Configuration help for 2nd LAN-to-LAN VPN link

jmarsh (Level 1)

Hello,

I have successfully configured a LAN-to-LAN VPN link between two offices. I am attempting to add another link to a 3rd office from my home office but am having some trouble. I have attached my configuration and am hoping someone can help me fix my problem. Right now I have a working VPN to the 172.16.0.0/24 network and am trying to set up the link to 172.16.3.0/24 as well. Over the new VPN connection I can ping the outside interfaces but can't ping anything internally.

Thanks for your time and help,

Jason

Accepted Solution

Richard Burts (Hall of Fame)

Jason

There is one significant mistake that is easy to fix. You have correctly created a second instance of the crypto map to create a VPN tunnel to the second site. But as currently configured both instances of the crypto map use the same access list:

crypto map clientmap 1 ipsec-isakmp
 match address 100
crypto map clientmap 5 ipsec-isakmp
 match address 100

But each VPN session/tunnel needs its own access list. So I suggest that you make the following changes:

crypto map clientmap 5 ipsec-isakmp
 match address 101

no access-list 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255

This provides a separate access list for each session/tunnel and should resolve that issue. Give it a try and let us know the result.

HTH

Rick

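The reason the shared access list breaks the second tunnel is how IOS evaluates a crypto map: when a packet leaves the interface the map is applied to, the entries are checked in ascending sequence number, and the first entry whose crypto ACL permits the packet owns it. If sequence 1 and sequence 5 both point at ACL 100, and ACL 100 permits traffic to both 172.16.0.0/24 and 172.16.3.0/24, sequence 1 claims the 172.16.3.0/24 traffic and tries to build it over the first peer, so the second entry never sees any traffic. The script below is an added example, not code from the original thread, that parses a minimal crypto map plus access-list configuration and shows which peer a flow would be sent to before and after the fix. It also goes one step beyond the post with a lint that flags any two entries of the same map whose crypto ACLs could match the same flow, which catches the same mistake even when the entries use different ACL numbers. The `set peer` lines, the peer addresses 198.51.100.1 and 203.0.113.1, and the second ACE in the pre-fix ACL 100 are assumptions for illustration; only contiguous wildcard masks are handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (not the poster's real config).
# Peer addresses are documentation-range placeholders and the "set peer"
# lines are assumed; the post only showed the crypto map and ACL lines.
BEFORE_FIX = """
crypto map clientmap 1 ipsec-isakmp
 set peer 198.51.100.1
 match address 100
crypto map clientmap 5 ipsec-isakmp
 set peer 203.0.113.1
 match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""

AFTER_FIX = """
crypto map clientmap 1 ipsec-isakmp
 set peer 198.51.100.1
 match address 100
crypto map clientmap 5 ipsec-isakmp
 set peer 203.0.113.1
 match address 101
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""

ACE_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class MapEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    acl: Optional[str] = None


def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks; only contiguous masks are supported here."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_config(text: str) -> Tuple[List[MapEntry], Dict[str, List[Ace]]]:
    """Extract crypto map entries (sorted by map name and sequence) and 'permit ip' ACEs."""
    acls: Dict[str, List[Ace]] = {}
    entries: List[MapEntry] = []
    current: Optional[MapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MAP_RE.match(line):
            current = MapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
        elif m := ACE_RE.match(line):
            ace = Ace(wildcard_to_net(m.group(2), m.group(3)), wildcard_to_net(m.group(4), m.group(5)))
            acls.setdefault(m.group(1), []).append(ace)
            current = None
        elif current is not None and line.startswith("set peer "):
            current.peer = line.split()[2]
        elif current is not None and line.startswith("match address "):
            current.acl = line.split()[2]
    entries.sort(key=lambda e: (e.name, e.seq))
    return entries, acls


def select_peer(entries: List[MapEntry], acls: Dict[str, List[Ace]], src_ip: str, dst_ip: str):
    """Mimic crypto map selection: the lowest-sequence entry whose ACL permits the flow wins.
    Returns (sequence, peer) or None when no entry matches (traffic goes out in the clear)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if any(s in ace.src and d in ace.dst for ace in acls.get(e.acl or "", [])):
            return e.seq, e.peer
    return None


def overlapping_entries(entries: List[MapEntry], acls: Dict[str, List[Ace]]) -> List[Tuple[int, int]]:
    """Lint: pairs of entries in one map whose crypto ACLs can match the same flow.
    The lower sequence always wins, so the higher one silently never gets that traffic."""
    problems = set()
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.name != b.name:
                continue
            if any(x.src.overlaps(y.src) and x.dst.overlaps(y.dst)
                   for x in acls.get(a.acl or "", []) for y in acls.get(b.acl or "", [])):
                problems.add((a.seq, b.seq))
    return sorted(problems)


if __name__ == "__main__":
    for label, cfg in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        entries, acls = parse_config(cfg)
        print(label, "172.16.3.10 ->", select_peer(entries, acls, "192.168.0.10", "172.16.3.10"),
              "overlaps:", overlapping_entries(entries, acls))
```

Run against the pre-fix configuration the 172.16.3.0/24 flow resolves to sequence 1 (the first office's peer) and the lint reports the (1, 5) pair; after the fix it resolves to sequence 5 and the lint is clean. The same check is worth running whenever a new `crypto map ... ipsec-isakmp` entry is added to an existing map.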

3 Replies


Thank you for your help. I could not find any configuration examples to show me how to do this one. I figured I was just missing one little step but couldn't figure out what it was.

Thanks Again,

Jason

Jason

When you have not done it before it is frequently difficult to recognize some of the dependencies, such as the need to have separate access lists to identify traffic for each peer. I am glad that my suggestion was able to help you resolve your issue. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read an issue and can know that a response did lead to a resolution of the issue.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
