Looked at your other two routers.

You can remove the ip route 192.... from the Mexico 2 router, II-LRM. That
router has one connection to the rest of the world. The default 0.0.0.0 etc
route will take care of all.

You can get the Amsterdam router to talk to 172.29.10.0 via the VPN
In Amsterdam add to access-list 100
access-list 100 permit ip 172.29.30.0 0.0.0.255 172.29.10.0 0.0.0.255
The above is the list of addresses permitted to traverse the VPN.
And add to access-list 101
access-list 101 deny ip 172.29.30.0 0.0.0.255 172.29.10.0 0.0.0.255
The above is the list of connections that should not be NATed.

In the US add the reciprocal.
Add to access-list 100
access-list 100 permit ip 172.29.10.0 0.0.0.255 172.29.30.0 0.0.0.255
and to access-list 101
access-list 101 deny ip 172.29.10.0 0.0.0.255 172.29.30.0 0.0.0.255

In Amsterdam I see no need for the "ip route 172.29.40.0 255.255.255.0
192.168.100.15". You are not permitting traffic to 172.29.40.0 over the VPN.
The 172.29.x.x addresses will not route over the Internet - nor will
192.168.x.x.
You might tell us what is intended. We can try for a solution.

The crypto map statement in the US router "set peer a.b.c.d" does not match
with the fragment address you have for the outside address of the Amsterdam
router. Is the VPN working? 

I see no need for the first lines of access-list 100 in either Amsterdam or
in the US. There are no internal addresses using 64.x.x.x in the US.

All routers have an enable password - not an enable secret. I hope you cut
the enable secrets when you posted the configs. Enable secret passwords have
strong encryption. Enable passwords can be easily broken. You can take the
encrypted value of an enable password or a con or vty password (the latter
two assuming that you have the "service password-encryption" line in your
config) and paste it into the following site. It will immediately give you
the unencrypted value. http://www.securitystats.com/tools/ciscocrack.asp

You might want to do some study on security.

> -----Original Message-----
> From: CTM CTM [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 19, 2002 10:17 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Two Interfaces = Extremely Slow Ping [7:53266]
> 
> 
> Hi,
> 
> I removed the "ip http server" from all routers.
> I also removed the "ip nat inside" from the first Mexico router.
> So far so good.
> But when I did a "no ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300" I
> immediately lost connection to the router and am now trying to reach someone
> down there to reboot it
> not good, as it should have been issued for 192.168.100.20
> 
> So still working on clean up for that box.
> 
> In Amsterdam:
> I could really, really use a VPN connection between 172.29.30.0 and
> 172.29.10.0 subnets so will look at that while I wait for the Mexico router
> to be rebooted.
> 
> (yes, somewhat over my head here, but shall persevere)
> 
> 
> Daniel Cotts wrote:
> > 
> > You have a static NAT translation for 192.168.100.20 on both
> > routers. I'd
> > suggest removing it from the Mexican router.
> > 
> > You haven't said whether or not you are doing standard or
> > extended pings.
> > Whether you are pinging from a host or the routers.
> > Do a traceroute when the pings are fast and when they are slow.
> > See where
> > the packets are going. You might want to do a "sh ip route" in
> > each
> > condition.
> > Some small housekeeping:
> > Mexican router:
> > I see no need for the "ip nat inside" on the Serial0/0:0.300
> > subinterface.
> > Nothing from that interface meets the conditions of access-list
> > 101.
> > You can remove the "ip policy route-map nonat from
> > subinterfaces 0/0:0.300
> > and 0/0:0.301 . There is no route-map in the config.
> > You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have
> > 192.168.100.0
> > on F0/1 in SC-SAN. You still have a NAT static in Mexico for the
> > 192.168.100.20 host. Might be good to remove that static
> > mapping and remove
> > the unused address completely from the interface to avoid
> > confusion.
> > "ip http server" can be a security hole.
> > 
> > SC-SAN router:
> > VPN connection to 172.29.30.0 uses access list 100 to define
> > allowed
> > traffic. I don't understand the first line of that list. Does
> > it refer to
> > the NAT pool of addresses? If so, how do they work inside? If
> > not, who are
> > they? Who is really allowed access to 172.29.30.0?
> > Again the ip policy and route-map statements aren't doing
> > anything. There is
> > an issue that could use a route-map. The users in 172.29.30.0
> > can't reach
> > the statically NATed servers 192.168.100.20 & 135 over the VPN.
> > There is a
> > way to solve that problem (if it is a problem.)
> > Keep us posted on your progress. I would like to know the
> > solution.
> > 
> > > -----Original Message-----
> > > From: Sammi Dog [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, September 13, 2002 5:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266]
> > > 
> > > 
> > > I would appreciate any and all comments.
> > 
> > > > From: "Chris McNally"
> > > > Hi all,
> > > > We have one router in the U.S. and one in Mexico. They are connected to
> > > > each other via frame relay and they each have their own internet portal.
> > > > When the Mexico router is disconnected from its internet interface the
> > > > ping returns between U.S. are averaging 70ms but when they plug in their
> > > > internet side the ping returns shoot above 500ms and often hit 800.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53780&t=53266
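A small config audit, added here as an example and not part of anyone's post in this thread, that checks the two points Daniel raises above: every source/destination pair the crypto ACL (100) permits into the VPN must also be denied in the NAT ACL (101), otherwise the packets are translated before they can match the tunnel; and the router should use "enable secret" rather than a type 7 "enable password". The config fragment is constructed for the example (ACL numbers 100/101 and the 172.29.30.0 / 172.29.10.0 subnets are taken from the thread; the password value is a placeholder).

```python
import re

# Constructed IOS fragment modelled on the thread's Amsterdam router.
# It deliberately lacks the NAT-exemption deny that the reply asks for.
AMSTERDAM_CFG = """\
enable password 7 0123456789ABCD
service password-encryption
ip http server
access-list 100 permit ip 172.29.30.0 0.0.0.255 172.29.10.0 0.0.0.255
access-list 101 permit ip 172.29.30.0 0.0.0.255 any
"""

# Matches "access-list N permit|deny ip <src> <dst>" where each side is
# either "any" or "network wildcard-mask".
ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def parse_acls(cfg):
    """Return {acl_number: [(action, src, dst), ...]} from a config text."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(num, []).append((action, src, dst))
    return acls


def missing_nat_exemptions(cfg, crypto_acl="100", nat_acl="101"):
    """Pairs permitted by the crypto ACL that the NAT ACL does not deny.

    Traffic NATed on the way out no longer carries its inside address, so
    it never matches the crypto ACL and never enters the tunnel."""
    acls = parse_acls(cfg)
    vpn_pairs = [e[1:] for e in acls.get(crypto_acl, []) if e[0] == "permit"]
    nat_denies = {e[1:] for e in acls.get(nat_acl, []) if e[0] == "deny"}
    return [p for p in vpn_pairs if p not in nat_denies]


def audit_passwords(cfg):
    """Flag the password and management weaknesses discussed in the thread."""
    lines = [l.strip() for l in cfg.splitlines()]
    findings = []
    if (any(l.startswith("enable password") for l in lines)
            and not any(l.startswith("enable secret") for l in lines)):
        findings.append("enable password without enable secret (type 7 is reversible)")
    if "service password-encryption" not in lines:
        findings.append("service password-encryption missing")
    if "ip http server" in lines:
        findings.append("ip http server enabled")
    return findings
```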