UC520 Site-to-Site VPN

Unanswered Question
May 25th, 2009

Hi there,


We are trying to connect two UC520 devices to each other with a site-to-site IPsec VPN. The one site has LAN range 192.168.2.x and the other site has LAN range 192.168.1.x. We followed many articles but the result is that the tunnel will not come up and there is no traffic flow between both sites. Enclosed I have the configuration of the tunnels. What could be the problem?



cisco24x7 Tue, 05/26/2009 - 03:22

Your issue, I think, has to do with NAT.

You need to disable NAT at both locations,


something like this:


site A:
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip nat inside source list 100 interface F0/0 overload

site B:
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface F0/0 overload


Once you've done that, do "clear ip nat trans *" and try again. It will work this time. The purpose of access-list 100 is to tell both site A and site B, when communicating with each other, do NOT NAT.
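
The first-match logic behind the NAT exemption suggested in the reply above, as an added example that is not part of the original post. It evaluates the site A access-list the way a NAT source list is read (permit means translate, deny or no match means leave untranslated); the `permit ... any` entry, the helper names and the test addresses are assumptions, since the reply shows only the deny line.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD (DST WILDCARD | any)'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]

    def take(parts):
        if parts[0] == "any":
            return (0, 0xFFFFFFFF), parts[1:]
        addr = int(ipaddress.IPv4Address(parts[0]))
        wild = int(ipaddress.IPv4Address(parts[1]))
        return (addr, wild), parts[2:]

    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst

def matches(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def is_natted(acl_lines, src_ip, dst_ip):
    """First matching entry wins; permit = translate, deny = exempt."""
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if matches(src_ip, src) and matches(dst_ip, dst):
            return action == "permit"
    return False  # implicit deny at the end of every access-list

# Site A list: the deny line is from the reply, the permit line is assumed.
SITE_A_EXEMPT_FIRST = [
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
]
# Same entries in the wrong order: the permit shadows the exemption.
SITE_A_PERMIT_FIRST = list(reversed(SITE_A_EXEMPT_FIRST))

if __name__ == "__main__":
    for name, acl in (("exempt first", SITE_A_EXEMPT_FIRST),
                      ("permit first", SITE_A_PERMIT_FIRST),
                      ("deny only", SITE_A_EXEMPT_FIRST[:1])):
        # 203.0.113.5 is a constructed Internet destination (documentation range).
        print(name,
              "| to site B NATed:", is_natted(acl, "192.168.1.10", "192.168.2.20"),
              "| to Internet NATed:", is_natted(acl, "192.168.1.10", "203.0.113.5"))
```

With only the deny line in the list, the implicit deny also stops translation of Internet-bound traffic, which is why the order and the presence of a trailing permit both matter.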





mamkreutz01 Tue, 05/26/2009 - 11:07

Thanks for the reply. I put the extra lines in the configuration but the tunnel is not coming up at all. When I do sh crypto isakmp sa the device shows me nothing and when I do sh crypto ipsec sa there is no connectivity. What could be the problem?
