VPN three sites 1 not working right

Discussion in 'Cisco' started by mcdowell.alex@gmail.com, Feb 4, 2007.

  1. Guest

    Hi, I am having some trouble getting a new router to work with my
    already established VPN. I have two 831s that are connected and
    working running 12.2. The newest router is a 871w and has newer IOS
    version 12.3. (are the version differences a problem?) Currently I can
    ping any of the routers from the new 871, but cannot ping inside the
    networks. Also I can ping the new router from the others but cannot
    ping a machine inside the network. Here are my configs--> Main office
    router first(10.10.1.1 internal network 10.10.0.x), then the other
    831(10.20.1.1 internal 10.20.0.x) then the new 871w(10.30.1.1 internal
    10.30.0.x). Thanks for any help it is very much appreciated.

    ROUTER 1 ROUTER 1

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Hxxxx
    !
    enable secret 5 $
    enable password 7 0
    !
    username CRWS
    aaa new-model
    !
    !
    aaa authentication login Local local
    aaa authorization network default local
    aaa session-id common
    ip subnet-zero
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    ip dhcp excluded-address 10.10.1.1
    ip dhcp excluded-address 10.10.1.100
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.0.1 10.10.0.30
    !
    ip dhcp pool CLIENT
    network 10.10.0.0 255.255.0.0
    default-router 10.10.1.1
    dns-server x.x.x.x x.x.x.x
    lease 0 2
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 7
    hash md5
    authentication pre-share
    !
    crypto isakmp policy 20
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key xxxx address ROUTER 2 IP no-xauth
    crypto isakmp key xxxx address ROUTER 3 IP no-xauth
    !
    crypto isakmp client configuration group VPNCLient
    key
    domain
    pool VPN-pool
    acl 103
    !
    !
    crypto ipsec transform-set dun esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynamic 20
    set transform-set dun
    !
    !
    crypto map vpn local-address Ethernet1
    crypto map vpn client authentication list Local
    crypto map vpn isakmp authorization list local
    crypto map vpn client configuration address initiate
    crypto map vpn client configuration address respond
    crypto map vpn 10 ipsec-isakmp
    set peer ROUTER 2 IP
    set transform-set dun
    match address 101
    crypto map vpn 12 ipsec-isakmp
    set peer ROUTER 3 IP
    set transform-set dun
    match address 104
    crypto map vpn 20 ipsec-isakmp dynamic dynamic
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:
    10.10.1.1-255.255.0.0
    ip address 10.10.1.1 255.255.0.0
    ip nat inside
    no ip mroute-cache
    no cdp enable
    hold-queue 32 in
    hold-queue 100 out
    !
    interface Ethernet1
    ip address x.x.x.x 255.255.255.0
    ip nat outside
    no ip mroute-cache
    no cdp enable
    crypto map vpn
    !
    ip local pool VPN-pool 192.168.250.1 192.168.250.254
    ip nat inside source list 102 interface Ethernet1 overload
    ip nat inside source route-map nonat interface Ethernet1 overload
    ip nat inside source static tcp 10.10.10.1 10000 interface Ethernet1
    10000
    ip nat inside source static tcp 10.10.10.1 22 interface Ethernet1 22
    ip nat inside source static tcp 10.10.0.5 69 interface Ethernet1 69
    ip classless
    ip route 0.0.0.0 0.0.0.0 x.x.x.1
    ip http server
    !
    !
    access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
    access-list 101 deny ip 10.10.0.0 0.0.255.255 any
    access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
    access-list 102 deny ip 10.10.0.0 0.0.255.255 192.168.250.0
    0.0.0.255
    access-list 102 permit ip 10.10.0.0 0.0.255.255 any
    access-list 102 deny ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
    access-list 103 permit ip 10.10.0.0 0.0.255.255 any
    access-list 104 permit ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
    access-list 104 deny ip 10.10.0.0 0.0.255.255 any
    no cdp run
    route-map nonat permit 10
    match ip address 102
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    password 7 0205165E01165F7218
    length 0
    !
    scheduler max-task-time 5000
    end

    --------------------------------------------------------------------------------------------------------------

