VPN three sites 1 not working right

Hi, I am having some trouble getting a new router to work with my already established VPN. I have two 831s that are connected and working, running 12.2. The newest router is an 871w and has the newer IOS version 12.3. (Are the version differences a problem?) Currently I can ping any of the routers from the new 871, but cannot ping inside the networks. Also, I can ping the new router from the others but cannot ping a machine inside the network. Here are my configs: main office router first (10.10.1.1, internal network 10.10.0.x), then the other 831 (10.20.1.1, internal 10.20.0.x), then the new 871w (10.30.1.1, internal 10.30.0.x). Thanks for any help; it is very much appreciated.

ROUTER 1

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Hxxxx
!
enable secret 5 $
enable password 7 0
!
username CRWS
aaa new-model
!
!
aaa authentication login Local local
aaa authorization network default local
aaa session-id common
ip subnet-zero
ip name-server x.x.x.x
ip name-server x.x.x.x
ip dhcp excluded-address 10.10.1.1
ip dhcp excluded-address 10.10.1.100
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.0.1 10.10.0.30
!
ip dhcp pool CLIENT
 network 10.10.0.0 255.255.0.0
 default-router 10.10.1.1
 dns-server x.x.x.x x.x.x.x
 lease 0 2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 7
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address ROUTER 2 IP no-xauth
crypto isakmp key xxxx address ROUTER 3 IP no-xauth
!
crypto isakmp client configuration group VPNCLient
 key
 domain
 pool VPN-pool
 acl 103
!
!
crypto ipsec transform-set dun esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 20
 set transform-set dun
!
!
crypto map vpn local-address Ethernet1
crypto map vpn client authentication list Local
crypto map vpn isakmp authorization list local
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
 set peer ROUTER 2 IP
 set transform-set dun
 match address 101
crypto map vpn 12 ipsec-isakmp
 set peer ROUTER 3 IP
 set transform-set dun
 match address 104
crypto map vpn 20 ipsec-isakmp dynamic dynamic
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.10.1.1-255.255.0.0
 ip address 10.10.1.1 255.255.0.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 no ip mroute-cache
 no cdp enable
 crypto map vpn
!
ip local pool VPN-pool 192.168.250.1 192.168.250.254
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.1 10000 interface Ethernet1 10000
ip nat inside source static tcp 10.10.10.1 22 interface Ethernet1 22
ip nat inside source static tcp 10.10.0.5 69 interface Ethernet1 69
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip http server
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 deny ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
access-list 104 permit ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 104 deny ip 10.10.0.0 0.0.255.255 any
no cdp run
route-map nonat permit 10
 match ip address 102
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 0205165E01165F7218
 length 0
!
scheduler max-task-time 5000
end

--------------------------------------------------------------------------------------------------------------

ROUTER 2

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Dxxxxxx
!
enable secret 5
enable password 7
!
username admin
ip subnet-zero
ip name-server 151.201.0.39
ip name-server 151.197.0.39
ip dhcp excluded-address 10.20.1.1
ip dhcp excluded-address 10.20.10.1
!
ip dhcp pool CLIENT
 network 10.20.0.0 255.255.0.0
 default-router 10.20.1.1
 dns-server x.x.x.x x.x.x.x
 lease 0 2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxx address ROUTER 1 IP no-xauth
crypto isakmp key xxxx address ROUTER 2 IP no-xauth
!
!
crypto ipsec transform-set huntesp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer ROUTER 1 IP
 set transform-set hunt
 match address 101
crypto map vpn 12 ipsec-isakmp
 set peer ROUTER 3 IP
 set transform-set hunt
 match address 104
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.20.1.1-255.255.0.0
 ip address 10.20.1.1 255.255.0.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 no ip mroute-cache
 no cdp enable
 crypto map vpn
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.20.10.1 22 interface Ethernet1 22
ip nat inside source static tcp 10.20.10.1 10000 interface Ethernet1 10000
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
!
!
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.20.0.0 0.0.255.255 any
access-list 102 deny ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.20.0.0 0.0.255.255 any
access-list 104 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 104 deny ip 10.20.0.0 0.0.255.255 any
no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

-----------------------------------------------------------------------------------------------------------

NEW ROUTER 3

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Lxxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 $
!
username
clock timezone PCTime 0
clock summer-time PCTime
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.30.0.1
ip dhcp excluded-address 10.30.0.255 10.30.255.254
!
ip dhcp pool sdm-pool1
 import all
 network 10.30.0.0 255.255.0.0
 dns-server x.x.x.x x.x.x.x
 default-router 10.30.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxx address ROUTER1 IP no-xauth
crypto isakmp key xxxx address ROUTER2 IP no-xauth
!
!
crypto ipsec transform-set hunt esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer ROUTER 1 IP
 set transform-set hunt
 match address 101
crypto map vpn 12 ipsec-isakmp
 set peer ROUTER 2 IP
 set transform-set hunt
 match address 103
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address ROUTER 3 IP 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 4F2977474B5120126661798B3953 transmit-key
 encryption mode wep mandatory
 !
 ssid bmzltown
  authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 10.30.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.30.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.30.0.0 0.0.0.255 any
access-list 101 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.30.0.0 0.0.255.255 any
access-list 102 deny ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.30.0.0 0.0.255.255 any
access-list 103 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.30.0.0 0.0.255.255 any
no cdp run
route-map nonat permit 10
 match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
mcdowell.alex
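
An added example, not part of the original post: a first-match evaluator for the `access-list` lines posted above, used to check two things a three-site IPsec mesh depends on. IOS translates inside-to-outside packets before it compares them with the crypto map, so any LAN-to-LAN flow the NAT ACL permits no longer matches the crypto ACL; and each crypto ACL needs a source/destination-swapped counterpart on the peer. The function names and test host addresses are this example's own, and the ACL strings are a subset copied from the three configs.

```python
import ipaddress

def _net(addr, wildcard):
    # A wildcard mask is the inverted netmask (contiguous masks assumed).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config, number):
    """Ordered (action, src, dst) tuples for 'access-list <number> <action> ip' lines."""
    rules = []
    for tok in (line.split() for line in config.splitlines()):
        if tok[:2] != ["access-list", str(number)] or tok[3:4] != ["ip"]:
            continue
        nets, rest = [], tok[4:]
        while rest and len(nets) < 2:
            width = 1 if rest[0] == "any" else 2   # 'any' or '<addr> <wildcard>'
            nets.append(ipaddress.ip_network("0.0.0.0/0") if width == 1 else _net(*rest[:2]))
            rest = rest[width:]
        rules.append((tok[2], nets[0], nets[1]))
    return rules

def first_match(rules, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in rules if s in sn and d in dn), "deny")

def nat_leaks(config, nat_acl, local_host, remote_hosts):
    """Remote hosts for which the NAT ACL permits (translates) the flow."""
    rules = parse_acl(config, nat_acl)
    return [r for r in remote_hosts if first_match(rules, local_host, r) == "permit"]

def is_mirrored(local_rules, peer_rules):
    """True if each local crypto-ACL permit has a swapped permit on the peer."""
    peer = {(d, s) for a, s, d in peer_rules if a == "permit"}
    return all((s, d) in peer for a, s, d in local_rules if a == "permit")

# Subset of the access-list lines from the three posted configs.
R1 = """access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 104 permit ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255"""
R2 = """access-list 102 deny ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.20.0.0 0.0.255.255 any
access-list 104 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255"""
R3 = """access-list 100 deny ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.30.0.0 0.0.0.255 any
access-list 101 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 103 permit ip 10.30.0.0 0.0.255.255 10.10.0.0 0.0.255.255"""
```

Run against the posted ACLs, `nat_leaks` reports that Router 1's ACL 102 translates 10.10.0.x to 10.30.0.x traffic (the `permit ... any` entry sits above the 10.30 deny) and that Router 2's ACL 102 and Router 3's ACL 100 carry no exemption for each other's LAN. `is_mirrored` returns False for Router 2's ACL 104 against Router 3's ACL 103, which names 10.10.0.0 as its destination.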