VPN tunnel not working

Hi,

I have a Cisco 1841 router connecting to our Data Centre Cisco PIX 506E; I used SDM to create the tunnel between them. In the SDM of router 1841, I can see the tunnel is UP, but I can't ping any PC. So can anyone advise how I should fix the problem?

Our configurations are the following:

PIX506E
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name zzz.com
clock timezone HKST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service filetransfer tcp-udp
  description Use for File Transfer
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list hk2-traffic permit ip 192.168.20.0 255.255.255.0 192.168.23.0 255.255.255.0
no pager
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.20.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientvpn esp-des esp-md5-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha2 esp-3des
crypto map mymap 60 ipsec-isakmp
crypto map mymap 60 match address hk2-traffic
crypto map mymap 60 set peer 1.1.1.1
crypto map mymap 60 set transform-set strongsha
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
console timeout 0
dhcpd address 192.168.20.100-192.168.20.200 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

1841 Router:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname aaa
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$fJxA$M5Ox8KKSnJ2ZxNcmnUazZ/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 8
!
crypto pki trustpoint TP-self-signed-3406761375
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3406761375
 revocation-check none
 rsakeypair TP-self-signed-3406761375
!
!
crypto pki certificate chain TP-self-signed-3406761375
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343036 37363133 3735301E 170D3038 30313037 30343033
  31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34303637
  36313337 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D82F 1654D333 AD975471 623E4405 3763BC06 E5B0434C 7C277355 E41C239C
  0DF17C63 7FDF7F8B 80F7CF1E CEB2B552 D8C0DC74 B520AA1A 27A6D32B 3C1FDA31
  DF23538A 1213B337 E5327BB3 CED34631 F3E33DF7 67E58788 BD2E703A EF02BB4E
  6D9742D7 FA7B75A1 3A95FAC8 29710CD9 1434E375 EDF5ECC1 CD597426 77B2A9E8
  50430203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 147DBC1F E84F373C EF11D658 DCB67575 99C97B37
  F1301D06 03551D0E 04160414 7DBC1FE8 4F373CEF 11D658DC B6757599 C97B37F1
  300D0609 2A864886 F70D0101 04050003 8181006C 684794A9 705EED62 AA2F8CD6
  02EC5D42 82E41F8F C5794F33 351BBE74 30A8CD78 CF289D88 1778E2CE 903568D1
  3832DDBC 1D3ACC0D B32B4D97 D7961AE0 553E066F 941DF9A8 21185942 3E8ADB59
  36BA9109 E34B0D97 A640CD72 EDAEC211 E0340B45 074F43D3 E490025F 643D7A0C
  A60201A8 B457F6D0 02BFC672 6E1C96DA A76130
  quit
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****** address 2.2.2.2
!
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set strongsha
 match address to-kddi
!
no ip source-route
ip cef
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$ $FW_OUTSIDE$
 ip address 1.1.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map mymap
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.23.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended to-kddi
 remark SDM_ACL Category=4
 permit ip 192.168.23.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended to-office
 remark SDM_ACL Category=4
 permit ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.23.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 218.103.98.200 0.0.0.7 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.23.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.23.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 202.177.28.62 any
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip 192.168.21.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
Reply to
hauchishum
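A tunnel whose ISAKMP/IPsec SA comes up but carries no traffic is usually a selector problem rather than a crypto problem, and the two things to verify first are (1) that the crypto ACL on each peer is the exact mirror of the other's, and (2) that each side's NAT exemption covers every flow the crypto ACL selects, so the packet is not translated before the crypto map sees it. The script below is an added example (not code from the poster, from Cisco or from SDM) that checks both properties over the access-list lines copied from the two configurations in the post: PIX 6.3 "network mask" syntax for the firewall, IOS "network wildcard" syntax for the router. The function names, the output labels and the ACL subset it understands (plain "permit/deny ip" entries with network, host or any operands) are my own choices.

```python
import ipaddress

# Crypto ACL and NAT lines copied from the two configurations in the post.
# PIX side: crypto map mymap 60 match address hk2-traffic; nat (inside) 0 access-list nonat.
PIX_CRYPTO_ACL = """
access-list hk2-traffic permit ip 192.168.20.0 255.255.255.0 192.168.23.0 255.255.255.0
"""
PIX_NONAT_ACL = """
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.22.0 255.255.255.0
"""
# Router side: crypto map mymap 10 match address to-kddi; NAT via route-map SDM_RMAP_1 -> ACL 101.
IOS_CRYPTO_ACL = """
 permit ip 192.168.23.0 0.0.0.255 192.168.21.0 0.0.0.255
"""
IOS_NAT_ACL = """
access-list 101 deny ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.23.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.23.0 0.0.0.255 any
"""


def _network(addr, mask, wildcard):
    """Build an IPv4Network from 'addr mask'; IOS wildcards are inverted first."""
    if wildcard:
        mask_int = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take(tokens, wildcard):
    """Consume one address operand (any | host X | net mask) and return the rest."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _network(tokens[0], tokens[1], wildcard), tokens[2:]


def parse_acl(text, wildcard):
    """Return [(action, src_net, dst_net)] for 'permit ip'/'deny ip' entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "ip" not in tokens:
            continue
        i = tokens.index("ip")
        action = tokens[i - 1]
        if action not in ("permit", "deny"):
            continue
        src, rest = _take(tokens[i + 1:], wildcard)
        dst, _ = _take(rest, wildcard)
        entries.append((action, src, dst))
    return entries


def mirror_mismatches(local_crypto, peer_crypto):
    """Crypto ACLs must mirror: each local (src, dst) permit must exist on the peer as
    (dst, src) and vice versa. Returns (missing on peer, missing locally), both as
    (src, dst) pairs seen from the side that lacks them."""
    local = {(s, d) for a, s, d in local_crypto if a == "permit"}
    peer_flipped = {(d, s) for a, s, d in peer_crypto if a == "permit"}
    return sorted(local - peer_flipped), sorted(peer_flipped - local)


def unexempted_flows(crypto, nat_acl, pix_style):
    """Flows the crypto ACL selects that the NAT rules would still translate.
    First matching NAT entry decides. PIX 'nat 0 access-list': exempt on permit,
    translated (by nat 1) if nothing matches. IOS route-map NAT: translated on
    permit, exempt on deny, exempt if nothing matches (route-map does not fire)."""
    translated = []
    for a, s, d in crypto:
        if a != "permit":
            continue
        exempt = not pix_style
        for action, ns, nd in nat_acl:
            if s.subnet_of(ns) and d.subnet_of(nd):
                exempt = (action == "permit") if pix_style else (action == "deny")
                break
        if not exempt:
            translated.append((s, d))
    return translated


def analyse():
    """Run both checks over the lines copied from the post; results as plain strings."""
    pix_crypto = parse_acl(PIX_CRYPTO_ACL, wildcard=False)
    ios_crypto = parse_acl(IOS_CRYPTO_ACL, wildcard=True)
    missing_on_router, missing_on_pix = mirror_mismatches(pix_crypto, ios_crypto)
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in pairs]
    return {
        "pix_flows_missing_on_router": fmt(missing_on_router),
        "router_flows_missing_on_pix": fmt(missing_on_pix),
        "pix_flows_still_natted": fmt(unexempted_flows(
            pix_crypto, parse_acl(PIX_NONAT_ACL, wildcard=False), pix_style=True)),
        "router_flows_still_natted": fmt(unexempted_flows(
            ios_crypto, parse_acl(IOS_NAT_ACL, wildcard=True), pix_style=False)),
    }


if __name__ == "__main__":
    for label, flows in analyse().items():
        print(f"{label}: {flows or 'none'}")
```

On the lines from the post it reports that hk2-traffic (192.168.20.0/24 to 192.168.23.0/24) has no mirror in to-kddi (192.168.23.0/24 to 192.168.21.0/24), and that the PIX nonat list has no entry for 192.168.23.0/24, so the PIX would PAT that flow to its outside interface before the crypto map could match it; the router's ACL 101 does exempt its own crypto flow. Whatever the intended subnets are, both checks must come back empty before a ping across the tunnel can be expected to work, and "show crypto ipsec sa" encaps/decaps counters on each side then tell you which direction is still dropping.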
