08-23-2008 10:12 AM - edited 02-21-2020 03:54 PM
Hello,
I have successfully configured a LAN-to-LAN VPN link between two offices. I am attempting to add another link to a third office from my home office but am having some trouble. I have attached my configuration and am hoping someone can help me fix my problem. Right now I have a working VPN to the 172.16.0.0/24 network and am trying to set up the link to 172.16.3.0/24 as well. Over the new VPN connection I can ping the outside interfaces but can't ping anything internal.
Thanks for your time and help,
Jason
08-24-2008 12:25 PM
Jason
There is one significant mistake that is easy to fix. You have correctly created a second instance of the crypto map to create a VPN tunnel to the second site. But as currently configured both instances of the crypto map use the same access list:
crypto map clientmap 1 ipsec-isakmp
match address 100
crypto map clientmap 5 ipsec-isakmp
match address 100
But each VPN session/tunnel needs its own access list. So I suggest that you make the following changes:
crypto map clientmap 5 ipsec-isakmp
match address 101
no access-list 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
This provides a separate access list for each session/tunnel and should resolve that issue. Give it a try and let us know the result.
HTH
Rick
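The rule Rick describes (one interesting-traffic ACL per crypto map instance) can be checked mechanically. The Python script below is an added example, not part of this thread and not a Cisco tool: it parses the crypto map instances and numbered extended ACLs out of an IOS configuration and flags instances of the same map that share a `match address` ACL, reference an ACL with no `permit ip` entries, or select overlapping traffic (IOS evaluates the instances of a map in sequence-number order and uses the first whose ACL permits the packet, so in all three cases one peer never gets its traffic). The sample configurations are constructed here in the shape the thread describes; the peer addresses (203.0.113.10, 198.51.100.20) and the transform-set name `myset` are placeholders, not values from Jason's post.

```python
"""Lint Cisco IOS crypto-map instances for shared, missing or overlapping
interesting-traffic ACLs. Added example; not Cisco code and not from the thread."""
import ipaddress
from collections import defaultdict

# Constructed sample in the shape described in the thread. Peer addresses are
# RFC 5737 documentation addresses and 'myset' is a placeholder transform set.
BROKEN_CONFIG = """\
crypto map clientmap 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set myset
 match address 100
crypto map clientmap 5 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set myset
 match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
"""

# The same configuration after the fix from the thread: one ACL per instance.
FIXED_CONFIG = """\
crypto map clientmap 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set myset
 match address 100
crypto map clientmap 5 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set myset
 match address 101
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network. A wildcard is the bitwise
    inverse of a netmask; a non-contiguous wildcard raises ValueError."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (instances, acls).
    instances[(map_name, seq)] = {"peer": str or None, "acl": str or None}
    acls[acl_id] = [(src_network, dst_network), ...] from 'permit ip' lines."""
    instances, acls, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0] in " \t":  # indented line: sub-command of the current crypto map
            if current is None:
                continue
            if words[:2] == ["set", "peer"]:
                instances[current]["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                instances[current]["acl"] = words[2]
            continue
        current = None  # any top-level line closes the crypto map block
        if words[:2] == ["crypto", "map"] and len(words) >= 5 and words[4] == "ipsec-isakmp":
            current = (words[2], int(words[3]))
            instances[current] = {"peer": None, "acl": None}
        elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(words[4:])
            dst, _ = _endpoint(rest)
            acls[words[1]].append((src, dst))
    return instances, dict(acls)


def lint(text):
    """Return a list of findings; an empty list means no crypto-map/ACL problem."""
    instances, acls = parse_config(text)
    findings, users = [], defaultdict(list)  # users: (map_name, acl_id) -> [seq, ...]
    for (name, seq), entry in instances.items():
        if entry["acl"] is None:
            findings.append(f"{name} seq {seq}: no 'match address'; instance never selects traffic")
        elif entry["acl"] not in acls:
            findings.append(f"{name} seq {seq}: ACL {entry['acl']} has no permit ip entries")
        else:
            users[(name, entry["acl"])].append(seq)
    for (name, acl), seqs in users.items():
        if len(seqs) > 1:  # the mistake from the thread: one ACL, several peers
            findings.append(f"{name}: ACL {acl} shared by sequences {sorted(seqs)}; "
                            f"only sequence {min(seqs)} will ever match")
    # Distinct ACLs whose interesting traffic overlaps: the lower sequence wins.
    ordered = sorted(instances.items(), key=lambda kv: kv[0][1])
    for i, ((name1, seq1), e1) in enumerate(ordered):
        for (name2, seq2), e2 in ordered[i + 1:]:
            if name1 != name2 or e1["acl"] == e2["acl"]:
                continue
            for s1, d1 in acls.get(e1["acl"], []):
                for s2, d2 in acls.get(e2["acl"], []):
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        findings.append(f"{name1}: seq {seq2} (ACL {e2['acl']}) overlaps seq {seq1} "
                                        f"(ACL {e1['acl']}) for {s2} -> {d2}; seq {seq1} is evaluated first")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

Run as a script it reports the shared-ACL finding for the broken sample and nothing for the fixed one; `lint()` takes the text of a `show running-config` as well. Two things to keep in mind when applying the fix itself: the remote peer's crypto ACL must be the mirror image of the local one (for the new site, 172.16.3.0/24 to 192.168.0.0/24), and a changed crypto ACL applies only to SAs negotiated after the change, so existing SAs keep their old selectors until they expire or are cleared with `clear crypto sa`.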
08-25-2008 06:19 AM
Thank you for your help. I could not find any configuration examples to show me how to do this one. I figured I was just missing one little step but couldn't figure out what it was.
Thanks Again,
Jason
08-25-2008 07:54 AM
Jason
When you have not done it before it is frequently difficult to recognize some of the dependencies, such as the need to have separate access lists to identify traffic for each peer. I am glad that my suggestion was able to help you resolve your issue. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read an issue and can know that a response did lead to a resolution of the issue.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick