New Member

800 Series site to site vpn?

Hello, I have a brand new pair of 851Ws with IOS version 12.4(15)T7. I cannot seem to get a site to site VPN established. I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get established.

When I do a show crypto session it all looks correct but the connection is "down"

I am not 100% sure about my crypto transform

"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.

I have attached the configs.


Re: 800 Series site to site vpn?

You are missing your no-nat. Currently both routers are NATting the traffic, so it will not match your crypto access-list.

Define your no-nat.

HTH

New Member

Re: 800 Series site to site vpn?

Hello, thanks for the response.

I added

"route-map nonat permit 10

match ip address Crypto-list"

to each side and that did not seem to help. One thing that is odd: from the Bangor side I can ping 192.168.0.1 and 192.168.1.1, but the crypto session says down. The pings respond very quickly to 192.168.0.1, so it is strange.

Silver

Re: 800 Series site to site vpn?

Can you post the latest configs from both sides?

Also try not using the crypto ACL in the route-map. Make a new ACL for denying the IPsec traffic and permitting the rest of the traffic.

HTH

Saju

New Member

Re: 800 Series site to site vpn?

I added an additional ACL (120) and changed the route-map to point to the 120. On the "route-map nonat permit 10", what does the 10 mean?

Also I do not have a loopback interface is that required?

Re: 800 Series site to site vpn?

OK, firstly: your config is not complete. You have not applied it to the NAT statement for the FastEthernet; it will not work until you apply it.

The "permit 10" is just a sequence number; you can have multiple matches in a route-map.

Loopback is not required.

HTH

New Member

Re: 800 Series site to site vpn?

I am confused about applying the NAT?

I have "ip nat outside" on the FE4.

I have "ip nat inside" on Vlan1, BVI1.

And the "ip nat inside source list 1 interface FE4 overload".

Re: 800 Series site to site vpn? (Accepted Solution)

You need to change the config from :-

ip nat inside source list 1 interface FE4 overload

to

ip nat inside source route-map nonat interface FastEthernet4 overload

HTH
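
The complete NAT-exemption arrangement the replies above describe (a separate deny/permit ACL for the route-map, and the NAT statement switched from "list 1" to "route-map nonat"), shown as an added example for one side of the tunnel. This is not a config from the thread: the LAN subnets 192.168.0.0/24 and 192.168.1.0/24 are inferred only from the addresses pinged earlier and are an assumption, the peer address 203.0.113.2 and the crypto map name VPN are placeholders, and the ISAKMP policy and pre-shared key are omitted because the thread does not show them.

```cisco
! Added example, not from the original thread. Assumed addressing:
! local LAN 192.168.0.0/24, remote LAN 192.168.1.0/24; peer 203.0.113.2 is a placeholder.
!
! Crypto ACL: the traffic that must be encrypted (name taken from the thread).
ip access-list extended Crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL (120, as in the thread). The deny comes first so LAN-to-LAN traffic keeps
! its private source address and can match Crypto-list; everything else is still
! translated to the FastEthernet4 address. Order matters: a permit-any first would
! translate the VPN traffic too and reproduce the original problem.
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
! The route-map references the NAT ACL, not the crypto ACL.
route-map nonat permit 10
 match ip address 120
!
! Original (wrong): translates all inside traffic, including the tunnel traffic.
!   ip nat inside source list 1 interface FastEthernet4 overload
! Corrected: only traffic permitted by route-map nonat is translated.
ip nat inside source route-map nonat interface FastEthernet4 overload
!
! Transform set exactly as posted by the OP; the crypto map ties it to Crypto-list.
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA-compression
 match address Crypto-list
!
interface FastEthernet4
 ip nat outside
 crypto map VPN
!
interface Vlan1
 ip nat inside
```

The other side mirrors this with the two subnets swapped in Crypto-list and access-list 120. To confirm the exemption is working, send traffic from the LAN toward 192.168.1.0/24 and check that "show ip nat translations" shows no entries for those flows while "show crypto session" and "show crypto ipsec sa" show the SA coming up with matching encrypt/decrypt counters.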

New Member

Re: 800 Series site to site vpn?

Yes, that fixed it. I was also able to add in my config for a laptop to router VPN using the Cisco client.

Thanks for all the help.

Re: 800 Series site to site vpn?

np - glad to help.
