VPN Traffic going to all clients but not to server on one end

Discussion in 'Cisco' started by Walters, May 29, 2006.

  1. Walters

    Walters Guest

    I have been working with these two 1800 series routers trying to set up
    a DMVPN and I am having troubles with only one end. The spoke end has a
    server in it that I have NAT entries for. It is our email server and
    web server. Its address is 10.0.0.20. When the Tunnel comes up it loads
    all the OSPF routing tables and clients can ping between each other on
    both ends, but when a client from the "LC-BOTH-R1" side tries to access
    the server on the "LC-FLOR-R1" side it times out. When pinging from the
    router "LC-BOTH-R1" it will talk to 10.0.0.20 but this is the only case
    for remote connectivity.

    Please help! I am posting the full configs below.

    Thanks,

    Adam Walters


    ******** Hub Router *****************************************
    Current configuration : 3132 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname LC-BOTH-R1
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable password 7 XXXXXXXXXXXXX
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip inspect name in2out rcmd
    ip inspect name in2out ftp
    ip inspect name in2out tftp
    ip inspect name in2out tcp timeout 43200
    ip inspect name in2out http
    ip inspect name in2out udp
    ip inspect name in2out icmp
    !
    !
    !
    username XXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXXXXX address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
    set transform-set ESP-3DES-SHA
    !
    !
    !
    !
    !
    interface Tunnel0
    description VPN
    bandwidth 1000
    ip address 10.99.99.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication DMVPN_NW
    ip nhrp map multicast dynamic
    ip nhrp network-id 100000
    ip nhrp holdtime 360
    no ip route-cache cef
    no ip route-cache
    ip ospf network broadcast
    ip ospf priority 2
    delay 1000
    tunnel source FastEthernet0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile SDM_Profile1
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface FastEthernet0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.0
    ip access-group 100 in
    ip nat outside
    ip inspect in2out out
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
    description LAN
    ip address 10.0.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Async1
    no ip address
    encapsulation slip
    !
    router ospf 1
    log-adjacency-changes
    network 1.1.1.0 0.0.0.255 area 0
    network 10.0.1.0 0.0.0.255 area 0
    network 10.99.99.0 0.0.0.255 area 0
    !
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
    !
    !
    ip http server
    no ip http secure-server
    ip nat inside source static tcp 10.0.1.1 23 interface FastEthernet0 23
    ip nat inside source route-map nonat interface FastEthernet0 overload
    ip nat inside source static tcp 10.0.1.21 3389 interface FastEthernet0 3389
    !
    access-list 100 permit udp any host XXX.XXX.XXX.XXX eq isakmp
    access-list 100 permit esp any host XXX.XXX.XXX.XXX
    access-list 100 permit gre any host XXX.XXX.XXX.XXX
    access-list 100 deny ip any any
    access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 110 permit ip 10.0.1.0 0.0.0.255 any
    !
    !
    !
    route-map nonat permit 10
    match ip address 110
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    logging synchronous
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
    !
    !
    webvpn context Default_context
    ssl authenticate verify all
    !
    no inservice
    !
    end



    ************************ Spoke Router ***********************************
    Current configuration : 4210 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname LC-FLOR-R1
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip inspect name in2out rcmd
    ip inspect name in2out ftp
    ip inspect name in2out tftp
    ip inspect name in2out tcp timeout 43200
    ip inspect name in2out http
    ip inspect name in2out udp
    ip inspect name in2out icmp
    !
    !
    !
    username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
    set transform-set ESP-3DES-SHA
    !
    !
    !
    !
    !
    interface Tunnel0
    description VPN
    bandwidth 1000
    ip address 10.99.99.2 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication DMVPN_NW
    ip nhrp map multicast dynamic
    ip nhrp map 10.99.99.1 XXX.XXX.XXX.XXX
    ip nhrp map multicast XXX.XXX.XXX.XXX
    ip nhrp network-id 100000
    ip nhrp holdtime 360
    ip nhrp nhs 10.99.99.1
    ip ospf network broadcast
    ip ospf priority 0
    delay 1000
    tunnel source FastEthernet0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile SDM_Profile1
    !
    interface Loopback0
    ip address 2.2.2.2 255.255.255.0
    !
    interface FastEthernet0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.0
    ip access-group 100 in
    ip nat outside
    ip inspect in2out out
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
    description LAN
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Async1
    no ip address
    encapsulation slip
    !
    router ospf 1
    log-adjacency-changes
    redistribute connected
    network 2.2.2.0 0.0.0.255 area 0
    network 10.0.0.0 0.0.0.255 area 0
    network 10.99.99.0 0.0.0.255 area 0
    !
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
    !
    !
    ip http server
    no ip http secure-server
    ip nat inside source static tcp 10.0.0.20 3389 interface FastEthernet0 3389
    ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
    ip nat inside source static tcp 10.0.0.20 25 interface FastEthernet0 25
    ip nat inside source route-map nonat interface FastEthernet0 overload
    !
    !
    access-list 100 permit udp any host XXX.XXX.XXX.XXX eq isakmp
    access-list 100 permit esp any host XXX.XXX.XXX.XXX
    access-list 100 permit gre any host XXX.XXX.XXX.XXX
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 permit tcp host XXX.XXX.XXX.XXX any eq smtp
    access-list 100 deny tcp any any eq smtp
    access-list 100 permit tcp any any
    access-list 100 permit ip any any
    access-list 100 permit udp any any
    access-list 100 deny ip any any
    access-list 110 permit ip 10.0.0.0 0.0.0.255 any
    !
    !
    !
    route-map nonat permit 10
    match ip address 110
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    logging synchronous
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7 XXXXXXXXXXXXXXXXXXX
    transport input telnet
    !
    !
    webvpn context Default_context
    ssl authenticate verify all
    !
    no inservice
    !
    end
     
    Walters, May 29, 2006
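
An added example, not part of the original post: a small Python check that pulls the NAT statements out of the two posted configs and compares them, listing which inside hosts have static port translations and what each router's ACL 110 (the ACL behind `route-map nonat`) decides for traffic between the two LANs. The client address 10.0.1.50 and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: NAT-related lines taken from the two posted configs.
HUB = """\
ip nat inside source static tcp 10.0.1.1 23 interface FastEthernet0 23
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 10.0.1.21 3389 interface FastEthernet0 3389
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
"""
SPOKE = """\
ip nat inside source static tcp 10.0.0.20 3389 interface FastEthernet0 3389
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat inside source static tcp 10.0.0.20 25 interface FastEthernet0 25
ip nat inside source route-map nonat interface FastEthernet0 overload
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
"""

STATIC = re.compile(
    r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) interface \S+ \d+$", re.M)
# Handles only the ACL shape used in the post: network/wildcard source,
# and either "any" or network/wildcard as destination.
ACL = re.compile(
    r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$", re.M)

def net(addr, wildcard):
    """Convert an IOS address + wildcard mask into an ip_network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def static_hosts(cfg):
    """Map each inside host with static port translations to its ports."""
    hosts = {}
    for host, port in STATIC.findall(cfg):
        hosts.setdefault(host, []).append(int(port))
    return hosts

def acl_decision(cfg, acl_id, src, dst):
    """First-match result of an ACL for one flow. For the ACL behind route-map
    nonat, 'permit' = eligible for overload NAT, 'deny' = exempt from it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, sa, sw, da, dw in ACL.findall(cfg):
        if num == acl_id and s in net(sa, sw) and (da == "any" or d in net(da, dw)):
            return action
    return "deny"  # implicit deny that ends every IOS ACL

if __name__ == "__main__":
    # 10.0.1.50 is a hypothetical client on the hub LAN.
    print("hub -> server:", acl_decision(HUB, "110", "10.0.1.50", "10.0.0.20"))
    print("server -> hub:", acl_decision(SPOKE, "110", "10.0.0.20", "10.0.1.50"))
```

The result shows how the two ends differ in their NAT statements for LAN-to-LAN flows. It does not model which interfaces are marked `ip nat inside` or `ip nat outside`, so it is a comparison of the two configs rather than a diagnosis.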