IPSec VPN between two LANs

Sep 23rd, 2010


I have got a Cisco ASA 5540 at Headquarters and a Cisco 857 ADSL router at the Branch Office with internet up. I have created a site-to-site VPN between the workplace ASA and the branch router and it's working fine.

Please see the attached snapshot (scenario 1) for reference.

Presently I have assigned public IPs to the remote LAN PCs (Branch Office). Now I am planning to give them a private range (let's say

It will be just like a LAN-to-LAN VPN.

What do I have to add in my configuration on the ASA and the router to make this possible? I am not very good with VPN connectivity, so I need experts' help and advice.

If something is not clear, please let me know.

Thanks in advance.

Abdul Samir Shaikh Thu, 09/23/2010 - 10:33

Hi prapanch,

Thanks for the quick response.

Firstly, please ignore my previous attachment because it has got some IP mistakes.

Here is my router config:

Current configuration : 3748 bytes

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname Hospital

boot system flash c850-advsecurityk9-mz.124-15.T14.bin

no logging buffered
no logging console
enable secret 5 $1$I7fD$hFcavQfsBAttAU3kdsCyo0

no aaa new-model

crypto pki trustpoint TP-self-signed-514007288
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-514007288
 revocation-check none
 rsakeypair TP-self-signed-514007288

crypto pki certificate chain TP-self-signed-514007288
 certificate self-signed 01


dot11 syslog

ip cef
ip name-server 212.93.x.x
ip name-server 212.93.x.x

username admin privilege 15 password 7 070C2E414B4D0D041C170218

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 11.11.11.14
 set peer
 set transform-set ESP-3DES-SHA
 match address 100

log config

interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 dsl operating-mode auto

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface Vlan1
 ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap password 7 XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXX
 crypto map SDM_CMAP_1

ip forward-protocol nd
ip route Dialer1

ip http server
ip http authentication local
ip http secure-server

access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip

line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 1306181F0E48102B20212127
 login local

scheduler max-task-time 5000

ASA config

access-list Outside_1_cryptomap line 1 extended permit ip
access-list inside_nat0_outbound line 6 extended permit ip
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer (Dynamic IP from ISP)
crypto map Outside_map 1 set transform-set ESP-3DES-SHA

Diego Armando C... Thu, 09/23/2010 - 14:18

In your router you have

access-list 100 permit ip

change it for

access-list 100 permit ip (new network)

In the ASA

ASA config

access-list Outside_1_cryptomap line 1 extended permit ip (new network)

access-list inside_nat0_outbound line 6 extended permit ip (new network)

I suppose that you are going to be using NAT for the rest of the traffic, right? Then you will need to do a NO-NAT in the router as well. Do the NAT exception with a route-map.

Diego Armando C... Thu, 09/23/2010 - 14:22

Check the link that Naryanan added. The router is doing a NAT exception with the help of a route-map.

Abdul Samir Shaikh Fri, 09/24/2010 - 04:38

Thank you, experts, for your help and great information.

I will notify you if there is any issue.

One more thing I had to point out here: do I have to add any route on the ASA?

Abdul Samir Shaikh Fri, 09/24/2010 - 05:34

Hi Experts,

I have a default route on the router:

ip route Dialer1

So do I have to configure any route for this case?

Jennifer Halim Fri, 09/24/2010 - 05:37

No, you do not need any extra route on the router. The default route on the router will suffice.

Hope that helps.

Abdul Samir Shaikh Fri, 09/24/2010 - 06:00

So I don't have to put any route on the router pointing to the ASA outside?

Please clarify.


Jennifer Halim Fri, 09/24/2010 - 06:05

Yes, you are absolutely right. There is no need for any other extra routes on the router.

Abdul Samir Shaikh Fri, 09/24/2010 - 11:50

Hi All,

Here, one question arises in my mind:

Will the PCs (local network) behind the ASA be able to access the remote network (behind the branch office router)?

Abdul Samir Shaikh Mon, 09/27/2010 - 03:38

Hello Experts,

Please see the attached configuration of the site-to-site VPN between the router and the ASA.

But I cannot ping or reach the internal network behind the ASA from the Branch Office, and vice versa.

The VPN tunnel is established (FYI).

Experts, please can you help with what's wrong in the config?

Jennifer Halim Mon, 09/27/2010 - 03:59

The router configuration is incorrect.

ACL 100, which is the crypto ACL, needs to mirror image the ASA Outside_1_cryptomap ACL.

Router ACL 100 should say:

access-list 100 permit permit

Router ACL 101 for the NAT statement should say:

access-list 101 deny ip

access-list 101 permit ip any

Hope that helps.
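To make the two requirements above checkable (the router crypto ACL is the ASA crypto ACL with source and destination swapped, and the NAT ACL used by the route-map denies the VPN traffic before it permits the rest), here is an added Python checker that is not from this thread; the 10.10.0.0/24 and 192.168.50.0/24 networks are constructed stand-ins for the addresses the posts elide.

```python
import ipaddress

# Constructed sample ACEs: 10.10.0.0/24 is the LAN behind the ASA, 192.168.50.0/24 the branch LAN.
ASA_CRYPTO_ACL = ("access-list Outside_1_cryptomap extended permit ip "
                  "10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0")
ROUTER_CRYPTO_ACL = "access-list 100 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.0.255"
ROUTER_NAT_ACL = [  # referenced by the route-map that drives 'ip nat inside source'
    "access-list 101 remark IPSec Rule",
    "access-list 101 deny ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.0.255",
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 any",
]

def _take(tokens, wildcard):
    """Consume one address spec (any / host X / X mask) and return it as a network."""
    first = tokens.pop(0)
    if first in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard bits are the inverse of an ASA subnet mask
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def parse_ace(line, style):
    """Return (action, src, dst) for an 'ip' ACE; style is 'ios' (wildcards) or 'asa' (netmasks)."""
    tokens = line.split()
    if "remark" in tokens:
        return None
    idx = tokens.index("ip")          # protocol keyword: action precedes it, addresses follow
    rest = tokens[idx + 1:]
    src = _take(rest, style == "ios")
    dst = _take(rest, style == "ios")
    return tokens[idx - 1], src, dst

def mirrors(asa_line, router_line):
    """Router crypto ACL must equal the ASA crypto ACL with source and destination swapped."""
    a_act, a_src, a_dst = parse_ace(asa_line, "asa")
    r_act, r_src, r_dst = parse_ace(router_line, "ios")
    return a_act == r_act == "permit" and a_src == r_dst and a_dst == r_src

def nat_exempts_vpn(nat_lines, router_crypto_line):
    """The first ACE matching VPN traffic must be a deny, or it is NATed and never matches ACL 100."""
    _, vpn_src, vpn_dst = parse_ace(router_crypto_line, "ios")
    for line in nat_lines:
        ace = parse_ace(line, "ios")
        if ace and vpn_src.subnet_of(ace[1]) and vpn_dst.subnet_of(ace[2]):
            return ace[0] == "deny"
    return True  # no ACE matched: implicit deny, so the route-map does not translate it either
```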

Abdul Samir Shaikh Sat, 10/02/2010 - 08:27

Hi Jennifer,

Sorry for the delay in responding back. I did as you said but still I cannot ping the branch PC ( from my PC (

Modified router config (FYI):

interface Vlan1
 ip address
 ip nat inside

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside

access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip
access-list 101 permit ip any
route-map SDM_RMAP_1 permit 1
 match ip address 101

Please can you advise.

Jennifer Halim Sat, 10/02/2010 - 18:38

A few things to check:

1) Is the VPN tunnel up? Can you please share the output of "show cry isa sa" and "show cry ipsec sa"?

2) Can you check if the branch PC has any personal firewall that could normally block incoming connections?

Abdul Samir Shaikh Sun, 10/03/2010 - 12:38

Hi Jennifer,

Yes, the VPN tunnel is up.

I have checked the personal firewall on the PCs but nothing happened.

Jennifer Halim Sun, 10/03/2010 - 17:35

Can you please share the output of the following after you try to access it:

show cry isa sa

show cry ipsec sa

BTW, can you ping

