Cisco 1801 VPN Problem

Hi to all... I have set up a VPN between two sites. The VPN is up, clients from both parts will ping each other, but each router cannot ping hosts on the other side (nor the other router). Tracert shows a missing hop, and no applications are working across the VPN. What can it be? Thanks!

Masterx81

The crystal ball seems to be broken right now, maybe posting some of the config would help?

Smokey

Thanks for the attention... I have tried 3 times with long posts, with detailed descriptions, and no one has helped me... So I thought that long posts = too long to read. So I made a 'restriction', waiting for someone...

This is the config of the router at the branch office:

!This is the running config of the router: xxxx
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone xxx 1
clock summer-time xxx date Mar 30 2003 2:00 Oct 26 2003 3:00
clock calendar-valid
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Magazzino
   import all
   network 192.168.201.0 255.255.255.0
   dns-server 192.168.201.200
   netbios-name-server 192.168.200.1
   default-router 192.168.201.220
!
ip dhcp pool PCROBERT
   host 192.168.201.1 255.255.255.0
   client-identifier 0100.18f3.639a.cf
   dns-server 192.168.201.200
   netbios-name-server 192.168.200.1
   client-name PCROBERTOMAGA
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ruscallarenato.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip name-server 192.168.200.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1097497397
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1097497397
 revocation-check none
 rsakeypair TP-self-signed-1097497397
!
!
crypto pki certificate chain TP-self-signed-1097497397
 certificate self-signed 01
  useless
  quit
username xxx privilege 15 secret 5 xxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address yy.yy.yy.yy
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to yy.yy.yy.yy
 set peer yy.yy.yy.yy
 set transform-set ESP-3DES-SHA
 match address 100
!
bridge irb
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 xyz transmit-key
 encryption mode wep mandatory
 !
 ssid CISCO
    authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption key 1 size 40bit 7 8522D5CAB7D5 transmit-key
 encryption mode wep mandatory
 !
 ssid CISCO
    authentication open
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
 ip address xx.xx.xx.xx 255.255.255.224
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.201.200 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host yy.yy.yy.yyy any
access-list 101 permit icmp host yy.yy.yyy.yyy any
access-list 101 permit icmp any any echo-reply
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 101 permit udp host 193.204.114.233 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 101 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 101 permit tcp any 192.168.201.0 0.0.0.255 established
access-list 101 permit udp any any gt 1023
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any established
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny icmp any any
access-list 101 deny ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.201.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 102 in
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 103 in
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180045
ntp master
ntp update-calendar
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Thanks very much!!!

Masterx81
