site-to-site VPN between a 1721 and a 857



Hello there. I am rather new at this, but I spent quite some time on it with
not much of a result so far. Here's the situation: I have set up a site-to-
site VPN between a Cisco 1721 and a Cisco 857. The tunnel comes up, and I
can do some things across it, like:

- from a machine in LAN A, I can ping the interface of the other router in
LAN B.
- I can do the opposite as well.
- but, when I ping a machine of LAN B from a machine of LAN A, only the
first packet comes back! This is also true if I ping A from B. If I wait a
couple of minutes, I can do it again, and with the same result: first packet
gets an answer, not the others!

For those interested in the problem, here are sanitized configs:

On the 857 side:
---
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname company-gentilly
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
username theboss privilege 15 password 0 password
clock timezone PCTime 1
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.241.151.64 10.241.151.254
ip dhcp ping timeout 1000
!
ip dhcp pool sdm-pool
import all
network 10.241.151.0 255.255.255.0
default-router 10.241.151.254
dns-server 10.241.17.2 80.80.80.1
netbios-name-server 10.241.17.10
!
ip dhcp pool poste1
host 10.241.151.1 255.255.255.0
client-identifier 0040.ca5e.0b05
client-name poste1
!
ip dhcp pool poste2
host 10.241.151.2 255.255.255.0
client-identifier 0010.b5ff.ac9d
client-name poste2
!
ip dhcp pool imprimante
host 10.241.151.10 255.255.255.0
client-identifier 0001.e6aa.ea8b
client-name imprimante
!
!
no ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip name-server 80.80.80.1
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key a1s2d3f4g5 address 81.81.81.216
crypto isakmp key a1s2d3f4g5 address 81.171.158.190
!
!
crypto ipsec transform-set togodo-transform-set esp-des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set md5-des-tunnel esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel vers siege company
set peer 81.81.81.216
set security-association lifetime seconds 86400
set transform-set togodo-transform-set
set pfs group2
match address 102
reverse-route
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel vers UK
set peer 81.171.158.190
set transform-set togodo-transform-set
match address 103
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.241.151.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname togodocompany8@xxxxxxxxxxxxxxxxxxx
ppp chap password 0 pbofsa123*
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat outside source static tcp 81.81.81.224 5901 10.241.151.1 5900 extendable
ip nat outside source static tcp 81.81.81.224 5902 10.241.151.2 5900 extendable
ip nat outside source static tcp 81.81.81.224 5903 10.241.151.3 5900 extendable
ip nat outside source static tcp 81.81.81.224 5904 10.241.151.4 5900 extendable
ip nat outside source static tcp 81.81.81.224 5905 10.241.151.5 5900 extendable
!
ip access-list extended NAT-togodo
remark NAT togodo
remark SDM_ACL Category=2
remark IPSec Rule
deny ip 10.241.151.0 0.0.0.255 10.217.100.0 0.0.0.255
remark IPSec Rule
deny ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
permit ip 10.241.151.0 0.0.0.255 any
!
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 81.81.81.218 log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.217.100.0 0.0.0.255 10.241.151.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
access-list 101 permit udp host 81.81.81.216 any eq non500-isakmp
access-list 101 permit udp host 81.81.81.216 any eq isakmp
access-list 101 permit esp host 81.81.81.216 any
access-list 101 permit ahp host 81.81.81.216 any
access-list 101 remark Auto generated by SDM for NTP (123) 192.93.2.20
access-list 101 permit udp host 192.93.2.20 eq ntp host 81.81.81.224 eq ntp
access-list 101 permit ahp host 81.81.81.216 host 81.81.81.224
access-list 101 permit esp host 81.81.81.216 host 81.81.81.224
access-list 101 permit udp host 81.81.81.216 host 81.81.81.224 eq isakmp
access-list 101 permit udp host 81.81.81.216 host 81.81.81.224 eq non500-isakmp
access-list 101 permit ahp host 81.171.158.190 host 81.81.81.224
access-list 101 permit esp host 81.171.158.190 host 81.81.81.224
access-list 101 permit udp host 81.171.158.190 host 81.81.81.224 eq isakmp
access-list 101 permit udp host 81.171.158.190 host 81.81.81.224 eq non500-isakmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.217.0.0 0.0.255.255 10.241.151.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.217.100.0 0.0.0.255 10.241.150.0 0.0.0.255
access-list 101 permit udp host 81.171.158.190 any eq non500-isakmp
access-list 101 permit udp host 81.171.158.190 any eq isakmp
access-list 101 permit esp host 81.171.158.190 any
access-list 101 permit ahp host 81.171.158.190 any
access-list 101 remark Auto generated by SDM for NTP (123) 192.93.2.20
access-list 101 permit udp host 192.93.2.20 eq ntp any eq ntp
access-list 101 permit udp host 80.80.80.1 eq domain any
access-list 101 remark telnet routeur depuis Internet
access-list 101 permit tcp any host 81.81.81.224 eq telnet
access-list 101 remark ping routeur depuis Internet
access-list 101 permit icmp any host 81.81.81.224
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit ip any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any range 5900 5905 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.241.151.0 0.0.0.255 10.217.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address NAT-togodo
!
route-map SDM_RMAP_2 permit 1
match ip address NAT-togodo
!
!
control-plane
!
banner login ^CVous etes connecte au routeur company de Gentilly.
Acces reserve au personnel autorise.
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp server 192.93.2.20 source Dialer0 prefer
end

---

and then on the 1721 side:

---
!
! Last configuration change at 06:58:14 PCTime Tue Aug 30 2005 by aradmin
! NVRAM config last updated at 12:06:35 PCTime Mon Aug 29 2005 by aradmin
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname company-fr
!
logging queue-limit 100
logging buffered 51200 warnings
!
username aradmin privilege 15 secret 5 $1$CZCt$0xqhM4wPDwcr2fEnbDQzm0
username RaphaelVanney privilege 15 secret 5 $1$tZTu$p/oO90je8QmjtPpbQ4AU81
username pppin password 0 password
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
aaa user profile RaphaelVanney
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name yourdomain.com
ip name-server 80.80.80.1
!
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name company-siege
pptp tunnel echo 15
pptp flow-control receive-window 5
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp policy 3
authentication pre-share
group 2
crypto isakmp key 0 a1s2d3f4g5 address 81.81.81.224
!
crypto isakmp client configuration group togodo-pptp-clients
dns 10.241.17.2 10.241.17.15
wins 10.241.17.10
pool SDM_POOL_1
save-password
!
!
crypto ipsec transform-set togodoTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set pptp-togodo esp-des esp-md5-hmac
crypto ipsec transform-set UKTransformSet esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel vers Gentilly
set peer 81.81.81.224
set security-association lifetime seconds 86400
set transform-set togodoTransformSet
set pfs group2
match address 100
reverse-route
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM1
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM1.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
description reseau local$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$
ip address 10.241.16.2 255.255.240.0
ip nat inside
speed auto
!
interface Virtual-Template1
ip unnumbered Dialer2
ip nat inside
peer default ip address pool default
ppp authentication ms-chap
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname togodocompany2@xxxxxxxxxxxxxxxxxxx
ppp chap password 0 pbofsa123*
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname togodocompany@xxxxxxxxxxxxxxxxxxx
ppp chap password 0 pbofsa123*
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.241.15.100 10.241.15.199
ip local pool default 10.241.14.100 10.241.14.199
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
ip access-list extended NAT-togodo
remark SDM_ACL Category=2
remark IPSec Rule
deny ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
deny ip any host 10.241.15.100
deny ip any host 10.241.15.101
deny ip any host 10.241.15.102
deny ip any host 10.241.15.103
deny ip any host 10.241.15.104
deny ip any host 10.241.15.105
deny ip any host 10.241.15.106
deny ip any host 10.241.15.107
deny ip any host 10.241.15.108
deny ip any host 10.241.15.109
deny ip any host 10.241.15.110
deny ip any host 10.241.15.111
deny ip any host 10.241.15.112
deny ip any host 10.241.15.113
deny ip any host 10.241.15.114
deny ip any host 10.241.15.115
deny ip any host 10.241.15.116
deny ip any host 10.241.15.117
deny ip any host 10.241.15.118
deny ip any host 10.241.15.119
deny ip any host 10.241.15.120
deny ip any host 10.241.15.121
deny ip any host 10.241.15.122
deny ip any host 10.241.15.123
deny ip any host 10.241.15.124
deny ip any host 10.241.15.125
deny ip any host 10.241.15.126
deny ip any host 10.241.15.127
deny ip any host 10.241.15.128
deny ip any host 10.241.15.129
deny ip any host 10.241.15.130
deny ip any host 10.241.15.131
deny ip any host 10.241.15.132
deny ip any host 10.241.15.133
deny ip any host 10.241.15.134
deny ip any host 10.241.15.135
deny ip any host 10.241.15.136
deny ip any host 10.241.15.137
deny ip any host 10.241.15.138
deny ip any host 10.241.15.139
deny ip any host 10.241.15.140
deny ip any host 10.241.15.141
deny ip any host 10.241.15.142
deny ip any host 10.241.15.143
deny ip any host 10.241.15.144
deny ip any host 10.241.15.145
deny ip any host 10.241.15.146
deny ip any host 10.241.15.147
deny ip any host 10.241.15.148
deny ip any host 10.241.15.149
deny ip any host 10.241.15.150
deny ip any host 10.241.15.151
deny ip any host 10.241.15.152
deny ip any host 10.241.15.153
deny ip any host 10.241.15.154
deny ip any host 10.241.15.155
deny ip any host 10.241.15.156
deny ip any host 10.241.15.157
deny ip any host 10.241.15.158
deny ip any host 10.241.15.159
deny ip any host 10.241.15.160
deny ip any host 10.241.15.161
deny ip any host 10.241.15.162
deny ip any host 10.241.15.163
deny ip any host 10.241.15.164
deny ip any host 10.241.15.165
deny ip any host 10.241.15.166
deny ip any host 10.241.15.167
deny ip any host 10.241.15.168
deny ip any host 10.241.15.169
deny ip any host 10.241.15.170
deny ip any host 10.241.15.171
deny ip any host 10.241.15.172
deny ip any host 10.241.15.173
deny ip any host 10.241.15.174
deny ip any host 10.241.15.175
deny ip any host 10.241.15.176
deny ip any host 10.241.15.177
deny ip any host 10.241.15.178
deny ip any host 10.241.15.179
deny ip any host 10.241.15.180
deny ip any host 10.241.15.181
deny ip any host 10.241.15.182
deny ip any host 10.241.15.183
deny ip any host 10.241.15.184
deny ip any host 10.241.15.185
deny ip any host 10.241.15.186
deny ip any host 10.241.15.187
deny ip any host 10.241.15.188
deny ip any host 10.241.15.189
deny ip any host 10.241.15.190
deny ip any host 10.241.15.191
deny ip any host 10.241.15.192
deny ip any host 10.241.15.193
deny ip any host 10.241.15.194
deny ip any host 10.241.15.195
deny ip any host 10.241.15.196
deny ip any host 10.241.15.197
deny ip any host 10.241.15.198
deny ip any host 10.241.15.199
deny ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
permit ip 10.241.16.0 0.0.15.255 any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.241.16.0 0.0.15.255 10.217.100.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address NAT-togodo
!
radius-server authorization permit missing Service-Type
banner login ^C
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
session-timeout 35791
transport input telnet ssh
line vty 5 15
session-timeout 35791
transport input telnet ssh
!
ntp clock-period 17179985
ntp server 138.195.130.71 source Dialer2 prefer
!
end

---

Thanks for any ideas,

R.
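A check worth running on the two configs above, as an added example that is not part of the original post or of any Cisco tool: it parses each side's crypto-map ACL and NAT-exemption ACL (excerpts reconstructed inline from the posted configs) and verifies that the two interesting-traffic definitions are mirror images of each other and that this traffic hits a deny in the NAT ACL, so it is not translated before it reaches the crypto map. The function names and the excerpts are mine.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpts of the two posted configs: crypto-map ACL and NAT-exemption ACL per side.
CFG_857 = """\
ip access-list extended NAT-togodo
 deny ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
 permit ip 10.241.151.0 0.0.0.255 any
access-list 102 permit ip 10.241.151.0 0.0.0.255 10.241.16.0 0.0.15.255
"""
CFG_1721 = """\
ip access-list extended NAT-togodo
 deny ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
 permit ip 10.241.16.0 0.0.15.255 any
access-list 100 permit ip 10.241.16.0 0.0.15.255 10.241.151.0 0.0.0.255
"""

def parse_endpoint(tokens):
    """Consume one ACE address term (any | host A | A WILDCARD) and return an IPv4Network."""
    tok = tokens.pop(0)
    if tok in ("any", "host"):
        return IPv4Network("0.0.0.0/0" if tok == "any" else tokens.pop(0) + "/32")
    wildcard = int(IPv4Address(tokens.pop(0)))  # contiguous wildcard assumed: 0.0.15.255 -> /20
    return IPv4Network((tok, 32 - wildcard.bit_length()), strict=False)
def parse_acls(config):
    """Return {acl name or number: [(action, src, dst), ...]} for the plain 'ip' ACEs."""
    acls, current = {}, None
    for t in (line.split() for line in config.splitlines()):
        if not t or t[0] == "remark":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
        elif t[0] == "access-list":
            current, t = t[1], t[2:]
        elif t[0] not in ("permit", "deny"):
            current = None  # any other top-level command ends a named ACL
        if current and t[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = t[2:]
            acls.setdefault(current, []).append((t[0], parse_endpoint(rest), parse_endpoint(rest)))
    return acls
def first_match(acl, src, dst):
    """Router first-match semantics for a src->dst flow, with the implicit deny at the end."""
    return next((a for a, s, d in acl if src.subnet_of(s) and dst.subnet_of(d)), "deny")
def check_pair(cfg_a, crypto_a, cfg_b, crypto_b, nat="NAT-togodo"):
    """Findings (empty = consistent): each crypto permit needs its mirror on the peer and a NAT deny."""
    sides = (("A", parse_acls(cfg_a), crypto_a), ("B", parse_acls(cfg_b), crypto_b))
    findings = []
    for (me, mine, cm), (peer, theirs, cp) in (sides, sides[::-1]):
        peer_flows = {(s, d) for a, s, d in theirs[cp] if a == "permit"}
        for a, s, d in mine[cm]:
            if a == "permit" and (d, s) not in peer_flows:
                findings.append(f"{me}: {s}->{d} has no mirror entry in {peer}'s crypto ACL")
            if a == "permit" and first_match(mine.get(nat, []), s, d) != "deny":
                findings.append(f"{me}: {s}->{d} is NATed before encryption ({nat})")
    return findings
```

On the posted excerpts the check returns no findings, which rules out mismatched crypto ACLs and a missing NAT exemption as the cause; it does not cover the inbound ACL 101 or the `ip inspect` policy on the 857's Dialer0, which a full review would look at next.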
