site-to-site VPN tunnel

Unanswered Question

We created a VPN tunnel between our head office and a remote branch. We can ping the outside interface of the remote branch PIX and vice versa. The problem we have now is that we can't ping the remote branch's subnet.

Here are the configs we're using on the head office firewall.

crypto ipsec transform-set Fiji esp-3des esp-sha-hmac
crypto map bsp002 7 ipsec-isakmp
crypto map bsp002 7 match address 170
crypto map bsp002 7 set pfs group2
crypto map bsp002 7 set peer 202.165.201.226
crypto map bsp002 7 set transform-set Fiji
crypto map bsp002 7 set security-association lifetime seconds 3600 kilobytes 8000

isakmp key ******** address 202.165.201.226 netmask 255.255.255.255 no-xauth no-config-mode

access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0


It's the same network. We only want the remote branch subnet to have access to the head office subnet.

What are we missing? Please help.

acomiskey Tue, 03/20/2007 - 05:36
User Badges:
  • Green, 3000 points or more

Do you have a NAT exemption for the VPN? Something similar to...

access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound


Kamal Malhotra Tue, 03/20/2007 - 08:05
User Badges:
  • Cisco Employee,

Hi,


First of all, does the tunnel come up? If not, did you try to capture the debugs, and what do they say? Could you post the complete configs of the head office and branch office firewalls?


Regards,


Kamal

acomiskey Tue, 03/20/2007 - 18:23
User Badges:
  • Green, 3000 points or more

With the above config, the outside interface of the remote branch PIX would not be part of the tunnel. The fact that you can ping it only proves you have connectivity to it.

acomiskey Tue, 03/20/2007 - 18:21
User Badges:
  • Green, 3000 points or more

There are two ACLs in a LAN-to-LAN tunnel. One, which you have already specified, is the crypto ACL, which defines traffic destined for the tunnel. The second is the NAT exemption ACL, which will exempt that traffic from the NAT process. In most cases it is identical to the crypto ACL.

Headoffice:

access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (crypto acl)
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (nat exemption acl)
nat (inside) 0 access-list inside_nat0_outbound

RemoteOffice:

access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (crypto acl)
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (nat exemption acl)
nat (inside) 0 access-list inside_nat0_outbound

acomiskey Wed, 03/21/2007 - 05:38
User Badges:
  • Green, 3000 points or more

The nat 0 will only apply to the traffic which is specified in the corresponding ACL. For instance, traffic from 192.168.32.0 to 192.168.45.0 and vice versa.

ggilbert Wed, 03/21/2007 - 05:41
User Badges:
  • Cisco Employee,

It might, if you have another NAT exemption ACL: if you implement what Adam said, it might break the old ones, if you have anything configured for NAT exemption on them.


If you already have a NAT exemption ACL, please add the networks just like Adam said to the existing NAT exemption.


Hope this helps.


Thanks

Gilbert

acomiskey Thu, 03/22/2007 - 05:49
User Badges:
  • Green, 3000 points or more

Yes, you can add to the existing ACL. But what Gilbert was getting at is that you DO NOT want to create a second nat 0 ACL and attempt to do another nat (inside) 0 command.
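
The two rules the thread settles on (the NAT exemption ACL must cover every crypto ACL entry, the peer's crypto ACL must be the mirror image, and there must be only one nat (inside) 0 binding) can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread or from Cisco: it parses the relevant PIX lines from constructed sample configs (the head office config from the question plus a remote config built from acomiskey's suggested entries, with the NAT exemption deliberately left out) and reports the same gaps the replies point at. It assumes plain "permit ip" entries with standard masks and the pre-7.0 "nat (inside) 0 access-list" syntax used in this thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs: only the lines relevant to the crypto ACL and NAT exemption.
HEADOFFICE_CFG = """
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map bsp002 7 match address 170
"""

# Remote config with the crypto ACL mirrored but no NAT exemption (the suspected state).
REMOTE_CFG = """
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
crypto map bsp002 7 match address 170
"""

# Remote config where someone added a second nat 0 binding instead of extending the old ACL.
REMOTE_CFG_TWO_NAT0 = """
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
crypto map bsp002 7 match address 170
access-list old_nat0 permit ip 192.168.45.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list old_nat0
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list\s+(\S+)$")


def parse_acls(cfg):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' entries."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls


def crypto_acl_names(cfg):
    """ACL names referenced by 'crypto map ... match address'."""
    names = set()
    for line in cfg.splitlines():
        m = CRYPTO_MATCH_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def nat0_acl_names(cfg, interface="inside"):
    """ACL names bound by 'nat (interface) 0 access-list ...', in order of appearance."""
    names = []
    for line in cfg.splitlines():
        m = NAT0_RE.match(line.strip())
        if m and m.group(1) == interface:
            names.append(m.group(2))
    return names


def check_config(cfg, interface="inside"):
    """Findings for one firewall: a single nat 0 binding whose ACL covers every crypto ACL entry."""
    findings = []
    acls = parse_acls(cfg)
    nat0 = nat0_acl_names(cfg, interface)
    if not nat0:
        findings.append(f"no 'nat ({interface}) 0 access-list' statement: tunnel traffic is not NAT-exempt")
    elif len(nat0) > 1:
        findings.append(f"more than one 'nat ({interface}) 0' statement ({', '.join(nat0)}): "
                        "add the entries to the existing NAT exemption ACL instead")
    # Union of all bound ACLs, used only to report coverage of the crypto ACL entries.
    exempt = [e for name in nat0 for e in acls.get(name, [])]
    for name in crypto_acl_names(cfg):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"crypto ACL {name} entry {src} -> {dst} has no matching NAT exemption entry")
    return findings


def check_pair(local_cfg, remote_cfg):
    """The peer's crypto ACL must mirror the local one (source and destination swapped)."""
    findings = []
    local_acls, remote_acls = parse_acls(local_cfg), parse_acls(remote_cfg)
    local = {e for n in crypto_acl_names(local_cfg) for e in local_acls.get(n, [])}
    remote = {e for n in crypto_acl_names(remote_cfg) for e in remote_acls.get(n, [])}
    for src, dst in local:
        if (dst, src) not in remote:
            findings.append(f"local crypto entry {src} -> {dst} has no mirror {dst} -> {src} on the peer")
    for src, dst in remote:
        if (dst, src) not in local:
            findings.append(f"peer crypto entry {src} -> {dst} has no mirror {dst} -> {src} locally")
    return findings


if __name__ == "__main__":
    for label, cfg in (("headoffice", HEADOFFICE_CFG), ("remote", REMOTE_CFG),
                       ("remote (two nat 0)", REMOTE_CFG_TWO_NAT0)):
        print(label, check_config(cfg) or ["ok"])
    print("pair", check_pair(HEADOFFICE_CFG, REMOTE_CFG) or ["mirrored"])
```

Run against the constructed inputs, the head office config passes, the remote config is flagged for the missing nat 0 binding (and therefore for the uncovered crypto ACL entry), the second remote variant is flagged for having two nat (inside) 0 statements, and the pair check confirms the two crypto ACLs mirror each other. The coverage test uses subnet containment rather than exact equality, so a NAT exemption entry written for a larger summary network still counts as covering a narrower crypto ACL entry.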

ggilbert Thu, 03/22/2007 - 05:53
User Badges:
  • Cisco Employee,

Thanks for clarifying Adam :)


Cheers

Gilbert

acomiskey Thu, 03/22/2007 - 06:17
User Badges:
  • Green, 3000 points or more

No problem. 5 points for pointing that out.