    ROUTER 2 ROUTER 2

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Dxxxxxx
    !
    enable secret 5
    enable password 7
    !
    username admin
    ip subnet-zero
    ip name-server 151.201.0.39
    ip name-server 151.197.0.39
    ip dhcp excluded-address 10.20.1.1
    ip dhcp excluded-address 10.20.10.1
    !
    ip dhcp pool CLIENT
    network 10.20.0.0 255.255.0.0
    default-router 10.20.1.1
    dns-server x.x.x.x x.x.x.x
    lease 0 2
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key xxxx address ROUTER 1 IP no-xauth
    crypto isakmp key xxxx address ROUTER 2 IP no-xauth
    !
    !
    crypto ipsec transform-set huntesp-3des esp-md5-hmac
    !
    crypto map vpn 10 ipsec-isakmp
    set peer ROUTER 1 IP
    set transform-set hunt
    match address 101
    crypto map vpn 12 ipsec-isakmp
    set peer ROUTER 3 IP
    set transform-set hunt
    match address 104
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:
    10.20.1.1-255.255.0.0
    ip address 10.20.1.1 255.255.0.0
    ip nat inside
    no ip mroute-cache
    no cdp enable
    hold-queue 32 in
    hold-queue 100 out
    !
    interface Ethernet1
    ip address x.x.x.x 255.255.255.0
    ip nat outside
    no ip mroute-cache
    no cdp enable
    crypto map vpn
    !
    ip nat inside source list 102 interface Ethernet1 overload
    ip nat inside source static tcp 10.20.10.1 22 interface Ethernet1 22
    ip nat inside source static tcp 10.20.10.1 10000 interface Ethernet1
    10000
    ip classless
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip http server
    !
    !
    access-list 101 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 101 deny ip 10.20.0.0 0.0.255.255 any
    access-list 102 deny ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 102 permit ip 10.20.0.0 0.0.255.255 any
    access-list 104 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
    access-list 104 deny ip 10.20.0.0 0.0.255.255 any
    no cdp run
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    end
    -----------------------------------------------------------------------------------------------------------

    NEW ROUTER 3 ROUTER 3

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Lxxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    no logging console
    enable secret 5 $
    !
    username
    clock timezone PCTime 0
    clock summer-time PCTime
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    ip dhcp excluded-address 10.30.0.1
    ip dhcp excluded-address 10.30.0.255 10.30.255.254
    !
    ip dhcp pool sdm-pool1
    import all
    network 10.30.0.0 255.255.0.0
    dns-server x.x.x.x x.x.x.x
    default-router 10.30.1.1
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key xxxx address ROUTER1 IP no-xauth
    crypto isakmp key xxxx address ROUTER2 IP no-xauth
    !
    !
    crypto ipsec transform-set hunt esp-3des esp-md5-hmac
    !
    crypto map vpn 10 ipsec-isakmp
    set peer ROUTER 1 IP
    set transform-set hunt
    match address 101
    crypto map vpn 12 ipsec-isakmp
    set peer ROUTER 2 IP
    set transform-set hunt
    match address 103
    !
    bridge irb
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    ip address ROUTER 3 IP 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    crypto map vpn
    !
    interface Dot11Radio0
    no ip address
    !
    encryption key 1 size 128bit 7 4F2977474B5120126661798B3953 transmit-
    key
    encryption mode wep mandatory
    !
    ssid bmzltown
    authentication open
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
    36.0 48.0 54.0
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    bridge-group 1
    !
    interface BVI1
    description $ES_LAN$
    ip address 10.30.1.1 255.255.0.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source route-map nonat interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.30.0.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=2
    access-list 100 deny ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 100 permit ip 10.30.0.0 0.0.0.255 any
    access-list 101 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 101 deny ip 10.30.0.0 0.0.255.255 any
    access-list 102 deny ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 102 permit ip 10.30.0.0 0.0.255.255 any
    access-list 103 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
    access-list 103 deny ip 10.30.0.0 0.0.255.255 any
    no cdp run
    route-map nonat permit 10
    match ip address 100
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    login local
    transport preferred all
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    , Feb 4, 2007
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?RHJhZ29ueA==?=

    wifi not working on new hp, or not working after live update

    =?Utf-8?B?RHJhZ29ueA==?=, Oct 2, 2005, in forum: Wireless Networking
    Replies:
    1
    Views:
    915
    =?Utf-8?B?RHJhZ29ueA==?=
    Oct 2, 2005
  2. Marko Uusitalo
    Replies:
    1
    Views:
    1,488
    Frank Durham
    Apr 11, 2005
  3. Evolution
    Replies:
    0
    Views:
    378
    Evolution
    Dec 15, 2005
  4. dnash
    Replies:
    0
    Views:
    531
    dnash
    Jan 2, 2008
  5. Harry Stottle
    Replies:
    0
    Views:
    968
    Harry Stottle
    Jan 5, 2010
Loading...

Share This Page