Site to Site VPN 2 851W ?

CiscoGal
Hello All,

I need some extra eyes on an issue I am working on.

My setup is two 851W routers in two different locations.

Router A is the main router, which Router B tunnels into to connect to the location.
Router A has a static IP address and Router B has a dynamic one.

I am coming in new on the project, so I did not set up this router and I am slightly confused. The tunnel is working; however, the sites are not able to share files. Router B would like to be able to see all files on Router A and share printers, etc.

Could someone look over this config for another set of eyes? I am thinking there are issues with how the VPN is set up, the IP addressing scheme and NAT.

Any help greatly appreciated.

Router A Config

Using 3695 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXX
enable password 7 XXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.250 10.0.0.254
!
ip dhcp pool Internal-net
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
domain-name XXXXXXXXXX
dns-server 199.X.X.X 199.X.X.X
lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name XXXXXXXXXX
!
!
!
!
!
username XXXXX privilege 15 password 7 XXXXXXXXXX
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile vpnprof
set transform-set 3DES-SHA
!
!
bridge irb
!
!
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip mtu 1350
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp cache non-authoritative
ip tcp adjust-mss 1350
delay 1000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address 68.X.X.X 255.255.255.0
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid XXXXXXX
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 XXXXXXXXXXXXXXX
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip mtu 1350
ip virtual-reassembly
ip tcp adjust-mss 1375
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 68.X.X.X
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit udp any any eq isakmp
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 XXXXXXXXXXX
no modem enable
line aux 0
line vty 0 4
password 7 XXXXXXXXXXX
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
end

Router B Config

Using 3695 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXX
enable password 7 XXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Internal-net
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name XXXXXXXXXX
dns-server 199.X.X.X 199.X.X.X
lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name XXXXXXXXXX
!
vpdn enable
!
!
!
!
username XXXXX privilege 15 password 7 XXXXXXXXXX
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile vpnprof
set transform-set 3DES-SHA
!
!
bridge irb
!
!
!
interface Tunnel0
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip mtu 1350
ip nhrp authentication donttell
ip nhrp map multicast 68.X.X.X
ip nhrp map 10.10.10.1 68.X.X.X
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 10.10.10.1
ip nhrp cache non-authoritative
ip tcp adjust-mss 1350
delay 1000
tunnel source Dialer0
tunnel destination 68.X.X.X
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ES_WAN$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid XXXXXXX
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 XXXXXXXXXXXXXXX
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip mtu 1350
ip virtual-reassembly
ip tcp adjust-mss 1375
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
!
ip default-gateway 10.10.10.2
ip route 0.0.0.0 0.0.0.0 68.X.X.X
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=16
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit udp any any eq isakmp
!
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 XXXXXXXXXXX
no modem enable
line aux 0
line vty 0 4
password 7 XXXXXXXXXXX
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
end
NetMan1958

    a computer on Router A's LAN (10.0.0.x) from a computer on Router B's LAN using the IP Address?
    i.e. "ping 10.0.0.100"

CiscoGal

Thank you for the reply. I am able to ping, but I cannot get the sharing to work on the remote site.

NetMan1958

    It's your NAT config in that you are applying NAT to the tunnel traffic. Change your access-list to an extended access-list like so:
    For Router A
    access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    ip nat inside source list 101 interface FastEthernet4 overload

    For Router B
    access-list 101 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload

NetMan1958

    Actually, scratch that idea. Now that I think about it the tunnel interface isn't configured with "ip nat outside" so NAT shouldn't apply anyway. How are you trying to access the shared files, by a mapped drive maybe? If so, are you using the IP Address or the computer name?

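NetMan1958's NAT suggestion and the follow-up that withdraws it describe one IOS rule from two sides: inside-source NAT is consulted only when a packet moves from an "ip nat inside" interface to an "ip nat outside" interface, and only then is the access-list evaluated. The Python model below is an added example, not code from this thread; the routing table, interface roles and the destination address 203.0.113.9 (documentation range) are constructed from Router A's posted config, and the 192.168.2.0/24 route is assumed to be learned via RIP from Router B.

```python
"""Model of the IOS inside-source NAT decision on Router A.

Added example, not from the original thread. Assumed (standard IOS
inside-to-outside order of operations): route lookup first; then NAT
applies only for ingress 'inside' -> egress 'outside'; then the NAT
access-list is checked with first-match semantics and an implicit deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                              # "permit" or "deny"
    src: str                                 # "<network> <wildcard>"
    dst: str = "0.0.0.0 255.255.255.255"     # standard ACLs ignore destination


def _wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    for entry in acl:
        if _wildcard_match(src, entry.src) and _wildcard_match(dst, entry.dst):
            return entry.action == "permit"
    return False


# The two NAT access-lists from the thread, as posted for Router A.
LIST_1 = [AclEntry("permit", "10.0.0.0 0.0.0.255")]
LIST_101 = [
    AclEntry("deny", "10.0.0.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
    AclEntry("permit", "10.0.0.0 0.0.0.255"),
]

# Constructed from Router A's config: connected routes, the RIP-learned
# spoke LAN (assumed), and the static default toward the ISP.
ROUTER_A_ROUTES = {
    "10.0.0.0/24": "BVI1",
    "10.10.10.0/24": "Tunnel0",
    "192.168.2.0/24": "Tunnel0",      # learned via RIP from Router B (assumed)
    "0.0.0.0/0": "FastEthernet4",
}
# Tunnel0 carries neither 'ip nat inside' nor 'ip nat outside' in the posted config.
ROUTER_A_NAT_ROLE = {"BVI1": "inside", "FastEthernet4": "outside", "Tunnel0": None}


def egress_interface(routes: dict, dst: str):
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def nat_decision(routes: dict, roles: dict, acl: list, ingress: str, src: str, dst: str):
    """Return (egress_interface, translated, reason) for one packet."""
    egress = egress_interface(routes, dst)
    if egress is None:
        return None, False, "no route"
    if roles.get(ingress) != "inside" or roles.get(egress) != "outside":
        return egress, False, f"{ingress}->{egress} is not inside->outside; NAT not consulted"
    if not acl_permits(acl, src, dst):
        return egress, False, "NAT access-list does not permit this flow"
    return egress, True, "translated (PAT overload on egress address)"


if __name__ == "__main__":
    for name, acl in (("list 1", LIST_1), ("list 101", LIST_101)):
        for dst in ("192.168.2.7", "203.0.113.9"):
            print(name, "10.0.0.5 ->", dst, nat_decision(
                ROUTER_A_ROUTES, ROUTER_A_NAT_ROLE, acl, "BVI1", "10.0.0.5", dst))
```

Running it shows that access-list 1 does permit 10.0.0.x to 192.168.2.x, yet the flow is never translated because its egress interface, Tunnel0, is not marked "ip nat outside", so the decision stops before the list is consulted. The deny entry in list 101 is still the right habit when the encrypting interface is the same one that carries "ip nat outside" (the classic crypto-map layout, where NAT runs before encryption), but in this DMVPN layout it changes nothing, which is why the file-sharing problem had to be elsewhere.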
CiscoGal

I figured it out... the client did not tell me he was running a domain; the other hosts are in a workgroup.

CiscoGal

Thank you, I tried this and now I'm unable to ping out to the tunnel network.

NetMan1958

    See my reply to my own post about the NAT and I added another question.

    ok

    CiscoGal

Thanks. I am using the IP address. I am able to ping now, so I think the access list helped; however, I cannot see the other side of the tunnel in the workgroups.
I can ping them, but if I go to 192.168.2.100 from cmd, nothing comes up for me.
In the workgroup I can only see the hosts within 10.0.0.0, but I can ping 192.168.

