VPN Tunnel comes up, but traffic will not travel

Answered Question

Can't understand why this is not working. I perform extended pings, but it will not ping at all, when before it did. I did make some changes since a new T1 was installed. Anyone take a quick peek at this config...

------------------------------

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYKEY address YYY.YYY.YYY.YYY
!
crypto ipsec transform-set TUNNELSET esp-3des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer YYY.YYY.YYY.YYY
 set transform-set TUNNELSET
 match address BIZ-hq
!
interface Loopback1
 ip address XXX.XXX.XXX.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map TUNNEL
 crypto ipsec df-bit clear
!
interface FastEthernet0/0/3
 description LOCAL_LAN_INTERFACE
!
interface Serial0/1/0
 ip address XXX.XXX.XXX.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Vlan1
 ip address 192.168.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1
!
ip nat pool T1 XXX.XXX.XXX.9 XXX.XXX.XXX.9 netmask 255.255.255.248
ip nat inside source route-map nonat pool T1 overload
!
ip access-list extended DONOTNAT
 deny   ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 deny   ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 any
ip access-list extended BIZ-hq
 permit ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 20 permit NN.NN.162.160 0.0.0.31
access-list 20 permit NN.NN.197.192 0.0.0.31
access-list 20 permit 192.168.150.0 0.0.0.255
access-list 20 permit 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address DONOTNAT



Correct Answer by oabduo983, Mon, 05/14/2007 - 10:28

You need to make sure that the set peer x.x.x.x and crypto isakmp key xxxx address x.x.x.x on the other router are actually pointing to the new IP address of your router...

Yes, you can terminate on the loopback interface; the command to do this is:

crypto map map-name local-address interface-id

where your interface ID will be your loopback interface...

For more information on this command, please refer to the following link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7b6.html#wp1018189

Please rate this post if it helps!

Regards,
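As an added illustration (not part of the original post or the answer above), this is how the local-address command the answer refers to would be applied to the poster's own configuration. It assumes Serial0/1/0 is the interface the LAN traffic actually leaves on and that the remote peer is configured for the Loopback1 address (XXX.XXX.XXX.9). In IOS a crypto map only acts on traffic passing through an interface it is applied to, so a map that sits only on a loopback never sees the LAN-to-HQ packets; local-address lets the tunnel endpoint stay on the loopback while the map is bound to the physical egress interface.

```cisco
! Added example, not from the original post or the answer.
! Assumes Serial0/1/0 is the egress interface and that the remote peer's
! "set peer" and "crypto isakmp key ... address" point at XXX.XXX.XXX.9.
!
! Source ISAKMP and IPsec from the loopback address...
crypto map TUNNEL local-address Loopback1
!
! ...and bind the map to the interface the traffic really exits through.
! The map can stay on Loopback1 as well; with local-address set, both
! bindings use the same identity towards the peer.
interface Serial0/1/0
 crypto map TUNNEL
!
! Verification from exec mode while running the extended ping:
!   show crypto map          - lists "Interfaces using crypto map TUNNEL" and the local address
!   show crypto isakmp sa    - phase 1 should sit in QM_IDLE
!   show crypto ipsec sa     - "#pkts encaps" / "#pkts decaps" must increment;
!                              encaps rising with decaps at zero points at the far end
```

The NAT exemption already matches: the two deny lines in DONOTNAT mirror the two permit lines in the BIZ-hq crypto ACL, so the interesting traffic reaches the crypto map with its private source address intact. If those two lists ever drift apart (for example a subnet added to BIZ-hq but not denied in DONOTNAT), the traffic is translated to the pool address before encryption, no longer matches the crypto ACL, and silently bypasses the tunnel.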
