2 Ciscos - Site-to-Site
  • 2 Ciscos - Site-to-Site

    Hi,
    I'm new to this forum.
    I implemented a site-to-site VPN with two Cisco 877 routers.
    SITE A:
    Public IP Adreess: Static
    Internal IP Adrees: 192.168.0.XXX
    Mask: 255.255.255.0
    SITE B:
    Public IP Adreess: Dynamic
    Internal IP Adress: 192.168.2.XXX
    Mask: 255.255.255.0

    I can ping in both directions, but I cannot access file shares or RDP to any server at site A by its internal IP.
    Here is the site A startup config (secrets masked as XXXX):
    Code:
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! NOTE(review): "password-encryption" is type 7 obfuscation, which is
    ! trivially reversible -- it hides passwords from shoulder-surfing, not
    ! from anyone who has read the config. Any type-7 string that was ever
    ! shown unmasked (the PPP CHAP/PAP credentials below) should be rotated.
    service password-encryption
    service sequence-numbers
    !
    hostname leiria
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 XXXXX.
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    ! The sdm_vpn_* method lists are SDM remote-access (Easy VPN) leftovers;
    ! nothing else in this config references them.
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network sdm_vpn_group_ml_1 local 
    !
    !
    aaa session-id common
    clock timezone London 0
    clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    ! Self-signed certificate backing "ip http secure-server" below.
    crypto pki trustpoint TP-self-signed-822649437
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-822649437
     revocation-check none
     rsakeypair TP-self-signed-822649437
    !
    !
    crypto pki certificate chain TP-self-signed-822649437
     certificate self-signed 01 nvram:IOS-Self-Sig#C.cer
    dot11 syslog
    no ip source-route
    ip cef
    !
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name bpn.local
    !
    multilink bundle-name authenticated
    !
    !
    username admin privilege 15 secret 5 XXXXX
    ! "cps" has no explicit privilege level. The vty lines below carry
    ! "privilege level 15"; confirm this account does not end up at 15 too.
    username cps secret 5 XXXXX! 
    !
    ! IKE phase 1. Only encryption and authentication are set, so hash and
    ! DH group come from the IOS defaults (SHA-1 and group 1, 768-bit MODP).
    ! Group 1 is weak by current standards; move both peers to a larger
    ! group in the same change window, since a mismatch breaks phase 1.
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
    ! Wildcard pre-shared key (0.0.0.0/0): any Internet host that knows the
    ! key can complete phase 1 and, through the dynamic map below, bring up
    ! an SA for the subnets in ACL 100. Unavoidable while site B has no fixed
    ! address, so the key must be long and random; a DDNS name plus a
    ! peer-specific key, or certificates, would remove the wildcard.
    ! "no-xauth" is correct for a LAN-to-LAN peer.
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10
    crypto isakmp nat keepalive 20
    !
    !
    ! Seven identical SDM-generated transform sets; only ESP-3DES-SHA is
    ! referenced (dynamic map below), the rest are clutter. 3DES is a 64-bit
    ! block cipher; esp-aes is preferred, but the set must be changed on
    ! both peers together.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
    ! Clears DF on encapsulated packets so oversized ESP can be fragmented.
    crypto ipsec df-bit clear
    crypto ipsec nat-transparency spi-matching
    !
    ! Dynamic crypto map: accepts the peer from any address (site B is
    ! dynamic). Interesting traffic is ACL 100.
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA 
     match address 100
    !
    !
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
    !
    archive
     log config
      hidekeys
    !
    !
    ip tcp mss 1412
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    ! SDM NAT/QoS scaffolding: the class-map has no match clause and the
    ! out2in policy-map is empty.
    class-map match-all ipnat-class-rmap-SDM_RMAP_1
    !
    !
    policy-map ipnat-policyxx-in2out
     class ipnat-class-rmap-SDM_RMAP_1
    policy-map ipnat-policyxx-out2in
    !         
    !
    !
    !
    interface ATM0
     no ip address
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto 
    !
    interface ATM0.1 point-to-point
     description $ES_WAN$$FW_OUTSIDE$
     pvc 0/35 
      pppoe-client dial-pool-number 1
     !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! LAN side. "ip mtu 1452" on the LAN interface is unusual (the PPPoE MTU
    ! belongs on Dialer0); adjust-mss 1372 already keeps TCP segments small,
