Cisco 837 ADSL to public IP

Hi

It's urgent. I am trying to connect to a remote site which has an 837 ADSL router; a public IP is given as A.B.C.D. I have an ADSL 837 router with private IP 192.168.1.1. The remote user should be able to ping my network and download data. I have already configured the ADSL part; the connectivity to the remote site is not over. I can ping the public IP, but can't ping the private IP 10.10.10.1. Please help.

Router A Cisco 837 (192.168.1.1) ------------------------------ Router B Cisco 837 (10.10.10.1) public IP A.B.C.D

Thanks and Regards

Reply to
pinks

It's normal you can not ping 10.10.10.1. RFC1918 private addresses are _not_routable_ over Internet.

You need to configure a tunnel between the 2 routers. If you need to transfer data, the quickest way at this moment is the mail protocol.

Alex.

Reply to
AM

Thanks for the reply

I have one public IP A.B.C.D which is connected to router B. Can I make a static route to this, or do I have to have a GRE tunnel? Can I configure Easy VPN? Help needed, I am new to this area.

Regards

Reply to
pinks

Post the conf of both, without password and public IP. I can show you how to set up the tunnel.

Alex.

Reply to
AM

take a look at this

formatting link

Reply to
rsurf

You can configure a static route, but it's not going to move packets beyond the next router, because the next router (presumably your provider) doesn't know where to route packets with a destination in the private IP range. It's not enough for the first router to know how to forward packets to particular destinations; all routers on the way should know how to reach the target.

With GRE you don't have the problem described above, because you wrap packets into other IP packets, which now have the public IP of router B as destination. Configuring a GRE tunnel between the public IPs of the two routers should be enough unless you're concerned with what data you're transferring between addresses. Another solution is to use NAT for port-forwarding, but GRE seems to be the easiest way to get things moving.

Kind regards, iLya

Reply to
Charlie Root

Thanks Alex for the reply,

But I don't have any access to the other router; I have only this information. For each VPN tunnel I need a VPN key, right, which is configured on the other side? I don't know that either. Is there still any way of connecting it?

Thanks

Reply to
pinks

Hi ilya

Thanks for the reply. I have configured the router accordingly. Here is the configuration:

no aaa new-model
ip subnet-zero
!
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxx address a.b.c.d
!
!
crypto ipsec transform-set unionset esp-3des esp-md5-hmac
!
crypto map union 1 ipsec-isakmp
 set peer a.b.c.d
 set transform-set unionset
 match address 101
!
!
!
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username xxxxxx password xxxxx
 crypto map union
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 deny ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 2 protocol ip permit
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 password 7 011F0F0E5A040B5C731D
 login
!
scheduler max-task-time 5000

But I am still not able to establish the connection. Here is the debug output:

Mar 1 00:28:51.803: ILMI(ATM0): Sending ilmiColdStart trap
*Mar 1 00:28:51.803: ILMI(ATM0): No ILMI VC found
*Mar 1 00:28:51.803: ILMI: Encapsulation error on o/g ILMI Pdu (ATM0)
*Mar 1 00:28:51.803: ILMI: Unable to Send Pdu out
*Mar 1 00:28:52.895:
*Mar 1 00:28:52.895: RX interrupt: conid = 3, rxBd = 0x3A00=FDx1 0x1 0x4 0x2
*Mar 1 00:28:52.903: Vi2 PPP: I pkt type 0x0021, datagramsize 50 link[ip]um==F1
*Mar 1 00:28:52.903: IPpacketQ deq: s=217.164.55.150 (Dialer1), d=217.164.181.8, flags=0x280, tos=0x0, frag_offset=0
*Mar 1 00:28:52.903: TCP src=4943, dst=445, seq=2537213782, ack=0, win=65535 SYN
*Mar 1 00:28:52.903: IP: s=217.164.55.150 (Dialer1), d=217.164.181.8, len 48, rcvd 1
*Mar 1 00:28:52.911: tcp0: I LISTEN 217.164.55.150:4943 217.164.181.8:445 seq 2537213782 OPTS 8 SYN WIN 65535
*Mar 1 00:28:52.911: TCP: connection attempt to port 445
*Mar 1 00:28:52.911: TCP: sending RST, seq 0, ack 2537213783
*Mar 1 00:28:52.911: TCP: sent RST to 217.164.55.150:4943 from 217.164.181.8:445
*Mar 1 00:28:52.911: IP ARP: creating incomplete entry for IP address: 217.164.55.150 interface Dialer1
*Mar 1 00:28:52.915: IP ARP: sent req src 217.164.181.8 0012.807b.3967, dst 217.164.55.150 0000.0000.0000 Dialer1
*Mar 1 00:28:52.915: Di1 DDR: bridge (0x0806), 42 bytes, outgoing interesting (pppox over dialer)
*Mar 1 00:28:52.915: DDR: FFFFFFFF FFFF0012 807B3967 08060001 08000604 00010012
*Mar 1 00:28:52.919: DDR: 807B3967 D9A4B508 00000000 0000D9A4 3796
*Mar 1 00:28:52.919: Di1 DDR: dialer_fsm_up()
*Mar 1 00:28:52.919: Vi2 PPP: Outbound bridge packet dropped, BCP state is Listen
*Mar 1 00:28:52.919: IP ARP: sent req src 192.168.2.1 0012.807b.3967, dst 217.164.55.150 0000.0000.0000 Ethernet0
*Mar 1 00:28:53.499:
*Mar 1 00:28:53.499: RX interrupt: conid = 3, rxBd = 0x3A0053C, status = 0x1C20, length=94
*Mar 1 00:28:53.499: process_receive_packet: vcnum=1 encty 0xA2 0xD9 0xA4 0xB5 0x8 0x27 0x17 0x1A 0xE1 0x0 0x48 0xC9 0x3F 0xD9 0x9A 0xAD 0x98 0x3E 0xBA 0x10 0x82 0x0 0x0 0x4 0x6 0xB8 0x2F 0x67 0x73 0xD 0x0 0x0 0x0 0x0 0xD 0x4 0x91 0x35 0x3A 0xA2 0xD6 0xC5 0x9E 0xB3 0xA6 0xAB 0x0 0x0 0x1 0x9 0xA2 0xA3 0xA8 0x3B 0x14 0xED 0x42 0x79 0x4C 0x90 0x6A 0x71 0xDE 0x3E 0x9 0x6C 0x94 0xDF 0xBD 0x9B 0x19 0xF4 0x96 0x24 0x31 0x2 0x1E
*Mar 1 00:28:53.523: Vi2 PPP: I pkt type 0x0021, datagramsize 94 link[ip]
*Mar 1 00:28:53.523: IPpacketQ deq: s=145.53.58.162 (Dialer1), d=217.164.181.8, flags=0x280, tos=0x0, frag_offset=0
*Mar 1 00:28:53.523: UDP src=10007, dst=6881
*Mar 1 00:28:53.523: IP: s=145.53.58.162 (Dialer1), d=217.164.181.8, len 92, rcvd 1
*Mar 1 00:28:53.523: UDP: rcvd src=145.53.58.162(10007), dst=217.164.181.8(6881), length=72
*Mar 1 00:28:53.523: ICMP: dst (217.164.181.8) port unreachable sent to 145.53.58.162
*Mar 1 00:28:53.523: IP ARP: creating incomplete entry for IP address: 145.53.58.162 interface Dialer1
*Mar 1 00:28:53.527: IP ARP: sent req src 217.164.181.8 0012.807b.3967, dst 145=AE
*Mar 1 00:28:53.531: DDR: 807B3967 D9A4B508 00000000 00009135 3AA2
*Mar 1 00:28:53.535: Di1 DDR: dialer_fsm_up()
*Mar 1 00:28:53.535: Vi2 PPP: Outboun=FC8:53.703: Vi2 LCP-FS: I ECHOREQ [Open] id 22 len 8 magic 0x7FC57344
*Mar 1 00:28:53.703: Vi2 LCP-FS: O ECHOREP [Open] id 22 len 8 magic 0x12893103 dst 145.53.58.162 0000.0000.0000 Ethernet0
*Mar 1 00:28:53.539: IP: s=145.53.58.162 (Dialer1), d=217.164.181.8, len 92, dispose udp.noport
*Mar 1 00:28:53.703:
*Mar 1 00:28:53.703: RX interrupt: conid = 3, rxBd = 0x3A00548, status = 0x1C20, length==F9
*Mar 1 00:28:53.707: c820_aal_send: pak = 0x813486A4, vc = 1, q = 1
*Mar 1 00:28:53.707: pquicc_sar_pak2txring: nextTxBd = 0x8171EF30, ring = 0x81204644
*Mar 1 00:28:53.707: pquicc_sar_add_pak_tx: packet TX=0x39C44A0, len=10, oam?=0
*Mar 1 00:28:53.707: TX interrupt: conid 3, usedTxBd: Shadow 0x8171EF30, Real 0x3A00F90
*Mar 1 00:28:53.707: pquicc_sar_safe_start: vc = 1
*Mar 1 00:28:53.803: ILMI(ATM0): Sending ilmiColdStart trap
*Mar 1 00:28:53.803: ILMI(ATM0): No ILMI VC found
*Mar 1 00:28:53.803: ILMI: Encapsulation error on o/g ILMI Pdu (ATM0)
*Mar 1 00:28:53.803: ILMI: Unable to Send Pdu out
*Mar 1 00:28:55.331:
*Mar 1 00:28:55.331: RX interrupt: conid = 3, rxBd = 0x3A00554, status = 0x1C00, length=50
*Mar 1 00:28:55.335: process_receive_packet: vcnum=1 enctype=9
*Mar 1 00:28:55.335: Virtual-Access2: copy pkt, tmp->flags 0x280, idb->encsize 2
*Mar 1 00:28:55.335: size 50 0x0 0x21 0x45 0x0 0x0 0x30 0xBC 0xC1 0x40 0x0 0x6D 0x6 0xFE 0xED 0xC4 0xCA 0xFE 0xA0 0xD9 0xA4 0xB5 0x8 0xB 0xB4 0x1A 0xE1 0x43 0x77 0xF4 0x92 0x0 0x0 0x0 0x0 0x70 0x2 0xFA 0xF0 0xD7 0x76 0x0 0x0 0x2 0x4 0x5 0xB4 0x1 0x1 0x4 0x2
*Mar 1 00:28:55.343: Vi2 PPP: I pkt type 0x0021, datagramsize 50 link[ip]
*Mar 1 00:28:55.343: IPpacketQ deq: s=196.202.254.160 (Dialer1), d=217.164.181.8, flags=0x280, tos=0x0, frag_offset=0
*Mar 1 00:28:55.343: TCP src=2996, dst=6881, seq=1131934866, ack=0, win=64240 SYN
*Mar 1 00:28:55.347: IP: s=196.202.254.160 (Dialer1), d=217.164.181.8, len 48, rcvd 1
*Mar 1 00:28:55.347: tcp0: I LISTEN 196.202.254.160:2996 217.164.181.8:6881 seq 1131934866 OPTS 8 SYN WIN 64240
*Mar 1 00:28:55.347: TCP: connection attempt to port 6881
*Mar 1 00:28:55.347: TCP: sending RST, seq 0, ack 1131934867
*Mar 1 00:28:55.347: TCP: sent RST to 196.202.254.160:2996 from 217.164.181.8:6881
*Mar 1 00:28:55.351: IP ARP: sent req src 217.164.181.8 0012.807b.3967, dst 196.202.254.160 0000.0000.0000 Dialer1
*Mar 1 00:28:55.351: Di1 DDR: bridge (0x0806), 42 bytes, outgoing interesting (pppox over dialer)
*Mar 1 00:28:55.351: DDR: FFFFFFFF FFFF0012 807B3967 08060001 08000604 00010012
*Mar 1 00:28:55.355: DDR: 807B3967 D9A4B508 00000000 0000C4CA FEA0
*Mar 1 00:28:55.359: Di1 DDR: dialer_fsm_up()
*Mar 1 00:28:55.359: Vi2 PPP: Outbound bridge packet dropped, BCP is Closed [starting negotiations]
*Mar 1 00:28:55.359: Vi2 BCP: State is Listen

Could anyone tell me what is wrong.???

Urgent

Thanks and Regards

Reply to
pinks

I'd suggest to start with minimum features, then add them as other things get running.

Make sure that your IOS image supports 3DES

Add following line here:

ip tcp adjust-mss 1460

See also below for changes on Dialer1

Add following two lines:

mtu 1492
ip virtual-reassembly

^^^^^ You don't really need this line unless you really want Dial-on-Demand style connection, which usually doesn't have any benefits with xDSL connections unless you have time-based service contract. Also, add following line to avoid disconnects:

dialer idle-timeout 0

If I remember correct, you don't need to exclude IPsec traffic from NAT explicitly as it's done anyway, but I may be mistaking this with PIX behaviour.

^^^^ You better disable this.

you're missing 'permit' for reverse direction, i.e.:

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255

and you don't need explicit 'deny' statement at the end, as default is 'deny any any'

You need to disable ILMI (no atm autoconfiguration on ATM0 interface), though this is not really big problem and shouldn't affect your connectivity.

...

...

You seem to be always getting different IP address, that won't work with static IPsec configuration. If the other end has static public IP you could try configuring your side with 'crypto ipsec client ezvpn'.

By the way, does your ADSL connection come up at all? It looks like you got three different addresses within one second!

/iLya

Reply to
Charlie Root

Thanks Charlie, you are the man, but I am not able to ping the private IP of the main remote router, whereas the other office, which has the same configuration, is able to establish a network with the private IP of the main router. I will explain in detail: B router can ping the private IP of the main router, whereas my router, say A, cannot do it. I am attaching the configuration files of the Main Router, B router and my router.

Main Router

no aaa new-model
ip subnet-zero
ip name-server xxxxxx
ip name-server xxxxxx
ip dhcp excluded-address 10.10.10.1
!
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set saadset esp-3des esp-md5-hmac
!
crypto dynamic-map saadmap 10
 set transform-set saadset
 match address 101
!
!
crypto map saadtrans 10 ipsec-isakmp dynamic saadmap
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1432
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
!
interface Dialer1
 mtu 1432
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname username
 ppp chap password password
 ppp pap sent-username password 7
 crypto map saadtrans
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static 10.10.10.100 x.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 120
!
!

Here is the router B configuration, which can establish a connection:

no aaa new-model
ip subnet-zero
!
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxx address A.B.C.D
!
!
crypto ipsec transform-set unionset esp-3des esp-md5-hmac
!
crypto map union 1 ipsec-isakmp
 set peer A.B.C.D
 set transform-set unionset
 match address 101
!
!
!
!
interface Ethernet0
 ip address 192.168.4.210 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
!
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username password
 crypto map union
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 any
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 deny ip any any
access-list 120 deny ip 192.168.4.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
dialer-list 2 protocol ip permit
route-map nonat permit 10
 match ip address 120

And my router has the same configuration of B which has private address in range 192.168.2.1

I don't know why it does not work. Any ideas?

Thanks and Regards

Reply to
pinks

Is your DSL connection up? From previous debug it looked like there is connectivity problem.

Kind regards, iLya

Reply to
Charlie Root

Thanks

Yes, it's up and I am able to ping the public IP and use the internet.

Help appreciated

Thanks in Advance

Reply to
pinks

...

...

Which of these addresses are yours and which are on the other side?

Kind regards, iLya

Reply to
Charlie Root

My router address is 192.168.2.1, while on the other side it's 10.10.10.1, whereas the B router, which has IP 192.168.4.210, works fine, the other side being 10.10.10.1.

Thanks

Reply to
pinks

I was talking about public IP of your routers.

Kind regards, iLya

Reply to
Charlie Root

I have a network in 192.168.2.1 with a public IP on the other side starting with 213.x.x.x

Router B has the range 192.168.4.210 with the same public ip 213.x.x.x which works fine.

Thanks

Reply to
pinks

Make sure you don't press spacebar and question mark when typing your key password. In any case you should run following debugs to find out whether IPsec comes up and if not it will tell you why:

deb crypto isakmp
deb crypto isakmp err
deb crypto ipsec
deb crypto ipsec err

also try:

ping size 1500 df-bit

to see if you don't have MTU problem. If IPsec is up but you still don't have connectivity, remove your access-lists on the wan and lan interfaces to check if they're source of the problem.

Kind regards, iLya

Reply to
Charlie Root

Thanks Charlie Root. Now I am able to connect to the main router. When I change the configuration from 192.168.2.1 to 192.168.4.1 it works fine, but it does not allow me to establish a connection with 192.168.2.1, whereas the main router 192.168.2.1 is given access in the access-lists. Could anyone explain to me why it's that? Now both routers that connect in are in the same subnet, that is 192.168.4.0.

Any explanations

Thanks and Regards

Reply to
pinks
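
Added example, not part of any post in this thread: IOS evaluates an access list top-down and the first matching entry wins, so the order of the Main Router's access-list 101 (crypto match) and 120 (NAT selection through route-map nonat) entries matters. The Python sketch below parses those entries as posted above and lists the ones an earlier entry already covers; the function names are illustrative, and it models only `ip` entries with contiguous wildcard masks.

```python
import ipaddress

# Main Router entries copied from the configuration posted in the thread.
MAIN_ROUTER_ACLS = """\
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def take_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a contiguous Cisco wildcard as a hostmask
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse(text):
    """Return {acl_number: [(action, src_net, dst_net, raw_line), ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only plain 'ip' extended entries are modelled
        rest = tok[4:]
        src, dst = take_net(rest), take_net(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst, line.strip()))
    return acls

def shadowed(entries):
    """Return (dead_line, covering_line, actions_differ) for unreachable entries."""
    dead = []
    for i, (act, src, dst, raw) in enumerate(entries):
        for e_act, e_src, e_dst, e_raw in entries[:i]:
            if src.subnet_of(e_src) and dst.subnet_of(e_dst):
                dead.append((raw, e_raw, act != e_act))
                break
    return dead

def first_match(entries, src, dst):
    """Action for one src/dst pair: first match wins, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for act, s_net, d_net, _ in entries:
        if s in s_net and d in d_net:
            return act
    return "deny"

if __name__ == "__main__":
    for number, entries in parse(MAIN_ROUTER_ACLS).items():
        for dead, by, differ in shadowed(entries):
            print(f"ACL {number}: '{dead}' never reached, covered by '{by}'"
                  + (" (actions differ)" if differ else ""))
```

On the posted entries this reports that `access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255` is never reached because `permit ip 10.10.10.0 0.0.0.255 any` precedes it, so traffic toward 192.168.2.0/24 is still selected for NAT while traffic toward 192.168.4.0/24 is exempted.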
