Cisco 837 to Cisco 837 VPN, ping OK, NetBios / VNC DROPPING!

I successfully (at least I thought so) created an IPSec connection between
two 12.2 IOS Cisco 837-K9.

I followed step-by-step several Cisco documents and FAQ, and I had, after
several tries, the IsaKmp SAs up and running, and the traffic correctly
routed via NAT or thrown in the VPN tunnel.

My PC clients on the separate, private networks (192.168.0.0 and
192.168.1.0) are able to both navigate the Internet via NAT, and ping the
hosts on the other side of the VPN connection. I also checked for known MTUs
problems, and I can use 15.000 bytes ICMP packets going in and out without
losing any.

What I cannot do is... anything else!

I sees any connection requesting more than a given, short amout of resources
(cannot tell if a number of open ports is the issue, or, much more probable,
some timeout on TCP connections) just fails.

Example: I can successfully map a "NET USE LPT2: \\192.168.0.10\QUEUE1"
printer on the other side of the connection, AND print a very short, DOS
document (example: "dir > test.txt", followed by "copy test.txt lpt2:"). If
I try to print a Windows document via Wordpad it fails ("the network name
cannot be found" and such, like the connection was dropped in the middle of
the operation).

I can successfully map a drive "NET USE K: \\192.168.0.10\HARDDISK", but a
"DIR K:\" command results in only the volume label being shown, after that
couple lines... no more communications take place.

I also verified that using a remote control software such as VNC
(http://www.realvnc.com) I can successfully open the remote screen AND MOVE
THE MOUSE (this is told to me from a person being on the other side),
although I am unable to see anything because I have a black screen, and the
session fails soon...

I tried anything I could think of... I downloaded and checked several
documents with VPN examples, but to no avail.

I also removed, to be very, very sure about it, ALL access lists on the
external interfaces on both sides (then verified by using an external port
scanner which confirmed all ports were open).

Does anybody experienced anything similare and could help? Thanks in
advance...


Suppa Lamah

 

Sounds like an MTU issue. Lower the MTU on one of your workstations and
test the same activities that you mentioned above.

 

With or without the -f parameter? To test MTU you need to use this
parameter.

Richard.

 

With very little CISCO knowledge I managed to set up [ipsec VPN tunnels
between a couple of 837's using SDM

the hard bit [for me] was upgrading the IOS i bought both routers around the
same time but one had a older image and didn't support SDM. copied image
from new router to older router and everytihing works fine.

Image name: c837-k9o3sy6-mz.122-13.ZH.bin

Ignore this comment if it's completely irrelevent, i don't even know what an
MTU is )

I can let you have configs if that helps?

Regards,

G.

 

I had a similar problem with a 837 to 804 VPN. The examples that I followed
did not include a loopback address on the responding router to bypass the
NAT translation. If you are also using NAT for internet traffic, you have to
use a loopback interface with a "fake" ip and a route map to route
interesting traffic away from the NAT. I found an example on cisco.com

 

How could I be so silly, no, I didn't use the -f parameter.

But, suspecting MTUs issues, I read and applied blindly several known tips
about MTUs:

- ip tcp adjust-mss 1452 ---> eth0
- ip MTU 1492 ---> atm0 / atm0.1 (on point-to-point connections)
- ip tcp adjust-mss 1452 ---> dialer1 (on pppoe connections)

I will re-issue the ping test, anyway, thanks for your input.

Suppa Lamah

 

Being a Cisco newbye, I initially set up my 837 boxes with SDM, but giving
that I didn't understand much of what was produced (and neither it worked as
I desired) I decided to catch che opportunity to learn more... so I
basically studied for several weeks in my spare time to be able to learn the
basics of Cisco IOSs... and to configure this 837 manually.

Now with my new experiences I understand I could just use SDM, like you did,
and given the VPN thing works fine I can dump it and analyze it
line-by-line. It will be a lenghty process, but could eventually solve the
issue.

Suppa Lamah

 

Tem, this could be the real thing. I didn't use a loopback either, although
I saw it used in Cisco router configurations regarding the same ISP's ADSL
connections, because I could not fully understand its mechanics, so I
decided to stick with the little knowledge I had and to configure my ADSL
with just an ATM0.1 sub-interface.

Could you please retrieve the example you cited and send me some references?
Thanks in advance.

Suppa Lamah

 

I think the following will cover it.

int loopback1

ip address 172.16.1.1 255.255.255.0



int e0

ip policy route-map nonat



route-map nonat permit 10

match ip address 120

set ip next-hop 172.16.1.2



access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255



ip nat inside source list 102 interface e0



access-list 102 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any





where the responding LAN is the 192 address and the 10 address is the
initiating address.



The idea is to block VPN traffic from the outbound interface (and NAT) and
route it to the loopback. The VPN traffic goes to the loopback, comes back
out to the outbound interface and is not recognized as needing NAT.



I'm sure this is not the most graceful way to do it but it worked for me.