Question : Problem: Cisco NAT & VPN problems - review

I have 2 Cisco 1710 VPN access routers with 12.3 IOS with 3DES encryption.
I have a router in St. Pete and one in Chicago.

I can get the VPN up and I can ping the Chicago address to the St. Pete address, but what I can't figure out is some traffic must not be getting through the tunnel.

I need to browse (NetBIOS) from one site to the other; we have Win 2003 servers that need to communicate, but something is not working. Can't authenticate from Chicago to the St. Pete domain.
Below are the configs for both routers.


Chicago Router ------------------------------------------------------------
!
version 12.3
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Chicago
!
!logging buffered 4096 debugging
!logging rate-limit console 10 except errors
enable secret 123
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.141.192.60
ip name-server 206.141.193.55
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key somekey address xxx.xxx.184.100
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer xxx.xxx.184.100
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 111

!This is so that nating does not happen when its tunnel traffic
interface loopback 1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 description Connection to Internet
 ip address yy.yyy.173.186 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.2.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT yy.yyy.173.186 yy.yyy.173.186 netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload
!
ip nat inside source static tcp 192.168.2.2 3389 yy.yyy.173.186 3389 extendable
! WebServer
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 yy.yyy.173.190
no ip http server
!
!
access-list 101 permit esp any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 101 permit udp host xxx.xxx.184.100 host yy.yyy.173.186 eq isakmp
access-list 101 permit esp host xxx.xxx.184.100 host yy.yyy.173.186
access-list 101 permit ahp host xxx.xxx.184.100 host yy.yyy.173.186
access-list 101 permit ip host xxx.xxx.184.100 any
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any
access-list 101 permit udp any any tftp
access-list 101 permit tcp any host yy.yyy.173.186 eq 3389
access-list 101 deny   ip any any
!
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 103 deny   udp any any eq 21331
access-list 103 deny   tcp any any eq 139
access-list 103 deny   tcp any any eq 445
access-list 103 deny   udp any any eq tftp
access-list 103 deny   tcp any any eq 69
access-list 103 permit ip any any
!
!

access-list 104 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
!
!
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 120 deny ip 192.168.2.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
  match ip address 120
  set ip next-hop 10.1.1.2
!
!
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password 123 login
line vty 5 15
 login
!
end


----------------------------------
St. Pete router
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname StPete
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret 123
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.222.97.50
ip name-server 206.222.97.82
ip name-server 216.21.234.74
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
crypto isakmp key somekey address yy.yyy.173.186
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer yy.yyy.173.186
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 111
!
!
!
!This is so that nating does not happen when its tunnel traffic
interface loopback 1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 description Connection to Internet
 ip address xxx.xxx.184.100 255.255.255.224
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT xxx.xxx.184.100 xxx.xxx.184.100 netmask 255.255.255.192
ip nat inside source list 104 pool NAT overload
!
ip nat inside source static tcp 192.168.0.2 3389 xxx.xxx.184.100 3389 extendable
ip nat inside source static tcp 192.168.0.2 80 xxx.xxx.184.100 80 extendable
ip nat inside source static tcp 192.168.0.2 25 xxx.xxx.184.100 25 extendable
ip nat inside source static tcp 192.168.0.2 110 xxx.xxx.184.100 110 extendable
ip nat inside source static tcp 192.168.0.2 443 xxx.xxx.184.100 443 extendable
ip nat inside source static tcp 192.168.0.2 53 xxx.xxx.184.100 53 extendable
ip nat inside source static tcp 192.168.0.2 21 xxx.xxx.184.100 21 extendable
ip nat inside source static udp 192.168.0.2 53 xxx.xxx.184.100 53 extendable
!
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.6
ip route 0.0.0.0 0.0.0.0 xxx.xxx.184.97
no ip http server
!
!
!
!
access-list 101 permit esp any any
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log-input
access-list 101 permit udp host yy.yyy.173.186 host xxx.xxx.186.100 eq isakmp
access-list 101 permit esp host yy.yyy.173.186 host xxx.xxx.186.100
access-list 101 permit ahp host yy.yyy.173.186 host xxx.xxx.186.100
access-list 101 permit ip host yy.yyy.173.186 any
!
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq tftp
access-list 101 permit tcp any host xxx.xxx.184.100 eq 3389
access-list 101 permit tcp any host xxx.xxx.184.100 eq 25
access-list 101 permit tcp any host xxx.xxx.184.100 eq 110
access-list 101 permit tcp any host xxx.xxx.184.100 eq 80
access-list 101 permit tcp any host xxx.xxx.184.100 eq 443
access-list 101 permit tcp any host xxx.xxx.184.100 eq 53
access-list 101 permit udp any host  xxx.xxx.184.100 eq 53
access-list 101 permit tcp any host xxx.xxx.184.100 eq 21

access-list 101 deny ip any any log
!
!
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 103 deny   udp any any eq 21331
access-list 103 deny   tcp any any eq 139
access-list 103 deny   tcp any any eq 445
access-list 103 deny   udp any any eq tftp
access-list 103 deny   tcp any any eq 69
access-list 103 permit ip any any
!
!
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
!
!
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 log-input
access-list 120 deny ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
  match ip address 120
  set ip next-hop 10.1.1.2
!
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password 123
 login
line vty 5 15
 login
!
end

-----------------------------------------------

I should be able to browse from Chicago to St. Pete. I should be able to have a computer join a domain located in St. Pete. I should be able to authenticate a computer user logging on in Chicago to the server in St. Pete (DNS on the Win 2003 box points to the St. Pete domain DNS).

George.

Answer : Problem: Cisco NAT & VPN problems - review

Couple of things here:

>set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
Choose ONE transform set common to both ends; do not use all 5.


>!This is so that nating does not happen when its tunnel traffic
interface loopback 1
 ip address 10.1.1.1 255.255.255.0
>route-map nonat permit 10
  match ip address 120
  set ip next-hop 10.1.1.2
!

There is a better way to do this. Take the route-map off of the LAN interface and apply it instead to the NAT process (mirrored on both sides):

route-map nonat permit 10
 match ip address 122

access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any

no ip nat inside source list 104 pool NAT overload
ip nat inside source route-map nonat pool NAT overload

interface fastethernet 0
 no ip policy route-map nonat

While troubleshooting, just remove ACL 103 from the Ethernet interface. I see you've already removed 101 from the outside interface...
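To make the NAT-exemption change above concrete, here is an added example (my own Python, not George's configs or the answerer's IOS commands) that models how IOS picks packets for `ip nat inside source`: the packet is translated only when the selecting ACL (directly, or through `route-map ... match ip address`) *permits* it, and a `deny` or no match leaves it untranslated. The model takes the St. Pete side's addresses from the posted configs, compares the original `access-list 104` with the proposed `access-list 122`, and uses constructed sample packets (192.168.0.10, 192.168.2.20, 8.8.8.8, 192.168.1.5 are my test values). Only plain `ip` entries are parsed, which is all the NAT selectors here use.

```python
"""Model of the IOS NAT selection decision (added example, not IOS code).

Translation happens only when the selecting ACL permits the packet; a deny
entry, or falling off the end of the list (implicit deny), means no NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS writes 'address wildcard'; the wildcard is the inverse of the mask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_target(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return _wildcard_to_network(kw, tokens.pop(0))


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST [log-input]' lines, in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue                      # only plain 'ip' entries are modelled
        rest = tokens[4:]                 # trailing 'log' / 'log-input' is simply unused
        src = _parse_target(rest)
        dst = _parse_target(rest)
        entries.append(AclEntry(tokens[2], src, dst))
    return entries


def first_match(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """Top-down first match, as IOS evaluates ACLs; None models the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in entries:
        if s in entry.src and d in entry.dst:
            return entry
    return None


def nat_applies(selector: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """True when 'ip nat inside source list/route-map' would translate the packet."""
    match = first_match(selector, src_ip, dst_ip)
    return match is not None and match.action == "permit"


# Selectors taken from the thread (St. Pete side).
ORIGINAL_LIST_104 = parse_acl([
    "access-list 104 permit ip 192.168.0.0 0.0.0.255 any",
])
PROPOSED_LIST_122 = parse_acl([
    "access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 122 permit ip 192.168.0.0 0.0.0.255 any",
])

# Constructed sample packets (source, destination) for the comparison.
SAMPLE_PACKETS = [
    ("192.168.0.10", "192.168.2.20"),   # St. Pete LAN -> Chicago LAN (should ride the tunnel)
    ("192.168.0.10", "8.8.8.8"),        # St. Pete LAN -> Internet (should be translated)
    ("192.168.1.5", "8.8.8.8"),         # the 192.168.1.0/24 subnet behind 192.168.0.6
]


def main() -> None:
    print(f"{'source':>14} {'destination':>14}  list 104  list 122")
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>14} {dst:>14}  {nat_applies(ORIGINAL_LIST_104, src, dst)!s:>8}"
              f"  {nat_applies(PROPOSED_LIST_122, src, dst)!s:>8}")


if __name__ == "__main__":
    main()
```

With list 104 the LAN-to-LAN packet is translated to the public address before the crypto map sees it, so it no longer matches ACL 111 and never enters the tunnel; that is the problem the loopback/policy-route trick in the posted configs works around. List 122 denies that flow to NAT and permits everything else, so no policy routing is needed. Two things the model also surfaces from the posted configs: the 192.168.1.0/24 route on the St. Pete router is covered by neither list 104/122 nor crypto ACL 111, so hosts there would be neither translated nor tunnelled by these rules; and the St. Pete ACL 101 peer entries name xxx.xxx.186.100 while the outside interface is xxx.xxx.184.100, which is harmless while 101 is unapplied but worth correcting before it goes back on the interface.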


