05-14-2007 04:36 AM
Can't understand why this is not working. I perform extended pings, but it will not ping at all when before it did. I did make some changes since a new T1 was installed. Anyone take a quick peek at this config....
------------------------------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYKEY address YYY.YYY.YYY.YYY
!
crypto ipsec transform-set TUNNELSET esp-3des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer YYY.YYY.YYY.YYY
 set transform-set TUNNELSET
 match address BIZ-hq
!
interface Loopback1
 ip address XXX.XXX.XXX.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map TUNNEL
 crypto ipsec df-bit clear
!
interface FastEthernet0/0/3
 description LOCAL_LAN_INTERFACE
!
interface Serial0/1/0
 ip address XXX.XXX.XXX.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Vlan1
 ip address 192.168.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1
!
ip nat pool T1 XXX.XXX.XXX.9 XXX.XXX.XXX.9 netmask 255.255.255.248
ip nat inside source route-map nonat pool T1 overload
!
ip access-list extended DONOTNAT
 deny ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 deny ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 any
ip access-list extended BIZ-hq
 permit ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 20 permit NN.NN.162.160 0.0.0.31
access-list 20 permit NN.NN.197.192 0.0.0.31
access-list 20 permit 192.168.150.0 0.0.0.255
access-list 20 permit 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address DONOTNAT
05-14-2007 05:58 AM
The VPN tunnel used to work until I moved to a different ISP, for which I'm using a loopback as the tunnel endpoint. Is this even possible?
05-14-2007 10:28 AM
You need to make sure that set peer x.x.x.x and crypto isakmp key xxxx address x.x.x.x on the other router are actually pointing to the new IP address of your router...
Yes, you can terminate on the loopback interface; the command to do this is:
crypto map map-name local-address interface-id
where your interface-id will be your loopback interface...
For more information on this command, please refer to the following link:
Please rate this post if it helps!
Regards,
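
The local-address command from the reply above, filled in with the names from the posted config, as an added example that is not part of the original thread. It assumes Serial0/1/0 is the interface that traffic to the peer leaves through, and it moves the crypto map there, because a crypto map only acts on traffic that exits the interface it is applied to.

```cisco
! Added example, not from the thread. TUNNEL, Loopback1, Serial0/1/0 and MYKEY
! come from the posted config; treating Serial0/1/0 as the peer-facing
! interface is an assumption.
!
! Global command: source IKE and IPsec for this crypto map from the
! loopback's address instead of the address of the egress interface.
crypto map TUNNEL local-address Loopback1
!
! Remove the map from the loopback, since routed traffic never exits there.
interface Loopback1
 no crypto map TUNNEL
!
! Apply the map to the interface the default route actually uses.
interface Serial0/1/0
 crypto map TUNNEL
!
! On the remote router, both of these must name the loopback's address
! (XXX.XXX.XXX.9 in the posted config), as the reply points out:
!   crypto isakmp key MYKEY address XXX.XXX.XXX.9
!   set peer XXX.XXX.XXX.9
!
! Checks from exec mode after generating interesting traffic
! (for example an extended ping sourced from Vlan1):
!   show crypto map
!   show crypto isakmp sa
!   show crypto ipsec sa
```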
05-14-2007 11:38 AM
I found out about this command a few hours ago. Thank you though.
05-22-2007 05:57 AM
After adding the line as recommended, it changed nothing.