    ! so this is probably harmless, but look here first if large transfers
    ! stall while small ones work.
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 192.168.0.254 255.255.255.0
     ip mtu 1452
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1372
    !
    ! Public side. The crypto map and NAT outside both sit here. There is no
    ! inbound access-group on this interface (none anywhere in the config),
    ! so every service the router itself listens on -- telnet, SSH, HTTP(S),
    ! IKE -- is reachable from any Internet address.
    interface Dialer0
     ip address 83.240.167.218 255.255.255.0
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     ip tcp adjust-mss 1412
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname XXXX
     ppp chap password 7 XXXXXXX
     ppp pap sent-username XXXXX password 7 XXXXXXXX
     crypto map SDM_CMAP_1
     service-policy output ipnat-policyxx-in2out
    !
    ip forward-protocol nd
    ! Single default route via Dialer0. This is what carries tunnel traffic
    ! too: the crypto map on Dialer0 encrypts whatever matches ACL 100, so
    ! no static route to 192.168.2.0/24 is needed.
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    !         
    ! Clear-text HTTP management is enabled alongside HTTPS. The access-class
    ! refers to ACL 23, which does not appear in the posted config -- check
    ! "show access-lists 23" and confirm what it permits; without it, HTTP
    ! management is open to whatever can reach Dialer0.
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ! Static port forwards (ICA 1494 and HTTP to .1, RDP to .2).
    ! NOTE(review): these entries carry no route-map, so the NAT exemption
    ! in SDM_RMAP_1 does not apply to them. IOS translates inside->outside
    ! before the crypto map is consulted, so a reply from 192.168.0.2:3389
    ! (or 192.168.0.1:80/1494) towards a site-B host is likely to have its
    ! source rewritten to the Dialer0 address, stop matching ACL 100 and be
    ! sent in the clear -- which would match "ping works, RDP/HTTP to these
    ! hosts does not". Confirm with "show ip nat translations" and the
    ! encaps/decaps counters in "show crypto ipsec sa" before changing
    ! anything; the fix is to exempt tunnel traffic from these static
    ! entries too (static NAT can be qualified with a route-map; check the
    ! syntax this image accepts, the "interface" form may need rewriting
    ! with the explicit public address).
    ip nat inside source static tcp 192.168.0.1 1494 interface Dialer0 1494
    ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
    ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80
    ! Dynamic PAT for everything else, gated by SDM_RMAP_1 / ACL 101.
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    ! No "logging host" is configured, so the trap level has no effect.
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    ! Crypto ACL (interesting traffic). It permits "ip", i.e. every
    ! protocol, not just ICMP; a third site (192.168.1.0/24) is included.
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IP Protect Carregado
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 100 remark IP Protect Matosinhos
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    ! NAT ACL used by SDM_RMAP_1: deny = do not translate. The two "Permit"
    ! entries are shadowed by the denies above them and never match; the
    ! "IPSec Rule" line (destination 0.0.0.0/24) matches nothing real. Net
    ! effect: everything from 192.168.0.0/24 is PAT'd except traffic to the
    ! two remote LANs.
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark IP Deny Carregado
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 remark IP Deny Matosinhos
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 remark IP Permit Carregado
    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 remark IP Permit Matosinhos
    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 192.168.0.0 0.0.0.255 0.0.0.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    !
    control-plane
    !
    ! SDM default banners. (No comments inside a banner -- they would become
    ! banner text.)
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------
     
    Cisco Router and Security Device Manager (SDM) is installed on this device and 
    it provides the default username "cisco" for  one-time use. If you have already 
    used the username "cisco" to login to the router and your IOS image supports the 
    "one-time" user option, then this username has already expired. You will not be 
    able to login to the router with this username after you exit this session.
     
