Can I cross two VPNs on two interfaces?

Answered Question

Please see the attached pdf diagram.


I can successfully pass traffic from 192.168.60.0 to the DMZ and Inside networks.

I can successfully pass traffic from 192.168.20.0 to the DMZ and Inside networks.


Problem – I cannot pass traffic from either network across both VPNs. For example, I cannot go from 192.168.60.0 to 192.168.20.0, or vice versa.



Any ideas as to why this won't work?


Thanks in advance.



Correct Answer by jackko, Tue, 11/08/2005 - 15:57 (about 11 years 9 months ago)

Just wondering if both router 1751 and PIX 501 have no-nat and crypto ACLs that include each other's subnet. Also, on the PIX 515, both subnets need to be included for both LAN-to-LAN VPNs.


e.g.

on router 1751,

! traffic that must bypass NAT: local LAN to the hub's DMZ and Inside, and to the other spoke
ip access-list extended no_nat
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

! crypto ACL for the tunnel to the PIX 515 (the PIX 515 side must mirror these)
ip access-list extended lan2lan
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

on pix 501,

! NAT exemption list (applied with nat (inside) 0 access-list no_nat)
access-list no_nat permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

! crypto ACL for the tunnel to the PIX 515
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

for pix 515,

! crypto ACL for the tunnel to router 1751: DMZ, Inside and the other spoke, towards 192.168.20.0
access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

! crypto ACL for the tunnel to PIX 501: DMZ, Inside and the other spoke, towards 192.168.60.0
access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0

The only bit I am not sure about is the no-nat on the PIX 515. I guess we should give it a go first, then figure the no-nat out by troubleshooting.
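As an added example that is not part of the thread: a small Python model of the crypto ACL (proxy identity) checks a spoke-to-spoke packet has to pass on this hub-and-spoke layout, using the subnets and device names from the answer above. It models only the crypto ACLs, not the NAT exemption; `build_acls(False)` reproduces the original symptom and `build_acls(True)` adds the cross-spoke lines jackko suggests.

```python
import ipaddress

# Constructed model of the topology in the thread: two spokes (router 1751 and PIX 501),
# each with one LAN-to-LAN tunnel to the hub PIX 515, which fronts DMZ and Inside.
HUB_NETS = ["172.24.0.0/24", "192.168.1.0/24"]
SPOKES = {"1751": "192.168.20.0/24", "501": "192.168.60.0/24"}


def acl(pairs):
    """Turn (src, dst) CIDR strings into network objects, one tuple per permit line."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in pairs]


def build_acls(include_other_spoke):
    """Crypto ACLs for both spokes and both hub tunnels; the flag adds the cross-spoke lines."""
    acls = {}
    for name, net in SPOKES.items():
        remote = list(HUB_NETS)
        if include_other_spoke:
            remote += [n for other, n in SPOKES.items() if other != name]
        acls[name] = acl([(net, r) for r in remote])            # spoke's lan2lan ACL
        acls["515->" + name] = acl([(r, net) for r in remote])  # hub's vpnX_<spoke> ACL
    return acls


def matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def trace(acls, src_ip, dst_ip):
    """Follow one spoke-to-spoke packet hop by hop; return (delivered, explanation)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next(n for n, net in SPOKES.items() if src in ipaddress.ip_network(net))
    egress = next(n for n, net in SPOKES.items() if dst in ipaddress.ip_network(net))
    # Decrypt checks use the mirrored ACL: the receiving side's entry is written dst -> src.
    hops = [
        (ingress + " encrypt", acls[ingress], src, dst),
        ("515 decrypt from " + ingress, acls["515->" + ingress], dst, src),
        ("515 encrypt to " + egress, acls["515->" + egress], src, dst),
        (egress + " decrypt", acls[egress], dst, src),
    ]
    for label, entries, s, d in hops:
        if not matches(entries, s, d):
            return False, "dropped at '%s': no crypto ACL entry for %s -> %s" % (label, s, d)
    return True, "all four crypto ACL checks passed"


if __name__ == "__main__":
    for flag in (False, True):
        print("cross-spoke lines" if flag else "hub nets only",
              trace(build_acls(flag), "192.168.60.10", "192.168.20.10"))
```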
