Community Member

VPN site to site config help

Hello,

I have two sites I have configured as below:

VOIP -> Router -> Gateway (VSAT).

See config (question afterwards)

Current configuration : 2030 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DODO
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$l1OE$DHIRTxdvpti8f1AzCosgd0
!
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip dhcp ping packets 0
!
ip domain name dodoeng.com
ip name-server 62.173.37.3
ip name-server 80.247.148.142
ip name-server 62.173.34.222
ip name-server 81.199.3.7
ip name-server 217.117.0.38
ip name-server 81.199.3.18
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 tunnel source "ROUTER OUTSIDE IP"
 tunnel destination "2nd site OUTSIDE IP"
!
interface Loopback0
 no ip address
!
interface Ethernet0
 description DODO LAN
 ip address 10.234.84.1 255.255.255.0
 ip access-group 128 in
 ip access-group 110 out
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 full-duplex
 no cdp enable
!
interface FastEthernet0
 description WAN link to ipNX
 bandwidth 600
 ip address "outside ip" 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 "modem ip"
ip route 10.234.85.0 255.255.255.0 Tunnel0
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
ip dns server
!
access-list 1 permit 10.234.84.0 0.0.0.255
access-list 110 deny tcp any host 10.234.84.207 eq www
access-list 110 permit ip any any
access-list 128 deny tcp 10.234.84.0 0.0.0.255 host 10.234.84.214 eq www
access-list 128 permit ip any any
snmp-server enable traps tty
snmp-server manager
!
control-plane
!
line con 0
 password 7 094F471A1A0A
 login
line aux 0
 password 7 104D000A0618
 login
line vty 0 4
 password 7 104D000A0618
 login
line vty 5 15
 password 7 060506324F41
 login
!
end

I am unable to ping the network 10.234.85.0 on the other site (this is the essence of the VPN: using VoIP to make calls between sites).

Is the tunnel IP relevant (I met this in the previous config)? What do I use as the loopback IP?

The bottom line is, I need to get these two sites connected through the VPN while they also access the internet. Internet is accessible with this config, though.

Router 1721.

Help

Thanks

Daniel

2 REPLIES

Re: VPN site to site config help

So you want to set up a GRE tunnel between two sites.

Can you ping the remote tunnel interface -- 172.20.1.2?

If yes, make sure you have static route for the tunnel traffic configured on both sides.

Community Member

Re: VPN site to site config help

Hi, your config should look like this:

FIRST SIDE: some output omitted

!
version 12.3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 ******* address "other side IP add"
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 tunnel source "ROUTER OUTSIDE IP"
 tunnel destination "2nd site OUTSIDE IP"
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Ethernet0
 description DODO LAN
 ip address 10.234.84.1 255.255.255.0
 ip access-group 128 in
 ip access-group 110 out
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 full-duplex
 no cdp enable
!
interface FastEthernet0
 description WAN link to ipNX
 bandwidth 600
 ip address "outside ip" 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 "modem ip"
!
ip route 10.234.85.0 255.255.255.0 172.20.1.2
!

SECOND SIDE: some output omitted

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 ******* address "other side IP add"
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Tunnel0
 ip address 172.20.1.2 255.255.255.252
 tunnel source "2nd site OUTSIDE IP"
 tunnel destination "ROUTER OUTSIDE IP"
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback0
 no ip address
!
interface Ethernet0
 description DODO LAN
 ip address 10.234.85.1 255.255.255.0
 ip access-group 128 in
 ip access-group 110 out
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 full-duplex
 no cdp enable
!
interface FastEthernet0
 description WAN link to ipNX
 bandwidth 600
 ip address "outside ip" 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 "modem ip"
!
ip route 10.234.84.0 255.255.255.0 172.20.1.1
!
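The two replies come down to one checklist for a pair of site configs: the Tunnel0 addresses must be a matching pair in one /30, each router's tunnel source must be the other router's tunnel destination, each side needs a static route that sends the remote LAN into the tunnel, and without `tunnel mode ipsec ipv4` plus `tunnel protection` the GRE tunnel carries the voice traffic across the VSAT link unencrypted. The Python script below is an added example, not code from this thread or from Cisco: it pulls those lines out of two IOS configs and reports each mismatch. The sample configs, the function names (`parse_ios`, `tunnel_facts`, `check_pair`) and the 192.0.2.x / 198.51.100.x outside addresses are constructed for the example.

```python
"""Consistency checks for a pair of Cisco IOS site-to-site tunnel configs.
Added example, not code from this thread: it reads the tunnel and static-route
lines of two configs and reports what leaves the remote LAN unreachable or
unprotected. Sample configs are constructed; 192.0.2.x and 198.51.100.x stand in
for the real outside IPs."""
import ipaddress
import re

def parse_ios(text):
    """Interface sub-commands and static routes. Assumes an interface block runs
    until the next '!' (indentation may be lost when pasted) and 'ip route' is global."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current, interfaces[m.group(1)] = m.group(1), []
            continue
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            routes.append(m.groups())  # (prefix, mask, next hop or exit interface)
            current = None
            continue
        if current is not None:
            interfaces[current].append(line)
    return {"interfaces": interfaces, "routes": routes}

def tunnel_facts(cfg, name="Tunnel0"):
    """Inner address, outer endpoints and IPsec settings of one tunnel, or None."""
    sub = cfg["interfaces"].get(name)
    if sub is None:
        return None
    facts = dict(address=None, source=None, destination=None, ipsec_mode=False, protected=False)
    for line in sub:
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            facts["address"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.startswith("tunnel source "):
            facts["source"] = line.split()[2]
        elif line.startswith("tunnel destination "):
            facts["destination"] = line.split()[2]
        elif line == "tunnel mode ipsec ipv4":
            facts["ipsec_mode"] = True
        elif line.startswith("tunnel protection ipsec profile "):
            facts["protected"] = True
    return facts

def check_pair(cfg_a, cfg_b, lan_a, lan_b, name="Tunnel0"):
    """Findings for the site pair; an empty list means it looks consistent."""
    ta, tb = tunnel_facts(cfg_a, name), tunnel_facts(cfg_b, name)
    if ta is None or tb is None:
        return [f"{name} is missing on at least one side"]
    findings = []
    # Outer endpoints must be mirror images; a block pasted unchanged is not.
    if ta["source"] != tb["destination"] or ta["destination"] != tb["source"]:
        findings.append("tunnel source/destination are not mirrored between sites")
    # Inner addresses must be two distinct hosts in one point-to-point subnet.
    a, b = ta["address"], tb["address"]
    if a is None or b is None or a.network != b.network or a.ip == b.ip:
        findings.append("tunnel ip addresses are not a distinct pair in one subnet")
    # A bare GRE tunnel forwards the LAN traffic but sends it over the WAN unencrypted.
    for side, t in (("A", ta), ("B", tb)):
        if not (t["ipsec_mode"] and t["protected"]):
            findings.append(f"side {side}: {name} has no IPsec protection")
    # Each side needs a static route steering the remote LAN into the tunnel, either via
    # the tunnel interface or via the far end's tunnel address (the thread uses both).
    for side, cfg, remote, far in (("A", cfg_a, lan_b, tb), ("B", cfg_b, lan_a, ta)):
        targets = {name, str(far["address"].ip) if far["address"] else None}
        routed = any(ipaddress.IPv4Network(f"{p}/{m}") == ipaddress.IPv4Network(remote)
                     and t in targets for p, m, t in cfg["routes"])
        if not routed:
            findings.append(f"side {side}: no static route for {remote} into {name}")
    return findings

# Constructed sample: site A as a plain GRE tunnel, the shape of the question.
SITE_A_GRE = """
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.20
!
ip route 10.234.85.0 255.255.255.0 Tunnel0
"""
# Constructed sample: site B as an IPsec VTI, the shape of the second reply.
SITE_B_VTI = """
interface Tunnel0
 ip address 172.20.1.2 255.255.255.252
 tunnel source 198.51.100.20
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 10.234.84.0 255.255.255.0 172.20.1.1
"""
# Site A with the same protection added, as the reply's FIRST SIDE has it.
SITE_A_VTI = SITE_A_GRE.replace("!\n", " tunnel mode ipsec ipv4\n tunnel protection ipsec profile VTI\n!\n")
```

Run `check_pair(parse_ios(SITE_A_GRE), parse_ios(SITE_B_VTI), "10.234.84.0/24", "10.234.85.0/24")` and the only finding is that side A's tunnel has no IPsec protection, which is exactly the difference between the question's config and the reply's; with `SITE_A_VTI` in place of `SITE_A_GRE` the list is empty. Pasting the same Tunnel0 block onto both routers without swapping source and destination, or forgetting the static route on one side, each produce their own finding.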