    It is strongly suggested that you create a new username with a privilege level 
    of 15 using the following command.
     
    username <myuser> privilege 15 secret 0 <mypassword>
     
    Replace <myuser> and <mypassword> with the username and password you want to 
    use.
     
    -----------------------------------------------------------------------
    ^C
    banner login ^CAuthorized access only!
     Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    ! vty lines default to exec level 15. Clear-text telnet is accepted
    ! alongside SSH and there is no access-class, so these lines are
    ! reachable from the Internet via Dialer0. Prefer "transport input ssh"
    ! plus an access-class limited to the LAN and the tunnel subnets.
    line vty 0 4
     privilege level 15
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ! Auto-generated by the NTP client; not something to copy elsewhere.
    ntp clock-period 17175067
    ! Unauthenticated NTP from public servers, sourced from Dialer0.
    ntp server 82.219.4.31 source Dialer0 prefer
    ntp server 195.22.25.130 source Dialer0 prefer
    end

  • #2
    Re: 2 Ciscos - Site-to-Site

    SITE B:

    Code:
    Using 6169 out of 131072 bytes
    !
    ! Last configuration change at 13:41:45 London Fri Nov 12 2010 by admin
    ! NVRAM config last updated at 13:42:10 London Fri Nov 12 2010 by admin
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! Type 7 obfuscation only (reversible, not a hash); the PPP credentials
    ! below must be rotated if they were ever shown unmasked.
    service password-encryption
    service sequence-numbers
    !
    hostname bpn-matosinhos
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 XXXXXX.
    !
    ! No AAA on this router (unlike leiria); the lines use "login local".
    no aaa new-model
    clock timezone London 0
    clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    ! Self-signed certificate backing "ip http secure-server" below.
    crypto pki trustpoint TP-self-signed-1999782238
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1999782238
     revocation-check none
     rsakeypair TP-self-signed-1999782238
    !
    !
    crypto pki certificate chain TP-self-signed-1999782238
     certificate self-signed 01 nvram:IOS-Self-Sig#9.cer
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.2.254
    !
    ! LAN DHCP. Clients are handed the ISP resolvers (62.48.131.x), not the
    ! site A AD/DNS server, so they cannot resolve site A names over the
    ! tunnel. If AD names must resolve, point dns-server at 192.168.0.1
    ! (reachable through the VPN) or at a local forwarder. "import all"
    ! additionally copies options learned over PPP into the pool.
    ip dhcp pool ccp-pool1
       import all
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.254 
       dns-server 62.48.131.10 62.48.131.11 
    !
    !
    ! DDNS is only half-configured: the update method below is empty and is
    ! not applied to Dialer0, so no dynamic-DNS name is actually maintained
    ! (which is why leiria needs a wildcard pre-shared key).
    ip domain name dyndns.org
    ip name-server 62.48.131.10
    ip name-server 62.48.131.11
    ip ddns update method sdm_ddns1
    !
    !
    !
    !
    username admin privilege 15 secret 5 XXXXXXX/
    ! 
    !
    ! IKE phase 1; hash and DH group are the IOS defaults (SHA-1, group 1).
    ! Must stay identical to leiria's policy; change both together.
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
    ! Key bound to leiria's static address only (peer-specific, good).
    crypto isakmp key XXXXX address 83.240.167.218 no-xauth
    !
    !
    ! 3DES; prefer esp-aes, changed on both peers in the same window.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec df-bit clear
    !
    ! Static crypto map: this side initiates to leiria's fixed address.
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel BPN Leiria
     set peer 83.240.167.218
     set transform-set ESP-3DES-SHA 
     match address 100
    !
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    interface ATM0
     no ip address
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto 
    !
    interface ATM0.1 point-to-point
     description $FW_OUTSIDE$$ES_WAN$
     pvc 0/35 
      oam-pvc manage
      pppoe-client dial-pool-number 1
     !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !         
    ! LAN side. No "ip mtu" here (leiria sets 1452 on its Vlan1); TCP MSS is
    ! clamped to 1412.
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 192.168.2.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1412
    !
    ! Public side, dynamic address. Crypto map and NAT outside both sit
    ! here. No inbound access-group (none anywhere in the config), so
    ! telnet, SSH, HTTP(S) and IKE on this router answer to any Internet
    ! host.
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname XXXXXXX
     ppp chap password 7 XXXXXXX
     ppp pap sent-username XXXXXXXe password 7 XXXXXXX
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ! The default route via Dialer0 also carries tunnel traffic (the crypto
    ! map on Dialer0 encrypts whatever matches ACL 100); no route to
    ! 192.168.0.0/24 is needed.
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ! Clear-text HTTP and HTTPS management, with no "ip http access-class"
    ! at all -- unrestricted by source address.
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ! NOTE(review): these three entries publish this router's own LAN
    ! address (192.168.2.254) ports 80/443/22 on the public interface, i.e.
    ! they deliberately expose router management -- plain HTTP included --
    ! to the whole Internet. The router already answers on Dialer0 for the
    ! services it runs, so the entries add exposure and nothing else.
    ! Remove them and restrict management with an access-class instead.
    ip nat inside source static tcp 192.168.2.254 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.2.254 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.2.254 22 interface Dialer0 22
    ! Dynamic PAT for everything else, gated by SDM_RMAP_1 / ACL 101.
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    ! No "logging host" is configured, so the trap level is inert.
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=16
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.2.0 0.0.0.255
    ! Crypto ACL. The first entry permits "ip" (all protocols) to site A;
    ! the tcp/udp entries after it are redundant.
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark Leiria
    access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 100 remark All TCP Permit
    access-list 100 permit tcp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 100 remark UDP Permit ALl
    access-list 100 permit udp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    ! NAT ACL used by SDM_RMAP_1: deny = do not translate. The three denies
    ! exempt tunnel traffic to site A (their "Permit" remarks are
    ! misleading). The two "0.0.0.0 255.255.255.0" entries match only
    ! sources whose last octet is 0 and are effectively dead; the final
    ! "permit ip ... any" is what PATs the LAN to the Internet. Adding more
    ! permits below the denies widens NAT, not the tunnel.
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark UDP Permit ALl
    access-list 101 deny   udp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 remark All TCP Permit
    access-list 101 deny   tcp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 remark UDP Permit any
    access-list 101 permit udp 0.0.0.0 255.255.255.0 any
    access-list 101 remark TCP Permit Any
    access-list 101 permit tcp 0.0.0.0 255.255.255.0 any
    access-list 101 remark CCP_ACL Category=2
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    !
    control-plane
    !
    ! Cisco CP default banners. (No comments inside a banner -- they would
    ! become banner text.)
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------
     
