Cisco 837 to Cisco 837 VPN, ping OK, NetBios / VNC DROPPING!

Discussion in 'Cisco' started by Suppa Lamah, Dec 18, 2003.

  1. Suppa Lamah Guest

    I successfully (at least I thought so) created an IPSec connection between
    two 12.2 IOS Cisco 837-K9.

    I followed several Cisco documents and FAQs step by step, and after
    several tries I had the ISAKMP SAs up and running, and the traffic correctly
    routed via NAT or thrown into the VPN tunnel.

    My PC clients on the separate, private networks (192.168.0.0 and
    192.168.1.0) are able both to navigate the Internet via NAT and to ping the
    hosts on the other side of the VPN connection. I also checked for known MTU
    problems, and I can use 15,000-byte ICMP packets going in and out without
    losing any.

    What I cannot do is... anything else! :)

    I see that any connection requesting more than a given, short amount of
    resources (I cannot tell if the number of open ports is the issue or, much
    more probably, some timeout on TCP connections) just fails.

    Example: I can successfully map a "NET USE LPT2: \\192.168.0.10\QUEUE1"
    printer on the other side of the connection, AND print a very short, DOS
    document (example: "dir > test.txt", followed by "copy test.txt lpt2:"). If
    I try to print a Windows document via Wordpad it fails ("the network name
    cannot be found" and such, like the connection was dropped in the middle of
    the operation).

    I can successfully map a drive "NET USE K: \\192.168.0.10\HARDDISK", but a
    "DIR K:\" command results in only the volume label being shown; after those
    couple of lines... no more communication takes place.

    I also verified that using a remote control software such as VNC
    (http://www.realvnc.com) I can successfully open the remote screen AND MOVE
    THE MOUSE (this is told to me from a person being on the other side),
    although I am unable to see anything because I have a black screen, and the
    session fails soon...

    I tried anything I could think of... I downloaded and checked several
    documents with VPN examples, but to no avail.

    I also removed, to be very, very sure about it, ALL access lists on the
    external interfaces on both sides (then verified by using an external port
    scanner which confirmed all ports were open).

    Has anybody experienced anything similar and could help? Thanks in
    advance...


    Suppa Lamah
     
    Suppa Lamah, Dec 18, 2003
    #1

  2. Rik Bain Guest


    Sounds like an MTU issue. Lower the MTU on one of your workstations and
    test the same activities that you mentioned above.
     
    Rik Bain, Dec 18, 2003
    #2

  3. Richard Antony Burton Guest

    With or without the -f parameter? To test MTU you need to use this
    parameter.

    Richard.
     
    Richard Antony Burton, Dec 18, 2003
    #3
  4. Graeme Guest

    With very little Cisco knowledge I managed to set up IPsec VPN tunnels
    between a couple of 837's using SDM.

    The hard bit (for me) was upgrading the IOS: I bought both routers around the
    same time but one had an older image and didn't support SDM. I copied the
    image from the new router to the older router and everything works fine.

    Image name: c837-k9o3sy6-mz.122-13.ZH.bin

    Ignore this comment if it's completely irrelevant, I don't even know what an
    MTU is :)

    I can let you have configs if that helps?

    Regards,

    G.
     
    Graeme, Dec 18, 2003
    #4
  5. TEM Guest

    I had a similar problem with a 837 to 804 VPN. The examples that I followed
    did not include a loopback address on the responding router to bypass the
    NAT translation. If you are also using NAT for internet traffic, you have to
    use a loopback interface with a "fake" ip and a route map to route
    interesting traffic away from the NAT. I found an example on cisco.com
     
    TEM, Dec 18, 2003
    #5
  6. Suppa Lamah Guest

    How could I be so silly, no, I didn't use the -f parameter.

    But, suspecting MTU issues, I read and blindly applied several known tips
    about MTUs:

    - ip tcp adjust-mss 1452 ---> eth0
    - ip mtu 1492 ---> atm0 / atm0.1 (on point-to-point connections)
    - ip tcp adjust-mss 1452 ---> dialer1 (on pppoe connections)

    I will re-issue the ping test, anyway, thanks for your input.

    Suppa Lamah
     
    Suppa Lamah, Dec 18, 2003
    #6
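The two posts above leave the arithmetic implicit: 1452 is 1492 minus the 40 bytes of IPv4 and TCP headers, which is right for plain PPPoE but ignores the ESP encapsulation that the tunnel adds to every packet, so a 1492-byte inner packet can no longer fit the link once it is encrypted. The script below is an added example, not code from the thread or from Cisco; it computes the MSS clamp for a stack of encapsulations and, as Richard suggested, probes the real path MTU with the DF bit set. The encapsulation names, the worst-case ESP overhead figures, and the Linux iputils `ping -M do` flags are my assumptions (the thread's users would type `ping -f -l <size>` on Windows instead).

```shell
#!/bin/sh
# Added example (not from the thread): MSS clamp arithmetic and a DF-bit
# path-MTU probe for an IPsec tunnel over a PPPoE/ATM link.
# Overhead values are worst-case assumptions for the named encapsulations.

# overhead_of ENCAP -> bytes that ENCAP adds to every packet
overhead_of() {
    case "$1" in
        pppoe)         echo 8 ;;   # PPPoE header (6) + PPP protocol field (2)
        gre)           echo 24 ;;  # outer IPv4 (20) + GRE header (4)
        # ESP tunnel mode: outer IPv4 20 + SPI/seq 8 + IV + worst-case padding
        # + pad-length/next-header 2 + HMAC-SHA1-96 ICV 12
        esp-3des-sha1) echo 57 ;;  # IV 8, up to 7 bytes of padding
        esp-aes-sha1)  echo 73 ;;  # IV 16, up to 15 bytes of padding
        *) echo "unknown encapsulation: $1" >&2; return 1 ;;
    esac
}

# clamp_mss LINK_MTU [ENCAP ...]
# Largest TCP MSS whose full-size segment still fits LINK_MTU after the
# listed encapsulations are added. 40 = IPv4 (20) + TCP (20) headers.
clamp_mss() {
    mtu=$1; shift
    for enc in "$@"; do
        ov=$(overhead_of "$enc") || return 1
        mtu=$((mtu - ov))
    done
    echo $((mtu - 40))
}

# probe_mtu HOST [LOW] [HIGH]
# Binary-search the largest IPv4 packet that reaches HOST with DF set.
# Linux iputils: -M do sets DF, -s is the ICMP payload; 28 = IPv4 + ICMP
# headers. Windows equivalent: ping -f -l <payload> HOST
probe_mtu() {
    host=$1; lo=${2:-576}; hi=$(( ${3:-1500} + 1 ))   # invariant: lo passes, hi fails
    if ! ping -M do -c 1 -W 2 -s $((lo - 28)) "$host" >/dev/null 2>&1; then
        echo "no reply from $host even at $lo bytes" >&2
        return 1
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 2 -s $((mid - 28)) "$host" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

if [ "${1:-}" = "--probe" ]; then
    probe_mtu "$2"
else
    # The values behind the thread's tips and what the tunnel does to them:
    echo "PPPoE on a 1500-byte link, no tunnel:  $(clamp_mss 1500 pppoe)"        # 1452
    echo "1492-byte ATM/PPPoE link, no tunnel:   $(clamp_mss 1492)"              # 1452
    echo "same link inside ESP-3DES-SHA1:        $(clamp_mss 1492 esp-3des-sha1)" # 1395
    echo "PPPoE + ESP-AES-SHA1 on a 1500 link:   $(clamp_mss 1500 pppoe esp-aes-sha1)" # 1379
fi
```

Run it with no arguments for the table, or `./mtu.sh --probe 192.168.0.10` from a PC on one LAN against a host on the other to find the largest packet the tunnel actually passes; if that number is below the inner MTU the routers assume, large SMB and VNC segments are being dropped for want of fragmentation, which matches the "short transfers work, long ones die" symptom above.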
  7. Suppa Lamah Guest

    Being a Cisco newbie, I initially set up my 837 boxes with SDM, but given
    that I didn't understand much of what was produced (and it didn't work as I
    desired either) I decided to seize the opportunity to learn more... so I
    basically studied for several weeks in my spare time to learn the basics of
    Cisco IOS... and to configure this 837 manually.

    Now, with my new experience, I understand I could just use SDM, like you did,
    and given that the VPN thing works fine I can dump it and analyze it
    line by line. It will be a lengthy process, but could eventually solve the
    issue.

    Suppa Lamah
     
    Suppa Lamah, Dec 19, 2003
    #7
  8. Suppa Lamah Guest

    TEM, this could be the real thing. I didn't use a loopback either. Although
    I saw it used in Cisco router configurations for the same ISP's ADSL
    connections, I could not fully understand its mechanics, so I decided to
    stick with the little knowledge I had and to configure my ADSL with just an
    ATM0.1 sub-interface.

    Could you please retrieve the example you cited and send me some references?
    Thanks in advance.

    Suppa Lamah
     
    Suppa Lamah, Dec 19, 2003
    #8
  9. TEM Guest

    I think the following will cover it.

    ! Loopback used as a "bounce" next hop for tunnel-bound traffic
    interface Loopback1
     ip address 172.16.1.1 255.255.255.0
    !
    ! LAN interface: policy-route the VPN traffic to the loopback
    interface Ethernet0
     ip policy route-map nonat
    !
    route-map nonat permit 10
     match ip address 120
     set ip next-hop 172.16.1.2
    !
    ! "Interesting" (VPN) traffic: local LAN to the remote LAN
    access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    ! NAT everything else. The interface named here must be the one carrying
    ! "ip nat outside"; "overload" gives many-to-one PAT on its address.
    ip nat inside source list 102 interface Ethernet0 overload
    !
    ! Deny must name the same remote LAN as list 120 (the original post had
    ! 10.10.10.0 here, which would have left the VPN traffic subject to NAT)
    access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any

    where the responding LAN is the 192 address and the 10 address is the
    initiating address.

    The idea is to block VPN traffic from the outbound interface (and NAT) and
    route it to the loopback. The VPN traffic goes to the loopback, comes back
    out to the outbound interface and is not recognized as needing NAT.

    I'm sure this is not the most graceful way to do it but it worked for me.
     
    TEM, Dec 19, 2003
    #9
