I have Cisco 2811 router in a local office and in a remote office.
I am attempting to configure these routers to support the following:
a) Site to Site VPN connectivity between two routers
b) Local office router to support web server, email server and ftp server.
I have subscribed to SBC's DSL service with 5 static IPs.
The global public IP is let us say AAA.AAA.AAA.AAA.
All servers point to the public IP BBB.BBB.BBB.BBB.
VPN Connectivity:
It is up. A local host (PC) can map a remote host's C drive as a network drive. However, it cannot see the contents of this network drive.
Any suggestions why this could be happening?
Servers:
Let us take the ftp server. It can receive the user information and it furnishes the data; however, the data never makes it to the user. This is true for all other servers as well.
Any suggestions for this?
Thanks in advance for any help that you could provide me in resolving this.
Regards,
-ketan
ASKED: January 25, 2006 5:35 PM
UPDATED: January 30, 2006 12:23 PM
What happens when you map to a share on the remote PC? You can also try remotepcname or x.x.x.x (input the IP of the remote PC) in the address bar to view shares on that PC.
On a different note, does your DSL require PPPoE? I am trying to set up a similar setup but haven't found the config info for the PPPoE config on the router. Can you forward me a copy of one of your router-DSL configs?
If you have the routers under SmartNet, just go to the Cisco TAC site and ask; they usually get back pretty fast.
Otherwise I think you start at config t and then crypto from there. I am not sure; here is the info I received from them for a normal VPN connection:
Create a group that will be used to specify the Windows Internet Naming Service (WINS) and Domain Naming Service (DNS) server addresses to the client, along with the pre-shared key for authentication.
Example:
crypto isakmp client configuration group 3000client key cisco123 dns 14.1.1.10 wins 14.1.1.20 domain cisco.com pool ippool
You can use the current IP pool that you have for the current VPN group. I did notice that you don't type the whole line; it's just up to "client configuration" and then you add the domain and DNS through the command lines.
Hope this helps a little.
1. Router is not under smartnet contract. I therefore will have to figure this out myself and if not then end up purchasing one.
2. When I map a network drive, it does show up in Windows Explorer as a drive. However, when this drive is clicked to show its content, it keeps showing a spinning wheel and finally comes back with a message that the drive is not accessible or something like that.
I have to believe that many must have implemented this solution and it works for them. I need help with a pointer as to what I could possibly be doing wrong.
4. Regarding the servers. I can access the web site behind the router just fine. However, when trying to access the web site from outside, it is not sending the data out. Is there some access-list that needs to be set up to allow this?
5. The following configuration for DSL connectivity was produced with SDM that comes with the IOS with the router.
interface Dialer0
description $FW_OUTSIDE$
ip address xx.xx.xx.xx xx.xx.xx.xx
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXX
crypto map SDM_CMAP_1
Regards,
-ketan
Your question – Is there some access-list that needs to be setup to allow this? – demonstrates clearly you need some help.
I am not saying this in a mean way, I am saying this because it is a fact. If you are not familiar with Access Lists, and knowing to open port 80 on an inbound ACL bound to the outside interface of the router, then you clearly do not want to be configuring someone's network by yourself.
That being said, keep in mind that if you can connect via the VPN and see the mapped drive, and there is no disconnect icon on it, then you don’t need to worry about connectivity issues. Even name resolution as has been mentioned must already be functioning for you to map the drive in the first place.
It sounds like sharing may be incorrectly set, or a timeout issue is occurring, but seriously, you need a consultant.
Good luck
Chris Weber
Layer9corp.com
Let me post my Cisco’s router configuration file, if anyone can notice something unusual or wrong:
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.123-8.T8.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxx
!
username xxxx privilege 15 secret 5 xxxx
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server SBC_DNS1_Address SBC_DNS2_Address
default-router 192.168.1.1
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server SBC_DNS1_Address
ip name-server SBC_DNS2_Address
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key PreShared_KEY address RemoteSITEAddress
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toRemoteSITEAddress
set peer RemoteSITEAddress
set security-association lifetime seconds 86340
set security-association idle-time 86340
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address SBC_PROVIDED_GATEWAY_IP_ADD 255.255.255.248
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xx password 7 xx
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static 192.168.1.4 PUBLIC_IP_FOR_SERVER route-map nonat
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip host 192.168.1.4 192.168.0.0 0.0.0.255
access-list 102 permit ip host 192.168.1.4 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip SBC_PROVIDED_PUBLIC_IP_ADDR 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host PUBLIC_IP_FOR_SERVER
access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER
access-list 104 permit udp host SBC_DNS1 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit udp host SBC_DNS2 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit ahp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit esp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq isakmp
access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq non500-isakmp
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS echo-reply
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS time-exceeded
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map nonat permit 1
match ip address 102
!
!
!
!
control-plane
!
!
!
!
!
Some commands for VTY (Not relevant for the issue)
!
scheduler allocate 20000 1000
!
end
Network local to this router is 192.168.1.1 255.255.255.0
Traffic to encrypt and pass across the VPN Tunnel = match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 (what subnet is this going to? You should define the subnet if possible)
Traffic to filter with access-list 103
interface FastEthernet0/0
ip access-group 103 in (This will filter traffic from the private 192.168.1.0 network to the router) Is this needed? You mainly want to filter inbound at the dialer 0 interface.
access-list 103 deny ip SBC_PROVIDED_PUBLIC_IP_ADDR 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
Traffic to filter with access-list 104
interface Dialer0
ip access-group 104 in
access-list 104 permit udp any host PUBLIC_IP_FOR_SERVER
access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER eq http *need to add http if it is a website server otherwise all ports to the server will be open*
access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER eq https *need to add https if it is a website server otherwise all ports to the server will be open*
access-list 104 permit ahp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit esp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq isakmp
access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq non500-isakmp
access-list 104 permit ip 192.168.0.0 0.0.0.255 *The remote private subnet should be defined here 192.168.1.0 0.0.0.255
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS echo-reply
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS time-exceeded
access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS unreachable
Is this required by SBC?
access-list 104 permit udp host SBC_DNS1 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
access-list 104 permit udp host SBC_DNS2 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
These are private IP networks; they wouldn't be on the public side of the router, which is what access-list 104 applies to
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
route-map SDM_RMAP_1 permit 1
match ip address 101
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source static 192.168.1.4 PUBLIC_IP_FOR_SERVER route-map nonat
route-map nonat permit 1
match ip address 102
access-list 102 deny ip host 192.168.1.4 192.168.0.0 0.0.0.255
access-list 102 permit ip host 192.168.1.4 any
Don't see a reference for this Access-list
access-list 1 permit 192.168.1.0 0.0.0.255
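Two of the points in the review above lend themselves to a mechanical check: an unqualified "permit tcp any host PUBLIC_IP_FOR_SERVER" in ACL 104 opens every TCP port on the server, and the "deny" for the remote LAN in ACL 101 (behind route-map SDM_RMAP_1) is what keeps tunnel traffic out of the overload NAT. The script below is an added example, not code from the thread or from any of its posters. It is a small first-match evaluator for Cisco numbered ACLs, run over the posted entries with constructed TEST-NET addresses standing in for the placeholders (203.0.113.145 for PUBLIC_IP_FOR_SERVER, 203.0.113.150 for the gateway address, 198.51.100.1 for the remote peer). It only understands the keywords this config uses (any/host/wildcard, eq, protocol names) and ignores ICMP type keywords and log. The statement that IOS applies NAT before encryption on the inside-to-outside path is IOS behaviour, not something taken from the thread.

```python
"""First-match evaluator for Cisco IOS numbered ACLs (added example, see lead-in).
Addresses are constructed TEST-NET stand-ins for the thread's placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "isakmp": 500,
              "non500-isakmp": 4500, "ftp": 21, "smtp": 25}

# The posted ACLs 100, 101 and 104, with placeholders filled in (constructed values).
CONFIG_AS_POSTED = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit udp any host 203.0.113.145
access-list 104 permit tcp any host 203.0.113.145
access-list 104 permit esp host 198.51.100.1 host 203.0.113.150
access-list 104 permit udp host 198.51.100.1 host 203.0.113.150 eq isakmp
access-list 104 permit udp host 198.51.100.1 host 203.0.113.150 eq non500-isakmp
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp any host 203.0.113.150 echo-reply
access-list 104 deny ip any any log
"""
# The reviewer's tightening: only the web ports reach the server over TCP.
CONFIG_TIGHTENED = CONFIG_AS_POSTED.replace(
    "access-list 104 permit tcp any host 203.0.113.145\n",
    "access-list 104 permit tcp any host 203.0.113.145 eq http\n"
    "access-list 104 permit tcp any host 203.0.113.145 eq https\n")

@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]         # None = any port
    dport: Optional[int]

def _addr(t: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # A wildcard mask is an inverted netmask: 0.0.0.255 -> 255.255.255.0 (/24).
    netmask = ~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((t[i], str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, i + 2

def _port(t: List[str], i: int):
    """Parse an optional 'eq NAME|NUMBER' at t[i]; unknown names raise ValueError."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group 'access-list N permit|deny ...' lines by number. Remarks are skipped;
    ICMP type keywords and a trailing 'log' are ignored (not needed for the checks)."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        if int(t[1]) < 100:                      # standard ACL: source address only
            proto, sport, dport = "ip", None, None
            src, i = _addr(t, 3)
            dst = ipaddress.IPv4Network("0.0.0.0/0")
        else:                                    # extended ACL
            proto = t[3]
            src, i = _addr(t, 4)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, i = _port(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], proto, src, dst, sport, dport))
    return acls

def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst \
                and a.sport in (None, sport) and a.dport in (None, dport):
            return a.action
    return "deny"

def classify_outbound(acls: Dict[str, List[Ace]], src: str, dst: str) -> Dict[str, bool]:
    """A LAN packet leaving Dialer0 in the posted design: ACL 100 (crypto map) decides
    whether it is encrypted, ACL 101 (route-map SDM_RMAP_1) whether it is NATted.
    IOS translates before it encrypts, so the 'deny' for the remote LAN in ACL 101
    is what keeps tunnel traffic un-NATted (IOS ordering, not stated in the thread)."""
    return {"encrypt": evaluate(acls["100"], "ip", src, dst) == "permit",
            "nat": evaluate(acls["101"], "ip", src, dst) == "permit"}

if __name__ == "__main__":
    posted, tight = parse_acls(CONFIG_AS_POSTED), parse_acls(CONFIG_TIGHTENED)
    for label, acl in (("posted", posted), ("tightened", tight)):
        print(f"TCP/3389 to server, {label} ACL 104:",
              evaluate(acl["104"], "tcp", "198.51.100.7", "203.0.113.145", 40000, 3389))
    print("LAN -> remote LAN:", classify_outbound(posted, "192.168.1.10", "192.168.0.20"))
    print("LAN -> Internet:  ", classify_outbound(posted, "192.168.1.10", "198.51.100.7"))
```

Running it shows a connection to an arbitrary TCP port on the server is permitted by the posted ACL 104 and denied by the tightened one, while port 80 still passes; and that a packet from 192.168.1.10 to the remote LAN is selected for encryption by ACL 100 but not for NAT by ACL 101, whereas one bound for the Internet is NATted and not encrypted. To try the same check against the real router, paste the actual access-list lines into CONFIG_AS_POSTED in place of the constructed ones.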
Ketan,
Can you do a little ASCII art to display what the network looks like. In particular, I’m wondering how your network is subnetted on either side of the DSL link. If you have a proxy server, someone may have forgotten to add the new subnet to the allowed range or possibly forgot to add a route back to it on the inside interface of the firewall.
You say that your servers point to the Public IP Address. Are you referring to their gateway address? That would certainly cause a problem as it wouldn’t be sending the packets back to the correct router…
Are you using an SDSL connection (up and down speeds are equivalent) on both ends of the connection? If it’s ADSL, it would explain your problem since the upload speeds are much lower than the download speeds.
Are you using static or dynamic routing on the routers? The network seems simple enough that you could use static routes. Make sure they are setup properly and that you can ping/traceroute to the main site from the remote site.
If everything there is correct, put a sniffer on the link to see what’s going across it. If you run into the DF bit being set, look at this article as a means to solve that if you have IOS Version 12.2 or later:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm
If you have 12.1.6 and higher, you can use one of the solutions in this article:
http://www.cisco.com/warp/public/105/56.html
Two other potentially helpful starting points:
PPPoE: http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html
Easy VPN setup on 2811:
http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c3270.html
Hope this helps,
Wayne
Thanks for analyzing the configuration file.
1. Traffic to encrypt and pass across the VPN Tunnel = match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
(what subnet is this going to? You should define the subnet if possible)
I believe 192.168.1.0 0.0.0.255 translates to local = 192.168.1.0 255.255.255.0 and 192.168.0.0 0.0.0.255 translates to remote = 192.168.0.0 255.255.255.0
2. Don't see a reference for this Access-list
access-list 1 permit 192.168.1.0 0.0.0.255
This access list is not used and I probably should take it out.
3. Briefly, the access-lists' overall objectives are as follows:
access-list 1 – Not assigned and not used. I should take it out
access-list 100 – Allowing VPN Traffic with "crypto map SDM_CMAP_1"
access-list 101 – For Dynamic NAT
access-list 102 – For Static NAT to support servers such as web server etc
access-list 103 – Firewall for inward bound traffic
access-list 104 – Firewall for outward bound traffic
The behaviour is identical even if I drop access-list 103 and 104 entirely, i.e. remove the firewall, to keep the problem definition simple.
I thank you again for taking the time to look at my issue.
Regards,
-ketan
Thanks Wayne.
Can you do a little ASCII art to display what the network looks like. In particular, I’m wondering how your network is subnetted on either side of the DSL link. If you have a proxy server, someone may have forgotten to add the new subnet to the allowed range or possibly forgot to add a route back to it on the inside interface of the firewall.
a)
          Local
          Web Server/Email Server/FTP Server
          192.168.1.4
               |
Local LAN--------Router----------- ------Router-----------Remote LAN
    |               |                    |                    |
192.168.1.0/24  AA.AA.AA.AA/29     BB.BB.BB.BB/32     192.168.0.0/24
b) I believe we do not have proxy server at the moment.
c) I could remove the firewall and the behaviour remains the same. (the firewall is through access-list 103 and 104 and both can be dropped)
You say that your servers point to the Public IP Address. Are you referring to their gateway address? That would certainly cause a problem as it wouldn’t be sending the packets back to the correct router…
a) The Public IP range assigned to us is: AA.AA.AA.144-AA.AA.AA.151.
The .144 and .151 are not usable.
The Gateway IP is .150
The Public IP for the servers is – .145
Are you using an SDSL connection (up and down speeds are equivalent) on both ends of the connection? If it’s ADSL, it would explain your problem since the upload speeds are much lower than the download speeds.
a) The connection is ADSL (384Kb Up/1.5Mb Down).
Are you using static or dynamic routing on the routers? The network seems simple enough that you could use static routes. Make sure they are setup properly and that you can ping/traceroute to the main site from the remote site.
a) I am using dynamic routing for all the PC’s except the one that is for web server/email server/ftp server for which I am using static routing.
If everything there is correct, put a sniffer on the link to see what’s going across it. If you run into the DF bit being set, look at this article as a means to solve that if you have IOS Version 12.2 or later:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm
If you have 12.1.6 and higher, you can use one of the solutions in this article:
http://www.cisco.com/warp/public/105/56.html
Two other potentially helpful starting points:
PPPoE: http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html
Easy VPN setup on 2811:
http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c3270.html
a) I will review these pointers. However, how do we do a sniffer?
Thank you very much again, Wayne.
Regards,
-ketan
It looks really odd for just a little SDSL config
I just skimmed over it, but it looks like your default gateway is a Dial on Demand routing, you are NATTING on the outside instead of the inside, and apparently, according to your remark statements on your ACLs, you have another Firewall on your perimeter.
Also you seem to be running CBAC, which is a mess to begin with. I never did like the CBAC configs on the 2600 series routers. They were never powerful enough to deal with the massive inspection lists and there were always problems with it.
Personally, and this is just a personal opinion and others will vary, but the PIX or your Firewall is a much better place to build your IPSEC Tunnel and perform your NAT translations.
If I get time I will look at your config closer.
Chris Weber
Layer9corp.com
I suspect you may be barking up the wrong tree.
A mapped drive under windows will often show blank when the share permissions and the file system permissions don’t match, or there is an authentication issue on the server end.
Bob
Ketan
I got your private message however it kinda made the configuration seem more odd. If indeed you are using Netopias and Linksys to terminate the tunnel ends then the config of the Cisco does not seem to make sense.
It is possible that this is a timeout issue as I suggested, but I would also pay real close attention to Bob’s suggestion. He is exactly right about mismatched permissions, and this could also be your problem.
I assumed you have permissions set correctly since you were focusing on the routing, and my answers are geared towards your connectivity and filtering concerns, but check out Bob's suggestion as well.
You also may want to pull out the Cisco device and try making the connections without the Tunnel. Just open IP all the way to the two systems on each side, and see if the problem is still there.
There is a lot in this picture that does not make sense, however, like the ATM, DDR and Inverse NAT on the 2811, etc. Try it without a tunnel first; that will let you know if it's a tunnel config or an authentication or permissions issue.
Chris Weber
Layer9corp.com