    Cisco Configuration Professional (Cisco CP) is installed on this device 
    and it provides the default username "cisco" for  one-time use. If you have 
    already used the username "cisco" to login to the router and your IOS image 
    supports the "one-time" user option, then this username has already expired. 
    You will not be able to login to the router with this username after you exit 
    this session.
     
    It is strongly suggested that you create a new username with a privilege level 
    of 15 using the following command.
     
    username <myuser> privilege 15 secret 0 <mypassword>
     
    Replace <myuser> and <mypassword> with the username and password you 
    want to use.
     
    -----------------------------------------------------------------------
    ^C
    banner login ^CAuthorized access only!
     Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     login local
     no modem enable
     transport output telnet
    line aux 0
     login local
     transport output telnet
    ! Clear-text telnet accepted alongside SSH, no access-class, and exec
    ! level 15 on login -- reachable from the Internet via Dialer0. Prefer
    ! "transport input ssh" plus an access-class limited to the LAN and the
    ! site A subnet.
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ! Auto-generated by the NTP client; not something to copy elsewhere.
    ntp clock-period 17182104
    ! Unauthenticated NTP from public servers, sourced from Dialer0.
    ntp server 84.90.94.144 source Dialer0 prefer
    ntp server 195.22.25.130 source Dialer0 prefer
    end
    Could someone please help me with this? I'm new to Cisco routers.



