server 8.8.8.8

ip name-server 8.8.4.4

!

license udi pid CISCO861-K9 sn fff

!

username admin

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxx address 2.2.2.140 no-xauth

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TS esp-3des esp-md5-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

!

crypto map mymap 1 ipsec-isakmp

set peer 1.1.1.140

set transform-set ESP-3DES-SHA

match address SDM_1

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 1.1.1.130 255.255.255.240

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

duplex full

speed auto

crypto map mymap

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable

ip nat inside source static 10.1.1.23 1.1.1.133

1

ip route 0.0.0.0 0.0.0.0 1.1.1.129

!

ip access-list extended SDM_1

remark CCP_ACL Category=20

permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

remark IPSec Rule

ip access-list extended VPN-TRAFFIC

remark CCP_ACL Category=16

permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

!

access-list 1 remark CCP_ACL Category=16

access-list 1 permit 0.0.0.0 255.255.255.0

access-list 1 permit any

access-list 23 permit 10.1.1.0 0.0.0.255

access-list 23 permit any

access-list 100 remark CCP_ACL Category=2

access-list 100 remark IPSec Rule

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 permit ip 0.0.0.0 255.255.255.0 any

access-list 100 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 deny ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 deny ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 100

!

control-plane

!

------------------------------------------------------------------------------------------------------------------------------------------------------

cisco UC520

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key panasonic address 1.1.1.130 no-xauth

!

crypto isakmp client configuration group EZVPN_GROUP_1

key 8888

dns 64.132.94.250 216.136.95.1

pool SDM_POOL_1

acl 105

save-password

max-users 10

crypto isakmp profile sdm-ike-profile-1

match identity group EZVPN_GROUP_1

client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1

isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

client configuration address respond

virtual-template 1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

crypto map mymap 1 ipsec-isakmp

set peer 1.1.1.130

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

logging enable

logging size 600

hidekeys

!

ip telnet source-interface BVI100

ip tftp source-interface Loopback0

!

class-map match-any sdm_p2p_kazaa

match protocol fasttrack

match protocol kazaa2

class-map match-any sdm_p2p_edonkey

match protocol edonkey

class-map match-any sdm_p2p_gnutella

match protocol gnutella

class-map match-any sdm_p2p_bittorrent

match protocol bittorrent

!

bridge irb

!

interface Loopback0

ip address 10.1.10.2 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0

ip address 2.2.2.140 255.255.255.0

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

crypto map mymap

!

interface Integrated-Service-Engine0/0

description cue is initialized with default IMAP group

ip unnumbered BVI100

ip nat inside

ip virtual-reassembly

service-module ip address 172.16.6.2 255.255.255.0

service-module ip default-gateway 172.16.6.1

!

interface Virtual-Template1 type tunnel

ip unnumbered BVI1

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

no ip address

ip nat inside

ip virtual-reassembly

bridge-group 1

!

interface Vlan100

no ip address

ip nat inside

ip virtual-reassembly

bridge-group 100

!

interface BVI1

ip address 10.0.0.250 255.255.255.0

ip helper-address 10.0.0.6

ip nat inside

ip virtual-reassembly

!

interface BVI100

ip address 172.16.6.1 255.255.255.0

ip nat inside

ip virtual-reassembly

h323-gateway voip interface

h323-gateway voip bind srcaddr 172.16.6.1

!

ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 2.2.2.1

ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0

!

ip http server

ip http authentication local

ip http secure-server

ip http path flash:/gui

ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload

ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable

!

ip access-list extended INSIDE_NAT

deny ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255

deny ip any 10.1.1.0 0.0.0.255

deny ip any 192.168.3.0 0.0.0.255

deny ip any 172.16.4.0 0.0.0.255

deny ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 10.1.10.0 0.0.0.255 any

permit ip 10.0.0.0 0.0.0.255 any

permit ip 172.16.6.0 0.0.0.255 any

ip access-list extended NAT_CUSTOMERS

permit tcp any host 2.2.2.140 eq 4550

!

access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255

access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255

access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 105 permit ip 172.16.4.0 0.0.0.255 any

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 192.168.3.0 0.0.0.255 any

access-list 105 remark SDM_ACL Category=4

access-list 105 permit ip 10.1.10.0 0.0.0.3 any

access-list 105 permit ip 10.0.0.0 0.0.0.255 any

access-list 105 permit ip 172.16.6.0 0.0.0.255 any

snmp-server community public RO

Javier Portuguez · ‎07-26-2012

Hi Marshal,

Great news, I give you 5 stars

Please mark this question as answered.

Have a nice day.

View solution in original post

marshal.violet · ‎07-26-2012

Actually a reboot of the Cisco 861 seemed to do the trick!

Javier Portuguez · ‎07-26-2012

Hi Marshal,

Great news, I give you 5 stars

Please mark this question as answered.

Have a nice day.