Site-to-Site VPN

Unanswered Question
Feb 5th, 2007

Hi All,

I have been working this out for the past week.

Hope maybe someone can help me configure this site-to-site VPN connection.

BTW, I'm practically a newbie. I've just been following the examples here at Cisco but still can't make it work.

Appreciate the help

Jon Marshall Mon, 02/05/2007 - 05:00

Hi

Could you tell me which VPN you are trying to create? Looking at your configs, PixConfig_05-02-07-forum.txt does not have a crypto map entry for the peer 210.187.121.219.

Also, you shouldn't post config details which include the ISAKMP keys, as these are your main level of security. Most people just blank out the key, and often the public IP addresses, in their config.

Jon

cpadillatycofs Mon, 02/05/2007 - 05:09

vpn 20 for peer 210.187.121.219

I want to connect it with this:

vpn 20 for peer 203.125.255.162

I thought I had removed the sensitive info; I'll delete the config files from my post.

Jon Marshall Mon, 02/05/2007 - 05:33

On PixConfig:

crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 set peer 210.187.121.219
crypto map vpn 20 set transform-set ESP-3DES-MD5
crypto map vpn 20 match address "access-list name"

You need to create the access-list that matches the tyco-sing access-list on PixConfig2, but swap the subnets around in the access-list.

On PixConfig2:

crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address tyco-sing   ** see below
crypto map vpn 20 set peer 203.125.255.162
crypto map vpn 20 set transform-set TFSSET

*** Do you want to NAT the clients between the sites or not?

At present your clients on PixConfig2, i.e. any client on the 10.47.1.0 subnet, are NATted to 210.187.121.219. If you intend to do this then you will need to change the access-list tyco-sing on PixConfig2 to:

access-list tyco-sing permit ip host 210.187.121.219 10.47.15.0 255.255.255.0
access-list tyco-sing permit ip host 210.187.121.219 10.47.12.0 255.255.255.0
access-list tyco-sing permit ip host 210.187.121.219 10.47.14.0 255.255.255.0

Let me know what you want to do about NATting, if you know.

HTH

Jon

cpadillatycofs Mon, 02/05/2007 - 06:23

Hi Jon,

Thanks for your help, there are a lot of improvements now.

These are the changes made:

PIX1

access-list nonat permit ip host 10.47.14.24 10.47.1.0 255.255.255.0
access-list TycoMalaysia permit ip host 10.47.14.24 10.47.1.0 255.255.255.0
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address TycoMalaysia
crypto map vpn 20 set peer 210.187.121.219
crypto map vpn 20 set transform-set ESP-3DES-MD5

PIX2

access-list nonat permit ip 10.47.1.0 255.255.255.0 10.47.14.0 255.255.254.0
access-list tyco-sing permit ip 10.47.1.0 255.255.255.0 10.47.14.0 255.255.254.0
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address tyco-sing
crypto map vpn 20 set peer 203.125.255.162
crypto map vpn 20 set transform-set TFSSET

I'm really not sure about the NATting.

What I actually want is for the 10.47.14.0 network to be able to access the 10.47.1.0 network using the VPN tunnel.

We also have this now:

tyco-singapore(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src         state     pending   created
  210.187.121.219   203.125.255.162   QM_IDLE      0         0

Thanks again for your help
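The two requirements Jon's earlier post spells out, that the crypto ACL on one peer be the mirror image of the crypto ACL on the other and that tunnel traffic be kept out of NAT (the nonat ACL), can be checked mechanically before looking at the ISAKMP state. The script below is an added example written for this thread, not code from the posts or from Cisco. It parses `access-list NAME permit ip SRC DST` lines in the PIX syntax used above (`host A.B.C.D` or `NETWORK MASK`), builds the mirror of one side's crypto ACL, and reports whether the other side matches and whether each side's nonat ACL covers its crypto ACL. PIX1_POSTED and PIX2_POSTED are the ACL lines from the last post; PIX1_MIRRORED is a constructed, hypothetical variant in which PIX1 references the same 10.47.14.0/23 network that PIX2 does, so the mirror check passes. The script only checks that the two configs agree with each other; it says nothing about which addressing the network actually needs.

```python
"""Mirror-image check for PIX site-to-site crypto ACLs and NAT-exemption ACLs.

Added example for this thread; not code from the original posts or from Cisco.
Parses the `access-list NAME permit ip SRC DST` lines that appear in the thread
(each side is either `host A.B.C.D` or `NETWORK MASK`) and checks:
  1. the crypto ACL on one peer is the exact mirror of the other peer's crypto
     ACL (proxy IDs must match with source and destination swapped);
  2. the nonat ACL covers every crypto ACL entry, so tunnel traffic is exempt
     from NAT before it is encrypted.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]

# One address operand: `host A.B.C.D` or `NETWORK MASK` (PIX 6.x syntax).
_ADDR = r"(?:host\s+(\d+\.\d+\.\d+\.\d+)|(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+))"
_LINE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+" + _ADDR + r"\s+" + _ADDR + r"$")


def _to_net(host: str, network: str, mask: str) -> Net:
    """Build a network from either the `host` form or the `network mask` form."""
    if host:
        return ipaddress.IPv4Network(host + "/32")
    return ipaddress.IPv4Network(f"{network}/{mask}")  # dotted masks are accepted


def parse_acl(config: str, name: str) -> List[Entry]:
    """Return (src, dst) pairs for the `permit ip` lines of ACL `name` in `config`."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        m = _LINE.match(raw.strip())
        if m and m.group(1) == name:
            src = _to_net(m.group(2), m.group(3), m.group(4))
            dst = _to_net(m.group(5), m.group(6), m.group(7))
            entries.append((src, dst))
    return entries


def mirror(entries: List[Entry]) -> List[Entry]:
    """The ACL the other peer must carry: the same pairs with src and dst swapped."""
    return [(dst, src) for src, dst in entries]


def is_mirror(local: List[Entry], remote: List[Entry]) -> bool:
    """True when `remote` is exactly the mirror of `local` (order ignored)."""
    return bool(local) and set(mirror(local)) == set(remote)


def nonat_covers(nonat: List[Entry], crypto: List[Entry]) -> bool:
    """True when every crypto entry falls inside some nonat entry."""
    return all(
        any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
        for s, d in crypto
    )


def check_tunnel(cfg_a: str, crypto_a: str, cfg_b: str, crypto_b: str,
                 nonat: str = "nonat") -> Dict[str, bool]:
    """Run both checks on a pair of peer configs."""
    acl_a, acl_b = parse_acl(cfg_a, crypto_a), parse_acl(cfg_b, crypto_b)
    return {
        "crypto_mirrored": is_mirror(acl_a, acl_b),
        "nonat_ok_a": nonat_covers(parse_acl(cfg_a, nonat), acl_a),
        "nonat_ok_b": nonat_covers(parse_acl(cfg_b, nonat), acl_b),
    }


# The ACL lines as posted for PIX1 and PIX2 in the thread.
PIX1_POSTED = """\
access-list nonat permit ip host 10.47.14.24 10.47.1.0 255.255.255.0
access-list TycoMalaysia permit ip host 10.47.14.24 10.47.1.0 255.255.255.0
"""
PIX2_POSTED = """\
access-list nonat permit ip 10.47.1.0 255.255.255.0 10.47.14.0 255.255.254.0
access-list tyco-sing permit ip 10.47.1.0 255.255.255.0 10.47.14.0 255.255.254.0
"""
# Constructed (hypothetical) PIX1 ACLs that mirror PIX2's /23 entry exactly.
PIX1_MIRRORED = """\
access-list nonat permit ip 10.47.14.0 255.255.254.0 10.47.1.0 255.255.255.0
access-list TycoMalaysia permit ip 10.47.14.0 255.255.254.0 10.47.1.0 255.255.255.0
"""

if __name__ == "__main__":
    print("as posted :", check_tunnel(PIX1_POSTED, "TycoMalaysia", PIX2_POSTED, "tyco-sing"))
    print("mirrored  :", check_tunnel(PIX1_MIRRORED, "TycoMalaysia", PIX2_POSTED, "tyco-sing"))
```

Run as posted, the script reports the nonat ACLs as consistent with their crypto ACLs on both boxes but the crypto ACLs as not mirrored (a /32 host on one side against a /23 on the other). That distinction matters when reading the `show crypto isakmp sa` output above: an SA in QM_IDLE only shows that Phase 1 completed, and mismatched proxy identities are a common reason Phase 2 then fails to come up.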