    • #3
      Re: 2 Ciscos - Site-to-Site

      Fix your configs (mask the secrets): the "service password-encryption" applied to the dialer passwords is type 7 obfuscation, not a hash, and anyone who saw the strings can decode them in seconds - if they were ever posted unmasked, change the PPP credentials with your ISP and the ISAKMP pre-shared key on both routers.



      • #4
        Re: 2 Ciscos - Site-to-Site

        Try a traceroute from your computer and see where the packets go.

        you've got a default route via Dialer0 on both - with the crypto map applied to Dialer0 that default route is what carries the tunnel traffic, so no extra static route between the sites should be needed for the VPN itself.
        it could also be access lists - make sure you allow 192.168.0.0/24 to access 192.168.2.0/24 and vice versa (the crypto ACLs, access-list 100 on each router, and the NAT-exemption deny entries in access-list 101).

        there are some debug commands you could use as well to work out why it's not working (at least compare the encaps/decaps counters in "show crypto ipsec sa" while a connection attempt is running), but I forget the details.



        • #5
          Re: 2 Ciscos - Site-to-Site

          Hi,

          I can ping every machine on either network from the other side, with 100% success.

          I cannot use file shares, RDP to machines, internal DNS, Active Directory/domain logon, etc.

          I have both ACLs, I think.

          What kind of route do you mean?



          • #6
            Re: 2 Ciscos - Site-to-Site

            when you ping the servers on the remote end, are you using IP addresses or host names?

            try using wireshark at one end to see what's happening?
            or debug ?

            see also if you can turn off NAT between the two sites - you want to route from site A to site B and vice versa, and only NAT towards the Internet (the deny entries in access-list 101 on each router are meant to do exactly that; "show ip nat translations" will tell you whether tunnel traffic is being translated anyway)

            you also have hard-set "ip mtu 1452" on R1 (leiria) for both Vlan1 and Dialer0, but on R2 it's only on Dialer0
            could be important, could not matter at all

            i'm merely taking pot shots at things I think it could be here



            • #7
              Re: 2 Ciscos - Site-to-Site

              Hi,

              I'm using internal IPs, e.g.:

              SITE B:
              From IP: 192.168.2.1

              TO

              SITE A:
              To: 192.168.0.1 | 192.168.0.2 | etc...

              I can ping all the IPs, and vice versa. If I try to ping by host name it fails, because I cannot resolve DNS names from the site A AD/DNS server (192.168.0.1; host name: server).



              • #8
                Re: 2 Ciscos - Site-to-Site

                can you telnet to the administrative interface of the router at the remote end?

                ie, from Router1, telnet to the internal interface (192.168.2.254) of the other router? Source the test from the LAN side - e.g. "telnet 192.168.2.254 /source-interface Vlan1" - because a router-originated telnet otherwise uses the Dialer0 address, which is not in the crypto ACL, so it leaves unencrypted and times out even when the tunnel is fine.



                • #9
                  Re: 2 Ciscos - Site-to-Site

                  Hi,

                  No, I cannot telnet to either internal interface:

                  leiria#telnet 192.168.2.254
                  Trying 192.168.2.254 ...
                  % Connection timed out; remote host not responding
                  bpn-matosinhos#telnet 192.168.0.254
                  Trying 192.168.0.254 ...
                  % Connection timed out; remote host not responding
                  What does this mean?



                  • #10
                    Re: 2 Ciscos - Site-to-Site

                    it sounds like you're only allowing ICMP across your tunnel (though note that access-list 100 on both routers permits "ip", i.e. all protocols, and a telnet sourced from the router's own Dialer0 address would not enter the tunnel regardless - check the encaps/decaps counters in "show crypto ipsec sa" during an RDP attempt before changing the ACLs)



                    • #11
                      Re: 2 Ciscos - Site-to-Site

                      Hi,

                      And how can I allow TCP and UDP?
                      I have added:

                      access-list 101 permit tcp 192.168.2.0 0.0.0.255 any
                      access-list 101 permit udp 192.168.2.0 0.0.0.255 any

                      But it doesn't work... Could someone please help me?

                      Sincerely,
                      msource
