I have the following network configuration:
LAN: 192.168.1.x/24
192.168.1.250
SonicWALL
Public IP Address (connected via DSL)
|
|
|
Public IP Address (connected via DSL)
SonicWALL
192.168.45.250
192.168.45.x/24
|
|
|
192.168.45.1 (fastEthernet 0/0)
Cisco 1841 T1 Router
192.168.60.2 (serial line [csu/dsu])
|
|
192.168.60.1
Cisco 1841 T1 Router
10.10.20.1
10.10.20/24

There is a VPN tunnel between the 2 SonicWALL devices, and there is also a VPN tunnel between the two Cisco devices.
From a computer at 192.168.1.40, I can ping everyone no problem. However, I'm having some issues pinging the 10.10.20.0/24 subnet from the 192.168.1.0/24 subnet. It appears to be too slow. This is what I am experiencing:

If I ping anyone on the 192.168.45.0/24 subnet from the 192.168.1.0/24 subnet, everything works fine and the pings appear to be coming back in about 20-40 milliseconds.

If I ping the 10.10.20.0/24 subnet from the 192.168.1.0/24 subnet, the pings will reply except that they take about 400 milliseconds to come back. Furthermore, when I initially start to ping the 10.10.20.0/24 subnet, the first couple of pings are lost. I'm assuming this is because the Cisco routers need to set up a VPN tunnel between them, but I have keepalives set, and I'm not sure when the tunnel doesn't stay up all of the time.

I'm going to paste the configurations of both routers below, but can anybody think of a way to speed up the T1 line between the 2 Cisco routers? I don't want to lose any packets when I initially try to ping the 10.10.20.0/24 subnet from the 192.168.1.0/24 subnet, and I would like to have ICMP packets reply from the 10.10.20.0/24 subnet to the 192.168.1.0/24 subnet around the 40-60 millisecond time frame.

Anybody got any ideas?
Thanks.
-- John
Router A 192.168.60.2:
Building configuration...
Current configuration : 3850 bytes
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxx
!
no aaa new-model
clock summer-time EST recurring
ip cef
!
!
ip domain name yourdomain.com
!
password encryption aes
!
!
!
ip telnet source-interface FastEthernet0/0
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 xxx address 192.168.60.1
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.60.1
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.45.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.60.2 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 192.168.1.0 255.255.255.0 192.168.45.250
ip route 192.168.5.0 255.255.255.0 192.168.45.250
ip route 192.168.40.0 255.255.255.0 192.168.45.250
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 192.168.45.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
!
access-list 101 permit udp host 192.168.60.1 eq isakmp host 192.168.60.2 eq isakmp
access-list 101 permit esp host 192.168.60.1 host 192.168.60.2
access-list 101 permit icmp host 192.168.45.1 host 10.10.20.1
access-list 101 permit udp host 192.168.60.1 host 192.168.60.2 eq ntp
access-list 101 deny ip any any log
access-list 102 permit icmp host 10.10.20.1 host 192.168.45.1
access-list 102 permit udp host 192.168.60.2 eq isakmp host 192.168.60.1 eq isakmp
access-list 102 permit esp host 192.168.60.2 host 192.168.60.1
access-list 102 permit udp host 192.168.60.2 eq ntp host 192.168.60.1
access-list 102 deny ip any any log
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco" with the password "cisco".
The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to
------------------------------------------------

Router B 192.168.60.1:
Building configuration...
Current configuration : 3770 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxx
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
!
password encryption aes
!
!
ip tftp source-interface FastEthernet0/0
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 xxx address 192.168.60.2
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.60.2
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$
 ip address 10.10.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.60.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 10.10.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 192.168.45.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 192.168.40.0 0.0.0.255
!
access-list 101 remark access list for serial
access-list 101 permit udp host 192.168.60.2 eq isakmp host 192.168.60.1 eq isakmp
access-list 101 permit esp host 192.168.60.2 host 192.168.60.1
access-list 101 permit icmp host 10.10.20.1 host 192.168.45.1
access-list 101 permit udp host 192.168.60.2 eq ntp host 192.168.60.1
access-list 101 deny ip any any log
access-list 102 permit udp host 192.168.60.1 eq isakmp host 192.168.60.2 eq isakmp
access-list 102 permit esp host 192.168.60.1 host 192.168.60.2
access-list 102 permit icmp host 192.168.45.1 host 10.10.20.1
access-list 102 permit udp host 192.168.60.1 host 192.168.60.2 eq ntp
access-list 102 deny ip any any log
access-list 102 remark access list for serial
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco" with the password "cisco".
The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to