
VPN created, but cannot ping

qianlei273
Level 1

We use two Cisco 1841 routers to link two LANs.

The LAN1 router:

inside ip 192.168.100.100

outside ip 10.3.13.100, gateway 10.3.13.254

The LAN2 router:

inside ip 192.168.1.60

outside ip 10.3.38.100, gateway 10.3.38.1

Now we have created the VPN as per the document.

Using debug crypto isakmp, IKE phase 2 is OK.

Using show crypto session, the VPN is active.

Using show crypto engine connections active, there are only encrypted packets; there is no decrypted data.

Now the problem is that the external hosts cannot ping each other.

It is very strange, can anyone help?

4 Replies

qianlei273
Level 1

LAN1 router config

crypto isakmp policy 50
 hash md5
 authentication pre-share
crypto isakmp key XXXX address 10.3.38.100
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 10.3.38.100
 set transform-set myset
 match address 106
!
!
interface FastEthernet0/0
 ip address 192.168.100.100 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.3.13.100 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
!
ip route 10.3.38.0 255.255.255.0 10.3.13.254
ip route 192.168.1.0 255.255.255.0 10.3.38.100
!
access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

LAN2 router config

crypto isakmp policy 50
 hash md5
 authentication pre-share
crypto isakmp key XXXX address 10.3.13.100
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 10.3.13.100
 set transform-set myset
 match address 106
!
!
interface FastEthernet0/0
 ip address 192.168.1.60 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.3.38.100 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
!
ip route 10.3.13.0 255.255.255.0 10.3.38.1
ip route 192.168.100.0 255.255.255.0 10.3.13.100
!
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

Can you reconfigure the static route(s) as follows and test?

Router 1:

ip route 192.168.1.0 255.255.255.0 10.3.13.254

Router 2:

ip route 192.168.100.0 255.255.255.0 10.3.38.1

Moreover, why is the crypto map not applied to the outside interface?

HTH

Sundar

Ok,

We need to go to the site to do the test tomorrow.

The outside interface has the crypto map.

Thanks
