Configuration help for 2nd lan to lan vpn link


Hello,


I have successfully configured a lan to lan vpn link between two offices. I am attempting to add another link to a 3rd office from my home office but am having some trouble. I have attached my configuration and am hoping someone can help me fix my problem. Right now I have a working vpn to 172.16.0.0/24 network and am trying to set up the link to 172.16.3.0/24 as well. To the new vpn connection I can ping the outside interfaces but can't ping anything internally.


Thanks for your time and help,

Jason



Correct Answer by Richard Burts, Sun, 08/24/2008 - 12:25

Jason


There is one significant mistake that is easy to fix. You have correctly created a second instance of the crypto map to create a VPN tunnel to the second site. But as currently configured both instances of the crypto map use the same access list:

crypto map clientmap 1 ipsec-isakmp
 match address 100
crypto map clientmap 5 ipsec-isakmp
 match address 100

But each VPN session/tunnel needs its own access list. So I suggest that you make the following changes:

crypto map clientmap 5 ipsec-isakmp
 match address 101
no access-list 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255


This provides a separate access list for each session/tunnel and should resolve that issue. Give it a try and let us know the result.


HTH


Rick
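The mistake Rick describes (two sequence numbers of one crypto map pointing at the same crypto ACL) is easy to catch mechanically before a change is pushed. The script below is an added example, not code from the thread or from Cisco: it parses the `crypto map ... ipsec-isakmp` / `match address` / `access-list ... permit ip` lines of an IOS configuration and reports (a) an ACL shared by two instances of the same map and (b) two instances whose ACL entries overlap, which IOS resolves by sequence order so the lower sequence silently claims the traffic. The sample configurations are constructed from the thread's own addresses; the overlap sample (a /16 wildcard on one peer) goes beyond the thread's case and is an assumption for illustration.

```python
"""Lint Cisco IOS crypto-map definitions for crypto ACLs that are shared
between map instances or that overlap each other.  Added example; the
configurations below are constructed, not taken from a real router."""
import re
from ipaddress import ip_network

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
MATCH_RE = re.compile(r"^\s+match address (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$")

# Constructed: the shape of the configuration diagnosed in the thread.
BROKEN_CONFIG = """\
crypto map clientmap 1 ipsec-isakmp
 match address 100
crypto map clientmap 5 ipsec-isakmp
 match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""

# Constructed: the configuration after applying the suggested change.
FIXED_CONFIG = """\
crypto map clientmap 1 ipsec-isakmp
 match address 100
crypto map clientmap 5 ipsec-isakmp
 match address 101
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""

# Constructed (assumption, not from the thread): separate ACLs whose
# destinations still overlap because the first peer's ACL is too broad.
OVERLAP_CONFIG = """\
crypto map clientmap 1 ipsec-isakmp
 match address 100
crypto map clientmap 5 ipsec-isakmp
 match address 101
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""


def parse_config(text):
    """Return ({(map_name, seq): acl_id}, {acl_id: [(src_net, dst_net), ...]})."""
    instances, acls, current = {}, {}, None
    for line in text.splitlines():
        m = CRYPTO_MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            instances.setdefault(current, None)
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            instances[current] = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            acl, src, src_wc, dst, dst_wc = m.groups()
            # ipaddress accepts Cisco wildcard (host) masks such as 0.0.0.255
            acls.setdefault(acl, []).append(
                (ip_network(f"{src}/{src_wc}"), ip_network(f"{dst}/{dst_wc}")))
            continue
        if not line.startswith(" "):
            current = None  # left the crypto-map submode
    return instances, acls


def shared_acls(instances):
    """Crypto ACLs referenced by more than one sequence of the same map."""
    users = {}
    for (name, seq), acl in instances.items():
        if acl is not None:
            users.setdefault((name, acl), []).append(seq)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


def overlapping_entries(instances, acls):
    """Pairs of sequences of one map whose ACL entries match the same flows.
    IOS evaluates crypto map entries in sequence order, so the lower
    sequence wins and the other peer never sees that traffic."""
    problems = []
    items = sorted(instances.items())
    for i, ((n1, s1), a1) in enumerate(items):
        for (n2, s2), a2 in items[i + 1:]:
            if n1 != n2 or a1 == a2 or a1 not in acls or a2 not in acls:
                continue
            for src1, dst1 in acls[a1]:
                for src2, dst2 in acls[a2]:
                    if src1.overlaps(src2) and dst1.overlaps(dst2):
                        problems.append((s1, s2, str(dst1), str(dst2)))
    return problems


def lint(text):
    """Human-readable findings for a configuration snippet; [] when clean."""
    instances, acls = parse_config(text)
    findings = []
    for (name, acl), seqs in shared_acls(instances).items():
        findings.append(f"crypto map {name}: ACL {acl} is used by sequences "
                        f"{seqs}; each peer needs its own crypto ACL")
    for s1, s2, d1, d2 in overlapping_entries(instances, acls):
        findings.append(f"sequences {s1} and {s2}: destinations {d1} and {d2} "
                        f"overlap, so sequence {s1} will claim that traffic")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("overlap", OVERLAP_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Run it against a `show running-config` capture to get the same two checks on a live configuration; the overlap check is the one to keep in mind after the fix, since a crypto ACL that is merely distinct but still covers another peer's subnet produces the same "outside reachable, inside not" symptom.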

Richard Burts Mon, 08/25/2008 - 07:54

Jason


When you have not done it before it is frequently difficult to recognize some of the dependencies, such as the need to have separate access lists to identify traffic for each peer. I am glad that my suggestion was able to help you resolve your issue. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read an issue and can know that a response did lead to a resolution of the issue.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
