site-to-site VPN between a 1721 and a 857

Discussion in 'Cisco' started by R, Aug 30, 2005.

  1. R

    R Guest

    Hello there. I am rather new at this, but I spent quite some time on it with
    not much of a result so far. Here's the situation: I have set up a site-to-site
    VPN between a Cisco 1721 and a Cisco 857. The tunnel comes up, and I
    can do some things across it, like:

    - from a machine in LAN A, I can ping the interface of the other router in
    LAN B.
    - I can do the opposite as well.
    - but, when I ping a machine of LAN B from a machine of LAN A, only the
    first packet comes back! This is also true if I ping A from B. If I wait a
    couple of minutes, I can do it again, and with the same result: the first packet
    gets an answer, not the others!

    For those interested in the problem, here are sanitized configs :

    On the 857 side :
    ---
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname company-gentilly
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    !
    username theboss privilege 15 password 0 password
    clock timezone PCTime 1
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.241.151.64 10.241.151.254
    ip dhcp ping timeout 1000
    !
    ip dhcp pool sdm-pool
    import all
    network 10.241.151.0 255.255.255.0
    default-router 10.241.151.254
    dns-server 10.241.17.2 80.80.80.1
    netbios-name-server 10.241.17.10
    !
    ip dhcp pool poste1
    host 10.241.151.1 255.255.255.0
    client-identifier 0040.ca5e.0b05
    client-name poste1
    !
    ip dhcp pool poste2
    host 10.241.151.2 255.255.255.0
    client-identifier 0010.b5ff.ac9d
    client-name poste2
    !
    ip dhcp pool imprimante
    host 10.241.151.10 255.255.255.0
    client-identifier 0001.e6aa.ea8b
    client-name imprimante
    !
    !
    no ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip name-server 80.80.80.1
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key a1s2d3f4g5 address 81.81.81.216
    crypto isakmp key a1s2d3f4g5 address 81.171.158.190
    !
    !
    crypto ipsec transform-set togodo-transform-set esp-des esp-md5-hmac
    crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
    crypto ipsec transform-set md5-des-tunnel esp-des esp-md5-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel vers siege company
    set peer 81.81.81.216
    set security-association lifetime seconds 86400
    set transform-set togodo-transform-set
    set pfs group2
    match address 102
    reverse-route
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel vers UK
    set peer 81.171.158.190
    set transform-set togodo-transform-set
    match address 103
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    ip address 10.241.151.254 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname debit
    ppp chap password 0 pbofsa123*
    crypto map SDM_CMAP_1
    crypto ipsec df-bit clear
    !
    router rip
    version 2
    network 10.0.0.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
    ip nat outside source static tcp 81.81.81.224 5901 10.241.151.1 5900 extendable
    ip nat outside source static tcp 81.81.81.224 5902 10.241.151.2 5900 extendable
    ip nat outside source static tcp 81.81.81.224 5903 10.241.151.3 5900 extendable
    ip nat outside source static tcp 81.81.81.224 5904 10.241.151.4 5900 extendable
    ip nat outside source static tcp 81.81.81.224 5905 10.241.151.5 5900 extendable
    !
    ip access-list extended NAT-togodo
    remark NAT togodo
    remark SDM_ACL Category=2
    remark IPSec Rule
    deny ip 10.241.151.0 0.0.0.255 10.217.100.0 0.0.0.255
    remark IPSec Rule
    deny ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
    permit ip 10.241.151.0 0.0.0.255 any
    !
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 81.81.81.218 log
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.217.100.0 0.0.0.255 10.241.151.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
    access-list 101 permit udp host 81.81.81.216 any eq non500-isakmp
    access-list 101 permit udp host 81.81.81.216 any eq isakmp
    access-list 101 permit esp host 81.81.81.216 any
    access-list 101 permit ahp host 81.81.81.216 any
    access-list 101 remark Auto generated by SDM for NTP (123) 192.93.2.20
    access-list 101 permit udp host 192.93.2.20 eq ntp host 81.81.81.224 eq ntp
    access-list 101 permit ahp host 81.81.81.216 host 81.81.81.224
    access-list 101 permit esp host 81.81.81.216 host 81.81.81.224
    access-list 101 permit udp host 81.81.81.216 host 81.81.81.224 eq isakmp
    access-list 101 permit udp host 81.81.81.216 host 81.81.81.224 eq non500-isakmp
    access-list 101 permit ahp host 81.171.158.190 host 81.81.81.224
    access-list 101 permit esp host 81.171.158.190 host 81.81.81.224
    access-list 101 permit udp host 81.171.158.190 host 81.81.81.224 eq isakmp
    access-list 101 permit udp host 81.171.158.190 host 81.81.81.224 eq non500-isakmp
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.217.0.0 0.0.255.255 10.241.151.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.217.100.0 0.0.0.255 10.241.150.0 0.0.0.255
    access-list 101 permit udp host 81.171.158.190 any eq non500-isakmp
    access-list 101 permit udp host 81.171.158.190 any eq isakmp
    access-list 101 permit esp host 81.171.158.190 any
    access-list 101 permit ahp host 81.171.158.190 any
    access-list 101 remark Auto generated by SDM for NTP (123) 192.93.2.20
    access-list 101 permit udp host 192.93.2.20 eq ntp any eq ntp
    access-list 101 permit udp host 80.80.80.1 eq domain any
    access-list 101 remark telnet routeur depuis Internet
    access-list 101 permit tcp any host 81.81.81.224 eq telnet
    access-list 101 remark ping routeur depuis Internet
    access-list 101 permit icmp any host 81.81.81.224
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit ip any any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 101 permit tcp any range 5900 5905 any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.241.151.0 0.0.0.255 10.217.100.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address NAT-togodo
    !
    route-map SDM_RMAP_2 permit 1
    match ip address NAT-togodo
    !
    !
    control-plane
    !
    banner login ^CVous etes connecte au routeur company de Gentilly.
    Acces reserve au personnel autorise.
    ^C
    !
    line con 0
    login local
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    privilege level 15
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    ntp server 192.93.2.20 source Dialer0 prefer
    end

    ---

    and then on the 1721 side :

    ---
    !
    ! Last configuration change at 06:58:14 PCTime Tue Aug 30 2005 by aradmin
    ! NVRAM config last updated at 12:06:35 PCTime Mon Aug 29 2005 by aradmin
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname company-fr
    !
    logging queue-limit 100
    logging buffered 51200 warnings
    !
    username aradmin privilege 15 secret 5 $1$CZCt$0xqhM4wPDwcr2fEnbDQzm0
    username RaphaelVanney privilege 15 secret 5 $1$tZTu$p/oO90je8QmjtPpbQ4AU81
    username pppin password 0 password
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    aaa new-model
    !
    aaa user profile RaphaelVanney
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip domain name yourdomain.com
    ip name-server 80.80.80.1
    !
    !
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    local name company-siege
    pptp tunnel echo 15
    pptp flow-control receive-window 5
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 2
    group 2
    !
    crypto isakmp policy 3
    authentication pre-share
    group 2
    crypto isakmp key 0 a1s2d3f4g5 address 81.81.81.224
    !
    crypto isakmp client configuration group togodo-pptp-clients
    dns 10.241.17.2 10.241.17.15
    wins 10.241.17.10
    pool SDM_POOL_1
    save-password
    !
    !
    crypto ipsec transform-set togodoTransformSet esp-des esp-md5-hmac
    crypto ipsec transform-set pptp-togodo esp-des esp-md5-hmac
    crypto ipsec transform-set UKTransformSet esp-des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel vers Gentilly
    set peer 81.81.81.224
    set security-association lifetime seconds 86400
    set transform-set togodoTransformSet
    set pfs group2
    match address 100
    reverse-route
    !
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.2 point-to-point
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface ATM1
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM1.1 point-to-point
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 2
    !
    !
    interface FastEthernet0
    description reseau local$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$
    ip address 10.241.16.2 255.255.240.0
    ip nat inside
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered Dialer2
    ip nat inside
    peer default ip address pool default
    ppp authentication ms-chap
    !
    interface Dialer1
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname debit
    ppp chap password 0 pbofsa123*
    !
    interface Dialer2
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 2
    dialer-group 2
    ppp authentication chap callin
    ppp chap hostname debit
    ppp chap password 0 pbofsa123*
    crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 10.241.15.100 10.241.15.199
    ip local pool default 10.241.14.100 10.241.14.199
    ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer2
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    !
    !
    ip access-list extended NAT-togodo
    remark SDM_ACL Category=2
    remark IPSec Rule
    deny ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
    deny ip any host 10.241.15.100
    deny ip any host 10.241.15.101
    deny ip any host 10.241.15.102
    deny ip any host 10.241.15.103
    deny ip any host 10.241.15.104
    deny ip any host 10.241.15.105
    deny ip any host 10.241.15.106
    deny ip any host 10.241.15.107
    deny ip any host 10.241.15.108
    deny ip any host 10.241.15.109
    deny ip any host 10.241.15.110
    deny ip any host 10.241.15.111
    deny ip any host 10.241.15.112
    deny ip any host 10.241.15.113
    deny ip any host 10.241.15.114
    deny ip any host 10.241.15.115
    deny ip any host 10.241.15.116
    deny ip any host 10.241.15.117
    deny ip any host 10.241.15.118
    deny ip any host 10.241.15.119
    deny ip any host 10.241.15.120
    deny ip any host 10.241.15.121
    deny ip any host 10.241.15.122
    deny ip any host 10.241.15.123
    deny ip any host 10.241.15.124
    deny ip any host 10.241.15.125
    deny ip any host 10.241.15.126
    deny ip any host 10.241.15.127
    deny ip any host 10.241.15.128
    deny ip any host 10.241.15.129
    deny ip any host 10.241.15.130
    deny ip any host 10.241.15.131
    deny ip any host 10.241.15.132
    deny ip any host 10.241.15.133
    deny ip any host 10.241.15.134
    deny ip any host 10.241.15.135
    deny ip any host 10.241.15.136
    deny ip any host 10.241.15.137
    deny ip any host 10.241.15.138
    deny ip any host 10.241.15.139
    deny ip any host 10.241.15.140
    deny ip any host 10.241.15.141
    deny ip any host 10.241.15.142
    deny ip any host 10.241.15.143
    deny ip any host 10.241.15.144
    deny ip any host 10.241.15.145
    deny ip any host 10.241.15.146
    deny ip any host 10.241.15.147
    deny ip any host 10.241.15.148
    deny ip any host 10.241.15.149
    deny ip any host 10.241.15.150
    deny ip any host 10.241.15.151
    deny ip any host 10.241.15.152
    deny ip any host 10.241.15.153
    deny ip any host 10.241.15.154
    deny ip any host 10.241.15.155
    deny ip any host 10.241.15.156
    deny ip any host 10.241.15.157
    deny ip any host 10.241.15.158
    deny ip any host 10.241.15.159
    deny ip any host 10.241.15.160
    deny ip any host 10.241.15.161
    deny ip any host 10.241.15.162
    deny ip any host 10.241.15.163
    deny ip any host 10.241.15.164
    deny ip any host 10.241.15.165
    deny ip any host 10.241.15.166
    deny ip any host 10.241.15.167
    deny ip any host 10.241.15.168
    deny ip any host 10.241.15.169
    deny ip any host 10.241.15.170
    deny ip any host 10.241.15.171
    deny ip any host 10.241.15.172
    deny ip any host 10.241.15.173
    deny ip any host 10.241.15.174
    deny ip any host 10.241.15.175
    deny ip any host 10.241.15.176
    deny ip any host 10.241.15.177
    deny ip any host 10.241.15.178
    deny ip any host 10.241.15.179
    deny ip any host 10.241.15.180
    deny ip any host 10.241.15.181
    deny ip any host 10.241.15.182
    deny ip any host 10.241.15.183
    deny ip any host 10.241.15.184
    deny ip any host 10.241.15.185
    deny ip any host 10.241.15.186
    deny ip any host 10.241.15.187
    deny ip any host 10.241.15.188
    deny ip any host 10.241.15.189
    deny ip any host 10.241.15.190
    deny ip any host 10.241.15.191
    deny ip any host 10.241.15.192
    deny ip any host 10.241.15.193
    deny ip any host 10.241.15.194
    deny ip any host 10.241.15.195
    deny ip any host 10.241.15.196
    deny ip any host 10.241.15.197
    deny ip any host 10.241.15.198
    deny ip any host 10.241.15.199
    deny ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
    permit ip 10.241.16.0 0.0.15.255 any
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=4
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    !
    route-map SDM_RMAP_1 permit 1
    match ip address NAT-togodo
    !
    radius-server authorization permit missing Service-Type
    banner login ^C
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
    line aux 0
    line vty 0 4
    session-timeout 35791
    transport input telnet ssh
    line vty 5 15
    session-timeout 35791
    transport input telnet ssh
    !
    ntp clock-period 17179985
    ntp server 138.195.130.71 source Dialer2 prefer
    !
    end

    ---

    Thanks for any ideas,

    R.
    R, Aug 30, 2005
    #1

  2. R

    Guest

    R wrote:
    > Hello there. I am rather new at this, but I spent quite some time on it with
    > not much of a result so far. Here's the situation: I have set up a site-to-site
    > VPN between a Cisco 1721 and a Cisco 857. The tunnel comes up, and I
    > can do some things across it, like:
    >
    > - from a machine in LAN A, I can ping the interface of the other router in
    > LAN B.
    > - I can do the opposite as well.
    > - but, when I ping a machine of LAN B from a machine of LAN A, only the
    > first packet comes back! This is also true if I ping A from B. If I wait a
    > couple of minutes, I can do it again, and with the same result: the first packet
    > gets an answer, not the others!
    >
    > For those interested in the problem, here are sanitized configs :
    >

    [...]

    Your config files are too long to read through :)

    Anyway, I think the problem is in the NAT setup. I think you can try
    starting from a simple configuration with the fewest access-lists and no
    static NAT to make sure it works properly, then you can add those extra
    access-lists and static NAT later.

    DT
    Aug 31, 2005
    #2
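Following DT's advice to look at the NAT setup first, here is an added example (my own code, not something from the thread) that cross-checks the two posted configurations: it confirms that the crypto ACLs on the two peers mirror each other, that each side's NAT route-map ACL denies the tunnel traffic before the `permit ... any` that would translate it (IOS ACLs are first-match), and it lists the entries of the 857's inbound access-list 101 that sit after `permit ip any any` and therefore can never match. The configuration text is a constructed, trimmed excerpt of what R posted (the UK crypto map entry, DHCP, inspect and management lines are left out), and the parser only understands the statement shapes that appear in that excerpt.

```python
import re

ANY = ("0.0.0.0", "255.255.255.255")

# Constructed excerpts of the two posted configs, trimmed to what the checks read. A = 857, B = 1721.
CFG_A = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 81.81.81.216
 match address 102
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT-togodo
 deny ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
 permit ip 10.241.151.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 102 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
route-map SDM_RMAP_2 permit 1
 match ip address NAT-togodo
"""
CFG_B = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 81.81.81.224
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip access-list extended NAT-togodo
 deny ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
 permit ip 10.241.16.0 0.0.15.255 any
access-list 100 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address NAT-togodo
"""

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acls(cfg):
    """{acl: [(action, src, dst), ...]} in configured order; numbered and named ACLs, 'ip' entries only."""
    acls, current = {}, None
    for raw in cfg.splitlines():
        if not raw[:1].isspace():
            current = None  # an unindented line ends a named-ACL block
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            continue
        m = re.match(r"(?:access-list (\S+) )?(permit|deny) ip (.+)", line)
        if not m or not (m.group(1) or current):
            continue
        name, action, rest = m.groups()
        src, rest = _addr(rest.split())
        acls.setdefault(name or current, []).append((action, src, _addr(rest)[0]))
    return acls

def nat_acl(cfg):
    """ACL behind the inside-source NAT route-map (assumes 'match ip address' follows the header)."""
    rm = re.search(r"ip nat inside source route-map (\S+)", cfg).group(1)
    pat = r"^route-map %s permit \d+\n\s+match ip address (\S+)" % re.escape(rm)
    return re.search(pat, cfg, re.M).group(1)

def crypto_acl(cfg):
    """ACL named by the first 'match address' of a crypto map entry."""
    return re.search(r"^\s*match address (\S+)", cfg, re.M).group(1)

def mirrors(acl_a, acl_b):
    """Each side's crypto permits must equal the other's with src/dst swapped."""
    pa = {e for e in acl_a if e[0] == "permit"}
    return pa == {(a, d, s) for a, s, d in acl_b if a == "permit"}

def nat_exempts(nat, crypto):
    """True if every crypto permit hits a NAT-ACL deny before a permit that would translate it."""
    for _, src, dst in (e for e in crypto if e[0] == "permit"):
        for action, nsrc, ndst in nat:
            if nsrc == src and ndst in (dst, ANY):  # exact pair or 'src -> any'
                if action == "deny":
                    break
                return False  # translated before encryption is considered
        else:
            return False  # nothing in the NAT ACL addresses this flow
    return True

def shadowed(acl):
    """Indices of entries after a 'permit ip any any'; IOS can never reach them."""
    for i, (action, src, dst) in enumerate(acl):
        if action == "permit" and src == ANY and dst == ANY:
            return list(range(i + 1, len(acl)))
    return []

def run_checks(cfg_a, cfg_b):
    """Run all checks on a peer pair; results keyed by check name."""
    acls_a, acls_b = parse_acls(cfg_a), parse_acls(cfg_b)
    ca, cb = acls_a[crypto_acl(cfg_a)], acls_b[crypto_acl(cfg_b)]
    return {"crypto_acls_mirror": mirrors(ca, cb),
            "nat_exempt_a": nat_exempts(acls_a[nat_acl(cfg_a)], ca),
            "nat_exempt_b": nat_exempts(acls_b[nat_acl(cfg_b)], cb),
            "shadowed_in_101_a": shadowed(acls_a.get("101", []))}
```

On these excerpts the mirror and NAT-exemption checks pass, so the script does not by itself explain the first-packet-only symptom; it rules out the most common NAT mistake and leaves the remaining statements (static NAT, inspect, reverse-route with RIP) as the next things to strip back, as DT suggests. The shadowing check returns `[1, 2]` for the 857's access-list 101: with `permit ip any any` ahead of the private-range denies, the denies never fire. Separately from the symptom, the posted configs permit telnet to the 857 from the Internet, keep `no service password-encryption`, and use `esp-des` with MD5 on both sides; those are worth revisiting once the tunnel works.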

  3. R

    R Guest

    Hello. Thanks for the tip, I'll give that a go. Sorry for the long configs,
    but I thought if I reduced them I might just as well remove the cause of the
    problem!

    R.

    <> wrote in the news message:
    ...
    >R wrote:
    >> Hello there. I am rather new at this, but I spent quite some time on it with
    >> not much of a result so far. Here's the situation: I have set up a site-to-site
    >> VPN between a Cisco 1721 and a Cisco 857. The tunnel comes up, and I
    >> can do some things across it, like:
    >>
    >> - from a machine in LAN A, I can ping the interface of the other router in
    >> LAN B.
    >> - I can do the opposite as well.
    >> - but, when I ping a machine of LAN B from a machine of LAN A, only the
    >> first packet comes back! This is also true if I ping A from B. If I wait a
    >> couple of minutes, I can do it again, and with the same result: the first packet
    >> gets an answer, not the others!
    >>
    >> For those interested in the problem, here are sanitized configs :
    >>

    > [...]
    >
    > Your config files are too long to read through :)
    >
    > Anyway, I think the problem is in the NAT setup. I think you can try
    > starting from a simple configuration with the fewest access-lists and no
    > static NAT to make sure it works properly, then you can add those extra
    > access-lists and static NAT later.
    >
    > DT
    >
    R, Sep 2, 2005
    #3
