Cisco 837 to Cisco 837 VPN, ping OK, NetBios / VNC DROPPING!

Discussion in 'Cisco' started by Suppa Lamah, Dec 18, 2003.

  1. Suppa Lamah

    Suppa Lamah Guest

    I successfully (at least I thought so) created an IPSec connection between
    two 12.2 IOS Cisco 837-K9.

    I followed step-by-step several Cisco documents and FAQ, and I had, after
    several tries, the IsaKmp SAs up and running, and the traffic correctly
    routed via NAT or thrown in the VPN tunnel.

    My PC clients on the separate, private networks (192.168.0.0 and
    192.168.1.0) are able to both navigate the Internet via NAT, and ping the
    hosts on the other side of the VPN connection. I also checked for known MTUs
    problems, and I can use 15.000 bytes ICMP packets going in and out without
    losing any.

    What I cannot do is... anything else! :)

    I see that any connection requesting more than a given, short amount of
    resources (cannot tell if the number of open ports is the issue, or, much
    more probably, some timeout on TCP connections) just fails.

    Example: I can successfully map a "NET USE LPT2: \\192.168.0.10\QUEUE1"
    printer on the other side of the connection, AND print a very short, DOS
    document (example: "dir > test.txt", followed by "copy test.txt lpt2:"). If
    I try to print a Windows document via Wordpad it fails ("the network name
    cannot be found" and such, like the connection was dropped in the middle of
    the operation).

    I can successfully map a drive "NET USE K: \\192.168.0.10\HARDDISK", but a
    "DIR K:\" command results in only the volume label being shown, after that
    couple lines... no more communications take place.

    I also verified that using a remote control software such as VNC
    (http://www.realvnc.com) I can successfully open the remote screen AND MOVE
    THE MOUSE (this is told to me from a person being on the other side),
    although I am unable to see anything because I have a black screen, and the
    session fails soon...

    I tried anything I could think of... I downloaded and checked several
    documents with VPN examples, but to no avail.

    I also removed, to be very, very sure about it, ALL access lists on the
    external interfaces on both sides (then verified by using an external port
    scanner which confirmed all ports were open).

    Has anybody experienced anything similar and could help? Thanks in
    advance...


    Suppa Lamah
     
    Suppa Lamah, Dec 18, 2003
    #1

  2. Suppa Lamah

    Rik Bain Guest

    On Thu, 18 Dec 2003 07:10:26 -0600, Suppa Lamah wrote:

    > I successfully (at least I thought so) created an IPSec connection
    > between two 12.2 IOS Cisco 837-K9.
    >
    > I followed step-by-step several Cisco documents and FAQ, and I had,
    > after several tries, the IsaKmp SAs up and running, and the traffic
    > correctly routed via NAT or thrown in the VPN tunnel.
    >
    > My PC clients on the separate, private networks (192.168.0.0 and
    > 192.168.1.0) are able to both navigate the Internet via NAT, and ping
    > the hosts on the other side of the VPN connection. I also checked for
    > known MTUs problems, and I can use 15.000 bytes ICMP packets going in
    > and out without losing any.
    >
    > What I cannot do is... anything else! :)
    >
    > I see that any connection requesting more than a given, short amount of
    > resources (cannot tell if the number of open ports is the issue, or, much
    > more probably, some timeout on TCP connections) just fails.
    >
    > Example: I can successfully map a "NET USE LPT2: \\192.168.0.10\QUEUE1"
    > printer on the other side of the connection, AND print a very short, DOS
    > document (example: "dir > test.txt", followed by "copy test.txt lpt2:").
    > If I try to print a Windows document via Wordpad it fails ("the network
    > name cannot be found" and such, like the connection was dropped in the
    > middle of the operation).
    >
    > I can successfully map a drive "NET USE K: \\192.168.0.10\HARDDISK", but
    > a "DIR K:\" command results in only the volume label being shown, after
    > that couple lines... no more communications take place.
    >
    > I also verified that using a remote control software such as VNC
    > (http://www.realvnc.com) I can successfully open the remote screen AND
    > MOVE THE MOUSE (this is told to me from a person being on the other
    > side), although I am unable to see anything because I have a black
    > screen, and the session fails soon...
    >
    > I tried anything I could think of... I downloaded and checked several
    > documents with VPN examples, but to no avail.
    >
    > I also removed, to be very, very sure about it, ALL access lists on the
    > external interfaces on both sides (then verified by using an external
    > port scanner which confirmed all ports were open).
    >
    > Has anybody experienced anything similar and could help? Thanks in
    > advance...
    >
    >
    > Suppa Lamah



    Sounds like an MTU issue. Lower the MTU on one of your workstations and
    test the same activities that you mentioned above.
     
    Rik Bain, Dec 18, 2003
    #2

  3. "Suppa Lamah" <> wrote in message
    news:6HhEb.9934$...

    > I also checked for known MTUs
    > problems, and I can use 15.000 bytes ICMP packets going in and out without
    > losing any.


    With or without the -f parameter? To test MTU you need to use this
    parameter.

    Richard.
     
    Richard Antony Burton, Dec 18, 2003
    #3
  4. Suppa Lamah

    Graeme Guest

    With very little CISCO knowledge I managed to set up IPsec VPN tunnels
    between a couple of 837's using SDM.

    The hard bit [for me] was upgrading the IOS. I bought both routers around the
    same time but one had an older image and didn't support SDM. I copied the
    image from the new router to the older router and everything works fine.

    Image name: c837-k9o3sy6-mz.122-13.ZH.bin

    Ignore this comment if it's completely irrelevant, I don't even know what an
    MTU is :eek:)

    I can let you have configs if that helps?

    Regards,

    G.
     
    Graeme, Dec 18, 2003
    #4
  5. Suppa Lamah

    TEM Guest

    I had a similar problem with a 837 to 804 VPN. The examples that I followed
    did not include a loopback address on the responding router to bypass the
    NAT translation. If you are also using NAT for internet traffic, you have to
    use a loopback interface with a "fake" ip and a route map to route
    interesting traffic away from the NAT. I found an example on cisco.com.


    "Suppa Lamah" <> wrote in message
    news:6HhEb.9934$...
    > I successfully (at least I thought so) created an IPSec connection between
    > two 12.2 IOS Cisco 837-K9.
    >
    > I followed step-by-step several Cisco documents and FAQ, and I had, after
    > several tries, the IsaKmp SAs up and running, and the traffic correctly
    > routed via NAT or thrown in the VPN tunnel.
    >
    > My PC clients on the separate, private networks (192.168.0.0 and
    > 192.168.1.0) are able to both navigate the Internet via NAT, and ping the
    > hosts on the other side of the VPN connection. I also checked for known MTUs
    > problems, and I can use 15.000 bytes ICMP packets going in and out without
    > losing any.
    >
    > What I cannot do is... anything else! :)
    >
    > I see that any connection requesting more than a given, short amount of
    > resources (cannot tell if the number of open ports is the issue, or, much
    > more probably, some timeout on TCP connections) just fails.
    >
    > Example: I can successfully map a "NET USE LPT2: \\192.168.0.10\QUEUE1"
    > printer on the other side of the connection, AND print a very short, DOS
    > document (example: "dir > test.txt", followed by "copy test.txt lpt2:"). If
    > I try to print a Windows document via Wordpad it fails ("the network name
    > cannot be found" and such, like the connection was dropped in the middle of
    > the operation).
    >
    > I can successfully map a drive "NET USE K: \\192.168.0.10\HARDDISK", but a
    > "DIR K:\" command results in only the volume label being shown, after that
    > couple lines... no more communications take place.
    >
    > I also verified that using a remote control software such as VNC
    > (http://www.realvnc.com) I can successfully open the remote screen AND MOVE
    > THE MOUSE (this is told to me from a person being on the other side),
    > although I am unable to see anything because I have a black screen, and the
    > session fails soon...
    >
    > I tried anything I could think of... I downloaded and checked several
    > documents with VPN examples, but to no avail.
    >
    > I also removed, to be very, very sure about it, ALL access lists on the
    > external interfaces on both sides (then verified by using an external port
    > scanner which confirmed all ports were open).
    >
    > Has anybody experienced anything similar and could help? Thanks in
    > advance...
    >
    >
    > Suppa Lamah
    >
    >
    >
     
    TEM, Dec 18, 2003
    #5
  6. Suppa Lamah

    Suppa Lamah Guest

    How could I be so silly; no, I didn't use the -f parameter.

    But, suspecting MTU issues, I read and applied blindly several known tips
    about MTUs:

    - ip tcp adjust-mss 1452 ---> eth0
    - ip mtu 1492 ---> atm0 / atm0.1 (on point-to-point connections)
    - ip tcp adjust-mss 1452 ---> dialer1 (on PPPoE connections)

    I will re-issue the ping test, anyway, thanks for your input.

    Suppa Lamah


    > > I also checked for known MTUs
    > > problems, and I can use 15.000 bytes ICMP packets going in and out without
    > > losing any.
    >
    > With or without the -f parameter? To test MTU you need to use this
    > parameter.
     
    Suppa Lamah, Dec 18, 2003
    #6
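A worked version of the MTU test the replies above ask for, written for this thread as an added example (it is not code from any poster): a binary search that drives a don't-fragment ping probe (Windows "ping -f -l <bytes>", Linux "ping -M do -s <bytes>"), plus the header arithmetic behind the 1492/1452 pair listed in the post. The probe is injected as a function, so the search runs offline here against a constructed path with an MTU of 1492; the ESP overhead figures for 3DES/SHA-1 are an assumed worst case, not numbers from the thread.

```python
"""Path-MTU probe and MSS-clamp arithmetic (added example; not from the thread).

find_path_mtu drives a DF-bit ping probe in a binary search. The probe is
injected so the search can run against a simulated path; on a real network
you would wrap `ping -f -l N` (Windows) or `ping -M do -s N` (Linux).
"""
from typing import Callable

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header; ping's size argument excludes both headers
TCP_HEADER = 20     # TCP header without options


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real ping: answers only if the whole datagram fits."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest datagram (bytes, headers included) that passes with DF set.

    probe(payload) must return True when a don't-fragment ping carrying that
    many payload bytes is answered. `lo` must pass or the path is unusable.
    """
    lo_p = lo - IP_HEADER - ICMP_HEADER
    hi_p = hi - IP_HEADER - ICMP_HEADER
    if not probe(lo_p):
        raise RuntimeError("minimum-size DF probe failed; fix reachability before sizing MTU")
    while lo_p < hi_p:
        mid = (lo_p + hi_p + 1) // 2      # bias upward so the loop ends on a passing size
        if probe(mid):
            lo_p = mid
        else:
            hi_p = mid - 1
    return lo_p + IP_HEADER + ICMP_HEADER


def mss_clamp(mtu: int) -> int:
    """TCP MSS that fits a given MTU: the thread's 1492 -> 1452 pair."""
    return mtu - IP_HEADER - TCP_HEADER


def esp_tunnel_overhead(iv_len: int = 8, block: int = 8, icv_len: int = 12) -> int:
    """Worst-case bytes ESP tunnel mode adds to an inner packet (assumed values).

    Defaults model 3DES-CBC (8-byte IV, 8-byte block) with HMAC-SHA1-96
    (12-byte ICV); use iv_len=16, block=16 for AES-CBC. Padding is taken at
    its maximum of block-1 bytes.
    """
    outer_ip = 20
    esp_hdr = 8              # SPI + sequence number
    trailer = 2              # pad length + next header
    return outer_ip + esp_hdr + iv_len + (block - 1) + trailer + icv_len


def inner_mss_for_tunnel(link_mtu: int, overhead: int) -> int:
    """MSS to clamp on the LAN side so encrypted packets never need fragmenting."""
    return mss_clamp(link_mtu - overhead)


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_path(1492))        # PPPoE-sized path, as in the post
    print("path MTU:", mtu, "-> plain MSS clamp:", mss_clamp(mtu))
    oh = esp_tunnel_overhead()
    print("ESP worst-case overhead:", oh, "-> inner MSS:", inner_mss_for_tunnel(mtu, oh))
```

The point of the last two functions is that 1452 only accounts for the PPPoE link; once traffic enters the tunnel the ESP encapsulation eats more of the 1492, so the clamp on the LAN interface has to be lower still, or the router will fragment or drop the encrypted packets.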
  7. Suppa Lamah

    Suppa Lamah Guest

    Being a Cisco newbie, I initially set up my 837 boxes with SDM, but given
    that I didn't understand much of what was produced (and it didn't work as I
    desired either) I decided to take the opportunity to learn more... so I
    basically studied for several weeks in my spare time to be able to learn the
    basics of Cisco IOS... and to configure this 837 manually.

    Now with my new experience I understand I could just use SDM, like you did,
    and given that the VPN thing works fine I can dump it and analyze it
    line-by-line. It will be a lengthy process, but could eventually solve the
    issue.

    Suppa Lamah

    > The hard bit [for me] was upgrading the IOS. I bought both routers around the
    > same time but one had an older image and didn't support SDM. I copied the
    > image from the new router to the older router and everything works fine.
     
    Suppa Lamah, Dec 19, 2003
    #7
  8. Suppa Lamah

    Suppa Lamah Guest

    Tem, this could be the real thing. I didn't use a loopback either, although
    I saw it used in Cisco router configurations regarding the same ISP's ADSL
    connections, because I could not fully understand its mechanics, so I
    decided to stick with the little knowledge I had and to configure my ADSL
    with just an ATM0.1 sub-interface.

    Could you please retrieve the example you cited and send me some references?
    Thanks in advance.

    Suppa Lamah


    "TEM" <> wrote in message
    news:H8qEb.173938$...
    > I had a similar problem with a 837 to 804 VPN. The examples that I followed
    > did not include a loopback address on the responding router to bypass the
    > NAT translation. If you are also using NAT for internet traffic, you have to
    > use a loopback interface with a "fake" ip and a route map to route
    > interesting traffic away from the NAT. I found an example on cisco.com.
    >
    >
    > "Suppa Lamah" <> wrote in message
    > news:6HhEb.9934$...
    > > I successfully (at least I thought so) created an IPSec connection between
    > > two 12.2 IOS Cisco 837-K9.
    > >
    > > I followed step-by-step several Cisco documents and FAQ, and I had, after
    > > several tries, the IsaKmp SAs up and running, and the traffic correctly
    > > routed via NAT or thrown in the VPN tunnel.
    > >
    > > My PC clients on the separate, private networks (192.168.0.0 and
    > > 192.168.1.0) are able to both navigate the Internet via NAT, and ping the
    > > hosts on the other side of the VPN connection. I also checked for known MTUs
    > > problems, and I can use 15.000 bytes ICMP packets going in and out without
    > > losing any.
    > >
    > > What I cannot do is... anything else! :)
    > >
    > > I see that any connection requesting more than a given, short amount of
    > > resources (cannot tell if the number of open ports is the issue, or, much
    > > more probably, some timeout on TCP connections) just fails.
     
    Suppa Lamah, Dec 19, 2003
    #8
  9. Suppa Lamah

    TEM Guest

    I think the following will cover it.

    ! "fake" loopback that the interesting (VPN) traffic is policy-routed through
    int loopback1
     ip address 172.16.1.1 255.255.255.0
    !
    int e0
     ip policy route-map nonat
    !
    ! next hop sits on the loopback subnet, so matching packets loop through it
    route-map nonat permit 10
     match ip address 120
     set ip next-hop 172.16.1.2
    !
    ! interesting traffic: responding LAN (192.168.1.0) to initiating LAN (10.x)
    access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    ! NAT list: exempt the VPN traffic, translate everything else from the LAN
    ip nat inside source list 102 interface e0
    !
    ! (as posted, lists 120 and 102 name different 10.x subnets; both should
    !  match the same initiating LAN)
    access-list 102 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any

    where the responding LAN is the 192 address and the 10 address is the
    initiating address.

    The idea is to block VPN traffic from the outbound interface (and NAT) and
    route it to the loopback. The VPN traffic goes to the loopback, comes back
    out to the outbound interface and is not recognized as needing NAT.

    I'm sure this is not the most graceful way to do it but it worked for me.

    "Suppa Lamah" <> wrote in message
    news:qjrEb.12707$...
    > Tem, this could be the real thing. I didn't use a loopback either, although
    > I saw it used in Cisco router configurations regarding the same ISP's ADSL
    > connections, because I could not fully understand its mechanics, so I
    > decided to stick with the little knowledge I had and to configure my ADSL
    > with just an ATM0.1 sub-interface.
    >
    > Could you please retrieve the example you cited and send me some references?
    > Thanks in advance.
    >
    > Suppa Lamah
    >
    >
    > "TEM" <> wrote in message
    > news:H8qEb.173938$...
    > > I had a similar problem with a 837 to 804 VPN. The examples that I followed
    > > did not include a loopback address on the responding router to bypass the
    > > NAT translation. If you are also using NAT for internet traffic, you have to
    > > use a loopback interface with a "fake" ip and a route map to route
    > > interesting traffic away from the NAT. I found an example on cisco.com.
    > >
    > >
    > > "Suppa Lamah" <> wrote in message
    > > news:6HhEb.9934$...
    > > > I successfully (at least I thought so) created an IPSec connection between
    > > > two 12.2 IOS Cisco 837-K9.
    > > >
    > > > I followed step-by-step several Cisco documents and FAQ, and I had, after
    > > > several tries, the IsaKmp SAs up and running, and the traffic correctly
    > > > routed via NAT or thrown in the VPN tunnel.
    > > >
    > > > My PC clients on the separate, private networks (192.168.0.0 and
    > > > 192.168.1.0) are able to both navigate the Internet via NAT, and ping the
    > > > hosts on the other side of the VPN connection. I also checked for known MTUs
    > > > problems, and I can use 15.000 bytes ICMP packets going in and out without
    > > > losing any.
    > > >
    > > > What I cannot do is... anything else! :)
    > > >
    > > > I see that any connection requesting more than a given, short amount of
    > > > resources (cannot tell if the number of open ports is the issue, or, much
    > > > more probably, some timeout on TCP connections) just fails.
    >
    >
     
    TEM, Dec 19, 2003
    #9
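To show why the "deny" line in TEM's list 102 is the part that matters, here is a small simulator written for this thread (an added example, not TEM's or Cisco's code). It parses numbered extended ACL lines in IOS syntax and applies the router's outbound order of operations, in which inside-to-outside NAT runs before the crypto map: a packet that NAT has already translated is compared against the crypto ACL with its public source address and is never encrypted, which is exactly the "ping works, everything else dies" pattern when the exemption is missing or incomplete. ACL 102 is copied from the post above; ACL 110 (an assumed crypto ACL), the outside address 203.0.113.1 and the host addresses are constructed for the example, and the loopback/route-map diversion from the post is not modelled.

```python
"""IOS NAT-before-crypto ordering simulator (added example; not the thread's config).

Parses 'access-list <n> permit|deny ip <src> <dst>' lines and evaluates one
inside->outside packet in the order a Cisco router does: NAT first, then the
crypto ACL against whatever source address NAT left on the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src_net: int
    src_wild: int        # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tok: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect plain 'ip' entries of numbered extended ACLs, keyed by list number."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue          # ports/protocol-specific entries are out of scope here
        number, action = tok[1], tok[2]
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(number, []).append(AclEntry(action, *src, *dst))
    return acls


def _in(addr: int, net: int, wild: int) -> bool:
    mask = ~wild & 0xFFFFFFFF
    return addr & mask == net & mask


def acl_action(entries: List[AclEntry], src: str, dst: str) -> str:
    """First-match semantics with the implicit deny at the end of every ACL."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _in(s, e.src_net, e.src_wild) and _in(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def outbound(config: str, nat_list: str, crypto_list: str,
             src: str, dst: str, outside_ip: str) -> Tuple[bool, bool]:
    """Return (was_natted, was_encrypted) for one inside->outside packet."""
    acls = parse_acls(config)
    natted = acl_action(acls.get(nat_list, []), src, dst) == "permit"
    if natted:
        src = outside_ip           # NAT rewrites the source before the crypto map sees it
    encrypted = acl_action(acls.get(crypto_list, []), src, dst) == "permit"
    return natted, encrypted


# Constructed sample config: ACL 102 mirrors the NAT list in the post above,
# ACL 110 is an assumed crypto ACL naming the two private LANs.
GOOD_CONFIG = """
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
# Same config with the NAT exemption dropped: the misconfiguration this thread is about.
BAD_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines() if " deny " not in l)

OUTSIDE = "203.0.113.1"            # documentation address standing in for the WAN IP

if __name__ == "__main__":
    for name, cfg in (("with exemption   ", GOOD_CONFIG), ("without exemption", BAD_CONFIG)):
        print(name, "to VPN peer :", outbound(cfg, "102", "110", "192.168.1.10", "10.10.10.5", OUTSIDE))
        print(name, "to Internet :", outbound(cfg, "102", "110", "192.168.1.10", "198.51.100.7", OUTSIDE))
```

Running it prints (natted, encrypted) for each case: with the deny line the VPN-bound packet is (False, True) and Internet traffic is (True, False); without it the VPN-bound packet becomes (True, False), i.e. it leaves in the clear with the router's public address as source and the far side never sees it. The same parser can be pointed at a "show running-config" dump to check that the NAT list's deny and the crypto ACL's permit name the same pair of subnets, which is the mismatch worth checking in the posted config (10.1.1.0 versus 10.10.10.0).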
