site 2 site vpn problems

Hello all,

I'm having a problem with a site-to-site VPN tunnel between a Cisco 871 and some D-Link routers at branch locations.

Once I installed the 871 I had the s2s tunnels up with what appeared to be no problem. On the 871 side I could connect to the remote branch equipment, however, from the remote branch side they could not connect back to the servers at corp, but they could ping anything.

In my experience this is normally an MTU problem. Sadly, when I went to configure the interface (FastEthernet4) with "ip mtu 1450", I got an error stating that the interface did not have a "user settable mtu"?? I then tried the "ip tcp adjust-mss" statement, which appeared to have no effect, and based on my reading that is for PPPoE connections anyway.

Thus I decided to put their original router (DI-804HV) back in place and carry one of the Ciscos to my office and work on the config there. I created a tunnel back to their D-Link, which would simulate the "branch" problem, and with the configuration below they can connect to all servers at my location EXCEPT one, which really has me confused, because I can put my 804HV back in place and then they can connect to that server.

The big difference between the two locations is that they are running a T1 with an Adtran and I am running business ADSL.

So my questions are:

1) How do you adjust the MTUs on the FastEthernet4 device?

2) Why would one particular server (Red Hat Linux) be reachable via ping but no other method (I've lowered the MTUs on that machine)?

Sorry for the long post but being a Cisco group you folks are probably used to it. ;-D

===============================================================================
Building configuration...

Current configuration : 12166 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip port-map user-Apache port tcp 80 list 2 description http
ip port-map user-smtp port tcp 25 list 3 description smtp
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 user-Apache
ip inspect name DEFAULT100 user-smtp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name helpconsulting.net
ip name-server 166.102.165.11
ip name-server 166.102.165.13
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-406846317
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-406846317
 revocation-check none
 rsakeypair TP-self-signed-406846317
!
!
crypto pki certificate chain TP-self-signed-406846317
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303638 34363331 37301E17 0D303230 33303130 35303632
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3430 36383436
  33313730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BFCB7B5D DF7618AF A39ABA10 62C7EA50 614AB0A3 F6867B14 B6DE7859 F1958B93
  63D509D0 C889EE1F CD68DC13 C7C9F6BA A710B730 C51D661E 7289F4F7 617762DB
  6CE8BBF1 E078482E 69657B95 0242D104 1E53B4A9 0C507825 2C6C1999 EAB59D99
  D2E819A7 E44C3414 D663F0E8 AB4DAB05 E7EDA7CD BD23772F A8DFE128 4F5A0AF1
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821763 3837312E 68656C70 636F6E73 756C7469 6E672E6E 6574301F
  0603551D 23041830 1680148F 97686BC4 13D63FAF 732AB47F CE61CD09 925DA330
  1D060355 1D0E0416 04148F97 686BC413 D63FAF73 2AB47FCE 61CD0992 5DA3300D
  06092A86 4886F70D 01010405 00038181 0012B27D CA017702 1AA76427 84D5C001
  07578F36 12D2E527 7D4594BC E46194B3 DD725A49 103487A1 34E2F000 E2A89282
  EC5AB605 ADF38011 FB5AEEC9 78D7C720 A266B305 9762D3F8 60187465 1FB04D3B
  6E1775AB 5579090C 8EC4FF87 9BA762F1 EBA39900 49BF66D9 64F1567F 180A1FCC
  FFAC5A3B 3A70CD57 4898EFAD D99D3D7D 87
  quit
username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxx address 70.43.141.26
crypto isakmp key xxxxxxxx address 71.31.56.235
!
!
crypto ipsec transform-set techsupp esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to70.43.141.26
 set peer 70.43.141.26
 set transform-set techsupp
 match address 111
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 71.29.29.185 255.255.255.252
 ip access-group 105 in
 ip mtu 1450
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1450
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.10 110 interface Dialer0 110
ip nat inside source static tcp 192.168.10.10 22 interface Dialer0 22
ip nat inside source static tcp 192.168.10.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.10.168 80 interface Dialer0 1234
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.10 80 interface Dialer0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.10
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.10.10
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 71.29.29.184 0.0.0.3 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any host 71.29.29.186 eq www
access-list 103 permit udp host 166.102.165.13 eq domain host 71.29.29.186
access-list 103 permit udp host 166.102.165.11 eq domain host 71.29.29.186
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 permit icmp any host 71.29.29.186 echo-reply
access-list 103 permit icmp any host 71.29.29.186 time-exceeded
access-list 103 permit icmp any host 71.29.29.186 unreachable
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 166.102.165.13 eq domain host 71.29.29.185
access-list 104 permit udp host 166.102.165.11 eq domain host 71.29.29.185
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit icmp any host 71.29.29.185 echo-reply
access-list 104 permit icmp any host 71.29.29.185 time-exceeded
access-list 104 permit icmp any host 71.29.29.185 unreachable
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 192.168.10.0 0.0.0.255 10.0.90.0 0.0.0.255
access-list 105 permit udp any host 71.29.29.185 eq non500-isakmp
access-list 105 permit udp any host 71.29.29.185 eq isakmp
access-list 105 permit esp any host 71.29.29.185
access-list 105 permit ahp any host 71.29.29.185
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit gre host 70.43.141.26 host 71.29.29.185
access-list 105 remark IPSec Rule
access-list 105 permit udp host 70.43.141.26 host 71.29.29.185 eq non500-isakmp
access-list 105 permit udp host 70.43.141.26 host 71.29.29.185 eq isakmp
access-list 105 permit esp host 70.43.141.26 host 71.29.29.185
access-list 105 permit ahp host 70.43.141.26 host 71.29.29.185
access-list 105 permit tcp any host 71.29.29.185 eq 22
access-list 105 permit tcp any host 71.29.29.185 eq www
access-list 105 permit tcp any host 71.29.29.185 eq smtp
access-list 105 remark POP3
access-list 105 permit tcp any host 71.29.29.185 eq pop3
access-list 105 remark PhoneServer
access-list 105 permit tcp any host 71.29.29.185 eq 1234
access-list 105 permit udp host 166.102.165.13 eq domain host 71.29.29.185
access-list 105 permit udp host 166.102.165.11 eq domain host 71.29.29.185
access-list 105 deny ip 192.168.10.0 0.0.0.255 any
access-list 105 permit icmp any host 71.29.29.185 echo-reply
access-list 105 permit icmp any host 71.29.29.185 time-exceeded
access-list 105 permit icmp any host 71.29.29.185 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 107 remark SDM_ACL Category=2
access-list 107 deny ip 10.0.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 deny ip 192.168.10.0 0.0.0.255 10.0.90.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 10.0.90.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 107
!
!
control-plane
!
banner login ^CCCCCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Ken
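The arithmetic behind the MTU and MSS figures in the post, as an added example that is not part of Ken's post and is not Cisco code. On a PPPoE link the IP layer lives on the Dialer interface, which is why the pasted config carries `ip mtu 1450` and `ip tcp adjust-mss` on Dialer0 while FastEthernet4 has `no ip address`; `ip tcp adjust-mss` rewrites the MSS option in TCP SYNs that transit the configured interface in either direction. What the clamp value has to account for is ESP tunnel-mode overhead: a full-size segment at the clamped MSS, plus its IP and TCP headers, must still fit the sending interface's IP MTU after a new outer IP header, ESP header, IV, padding, trailer and ICV are added. The model below assumes IPv4, ESP tunnel mode with no AH, an 8-byte cipher block (DES/3DES as in the transform sets shown) with a 12-byte truncated HMAC ICV, and optionally NAT-T UDP encapsulation; the MTU 1450 and the MSS values 1412 and 1450 fed to the check are the values visible in the pasted config, used here as constructed test input.

```python
# Added example (not from the post or from Cisco): size arithmetic for an IPv4
# packet carried in ESP tunnel mode, and a sanity check for "ip tcp adjust-mss"
# values against the IP MTU of the interface that sends the encrypted packets.
#
# Assumptions (the post only shows the transform sets; the rest is modelled):
#   - IPv4 inside and outside, ESP tunnel mode, no AH
#   - 8-byte cipher block (esp-des / esp-3des), hence an 8-byte IV
#   - 96-bit truncated HMAC ICV (esp-md5-hmac / esp-sha-hmac) = 12 bytes
#   - optional NAT-T encapsulation adds an 8-byte UDP header

IPV4_HDR = 20
TCP_HDR = 20          # no TCP options
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
NATT_UDP = 8


def esp_encapsulated_len(inner_len, block=8, icv=12, natt=False):
    """Bytes on the wire for an inner packet of inner_len after ESP tunnel-mode encapsulation."""
    # ESP pads so that (payload + trailer) is a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    wire = IPV4_HDR + ESP_HDR + block + padded + icv   # the 'block' term is the IV
    return wire + NATT_UDP if natt else wire


def max_inner_mtu(outer_mtu, block=8, icv=12, natt=False):
    """Largest inner packet whose encrypted form still fits outer_mtu unfragmented."""
    fixed = IPV4_HDR + ESP_HDR + block + icv + (NATT_UDP if natt else 0)
    room = outer_mtu - fixed
    padded = room - room % block          # largest block multiple that fits
    inner = padded - ESP_TRAILER
    # Self-check: this size fits and one byte more does not.
    assert esp_encapsulated_len(inner, block, icv, natt) <= outer_mtu
    assert esp_encapsulated_len(inner + 1, block, icv, natt) > outer_mtu
    return inner


def recommended_mss(outer_mtu, block=8, icv=12, natt=False):
    """MSS clamp that keeps a full-size TCP segment inside max_inner_mtu."""
    return max_inner_mtu(outer_mtu, block, icv, natt) - IPV4_HDR - TCP_HDR


def mss_clamp_check(adjust_mss, outer_mtu, block=8, icv=12, natt=False):
    """Return (fits, wire_len): does a full segment at this MSS survive encryption unfragmented?"""
    inner = adjust_mss + IPV4_HDR + TCP_HDR
    wire = esp_encapsulated_len(inner, block, icv, natt)
    return wire <= outer_mtu, wire


if __name__ == "__main__":
    # Constructed inputs taken from the values visible in the pasted config:
    # Dialer0 has 'ip mtu 1450'; Vlan1 clamps to 1412, Dialer0 clamps to 1450.
    dialer_mtu = 1450
    print(f"outer IP MTU {dialer_mtu}: largest unfragmented inner packet "
          f"{max_inner_mtu(dialer_mtu)}, recommended MSS {recommended_mss(dialer_mtu)}")
    candidates = (("Vlan1", 1412), ("Dialer0", 1450),
                  ("suggested", recommended_mss(dialer_mtu)))
    for where, mss in candidates:
        fits, wire = mss_clamp_check(mss, dialer_mtu)
        verdict = "fits" if fits else "needs fragmentation"
        print(f"  adjust-mss {mss:4d} on {where:9s}: encrypted packet {wire} bytes -> {verdict}")
```

With an outer IP MTU of 1450 the model gives 1398 bytes as the largest inner packet and 1358 as the MSS clamp; a clamp of 1412 lets hosts send 1452-byte packets that grow to 1504 bytes once encrypted, larger than both the 1450 Dialer0 MTU and a 1492-byte PPPoE path, so the router has to fragment them (allowed in the pasted config because the DF bit is cleared, but fragments are the first thing a middlebox or an over-strict ACL drops). Whether that is what the post is seeing is not something the post itself establishes; the check only says which clamp values cannot be carried without fragmentation.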
