From: Robert Cuello (smdmokay@yahoo.com)
Date: Mon May 14 2007 - 22:29:09 ART
Look at the proctor guide, page 272.
Cisco Definition:
Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
So, since we are not running a routing protocol between R2 and R4 as per the workbook (Step 6, page 103), we do not need it. I took it out and still got the same results.
I left it in there to play with turning the routing protocol up and see what networks I would be able to see.
Thanks
Scott Morris <smorris@ipexpert.com> wrote:
Not having the SA is a problem.
Why do you have reverse route in there?
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE #153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPexpert VP - Curriculum Development
IPexpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
---------------------------------
From: Robert Cuello [mailto:smdmokay@yahoo.com]
Sent: Monday, May 14, 2007 8:38 PM
To: swm@emanon.com; smorris@ipexpert.com; 'Cisco certification'
Subject: RE: IPExpert R&S v9 Lab13.2 steps12-13
One more thing I noticed. When I do a:
R4# sh crypto ipsec sa
I do not get a:
1- Local ident
2- Inbound esp sas
3- Outbound esp sas
Thanks again
Robert Cuello <smdmokay@yahoo.com> wrote:
Hello all,
I'm stuck on steps 12-13 on the workbook. I have all the req config but I cannot ping across, even though R4 can see R2.
This is what I have:
2851-R2#
access-list 101 permit ip any host 150.50.24.4
access-list 101 permit ip any host 200.0.0.4
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ipexpert address 150.50.24.4
!
!
crypto ipsec transform-set R2R4 esp-des esp-sha-hmac
!
crypto map R2R4 1 ipsec-isakmp
set peer 150.50.24.4
set security-association lifetime seconds 1800
set transform-set R2R4
match address 101
reverse-route
!
!
interface Serial0/1/0.4 point-to-point
description FR to R4
ip address 150.50.24.2 255.255.255.0
ip ospf network point-to-point
ip ospf priority 100
frame-relay interface-dlci 104
crypto map R2R4
2851-R2#ping 150.50.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2851-R2#ping 200.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2851-R2#sh cdp neig de
On R4 I have:
2851-R4#
access-list 101 permit ip any host 150.50.24.2
access-list 101 permit ip any host 200.0.0.2
access-list 101 permit ip host 150.50.24.4 any
access-list 101 permit ip host 200.0.0.4 any
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ipexpert address 150.50.24.2
!
!
crypto ipsec transform-set R2R4 esp-des esp-sha-hmac
!
crypto map R2R4 1 ipsec-isakmp
set peer 150.50.24.2
set security-association lifetime seconds 1800
set transform-set R2R4
match address 101
reverse-route
interface Serial0/0/0.4 point-to-point
description FR to R2
ip address 150.50.24.4 255.255.255.0
ip ospf network point-to-point
ip ospf priority 0
frame-relay interface-dlci 401
crypto map R2R4
2851-R4#ping 200.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2851-R4#ping 150.50.24.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2851-R4#
2851-R4#sh cdp neighbors detail
-------------------------
Device ID: 2851-R2
Entry address(es):
IP address: 150.50.24.2
Platform: Cisco 2851, Capabilities: Router Switch IGMP
Interface: Serial0/0/0.4, Port ID (outgoing port): Serial0/1/0.4
Holdtime : 176 sec
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 25-Jan-07 12:50 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
If I take the access-list 101 out of R4 and try to ping, I get this message on R2:
*May 15 00:11:50.583: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /150.50.24.2, src_addr= 150.50.24.4 1
Thanks for your help in advance.
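Added example, not part of the thread above or of the IPexpert workbook: a small Python script that takes the two crypto ACLs exactly as posted for R2 and R4 and (1) checks them against Cisco's requirement that the crypto ACLs on two IPsec peers be mirror images of each other (otherwise quick mode fails on the proxy identities), listing every entry that has no mirror on the other side, and (2) lists the static routes that the reverse-route (RRI) behaviour described at the top of the thread would derive from each ACL: one route per remote proxy (the ACL destination) with the configured peer as next hop. The ACL text, ACL number and peer addresses are copied from the posted configs and embedded as constructed input; the parser only handles the any / host / address-wildcard forms of a numbered extended ACL, and entries whose remote proxy is any are skipped in the route listing, which is this example's own simplification, not a statement of what IOS installs for them.

```python
"""
Added example (not from the thread or the IPexpert workbook): check the
two crypto ACLs posted for R2 and R4 against Cisco's mirror-image
requirement and list the static routes reverse-route (RRI) would derive
from them.  ACL text, ACL number and peer addresses are copied from the
posted configs.
"""
import ipaddress
from dataclasses import dataclass

# Crypto ACLs exactly as posted in the thread (constructed input).
R2_ACL = """
access-list 101 permit ip any host 150.50.24.4
access-list 101 permit ip any host 200.0.0.4
"""
R4_ACL = """
access-list 101 permit ip any host 150.50.24.2
access-list 101 permit ip any host 200.0.0.2
access-list 101 permit ip host 150.50.24.4 any
access-list 101 permit ip host 200.0.0.4 any
"""
R2_PEER = "150.50.24.4"   # 'set peer' in R2's crypto map
R4_PEER = "150.50.24.2"   # 'set peer' in R4's crypto map


@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: ipaddress.IPv4Network   # local proxy identity
    dst: ipaddress.IPv4Network   # remote proxy identity

    def mirror(self):
        """The entry the peer must carry for this one: src and dst swapped."""
        return AclEntry(self.proto, self.dst, self.src)


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)   # wildcard is the inverted netmask
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text, number):
    """Return the permit entries of numbered extended ACL `number`, in order (deny lines are ignored)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", str(number), "permit"]:
            continue
        proto = tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(proto, src, dst))
    return entries


def unmirrored(local, remote):
    """Entries of `local` that have no mirror-image entry anywhere in `remote`."""
    remote_set = set(remote)
    return [e for e in local if e.mirror() not in remote_set]


def reverse_routes(entries, peer):
    """Static routes RRI derives: one per distinct remote proxy (ACL destination), next hop = peer.
    Entries whose remote proxy is 'any' are skipped; what IOS installs for a default remote
    proxy is not modelled here (assumption of this example)."""
    routes = []
    for e in entries:
        if e.dst.prefixlen == 0:
            continue
        route = (e.dst, ipaddress.IPv4Address(peer))
        if route not in routes:
            routes.append(route)
    return routes


def report():
    """Mirror check in both directions plus the RRI routes each side would install."""
    r2, r4 = parse_acl(R2_ACL, 101), parse_acl(R4_ACL, 101)
    return {
        "r2_unmirrored": unmirrored(r2, r4),
        "r4_unmirrored": unmirrored(r4, r2),
        "r2_rri": reverse_routes(r2, R2_PEER),
        "r4_rri": reverse_routes(r4, R4_PEER),
    }


if __name__ == "__main__":
    result = report()
    for side in ("r2", "r4"):
        for e in result[f"{side}_unmirrored"]:
            print(f"{side.upper()}: no mirror on the peer for 'permit {e.proto} {e.src} -> {e.dst}'")
        for net, nh in result[f"{side}_rri"]:
            print(f"{side.upper()}: RRI would install ip route {net} via {nh}")
```

Run as-is, the check finds that both R2 entries have their mirror on R4 (R4's lines 3 and 4), but R4's first two lines (any host 150.50.24.2 and any host 200.0.0.2) have no mirror on R2. Since IOS uses the first matching permit entry to form the quick-mode proxy identities, a packet R4 originates toward 150.50.24.2, such as its own ping, is matched by that first line and proposes any/150.50.24.2, which R2's ACL has nothing to accept against. Whether that is what is failing in the lab cannot be told from the thread alone (no SA shows up at all, which is the point Scott's reply makes), but lining the two ACLs up is the first thing to do before looking at reverse-route. The route listing also shows what RRI buys you with these ACLs: on R2 it would install 150.50.24.4/32 and 200.0.0.4/32 via 150.50.24.4, i.e. a host route for the peer's own address pointed at the peer, which is what you get when the crypto ACL names the tunnel endpoint itself as the protected host.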
---------------------------------
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:21 ART