I've set up a router-to-router VPN between two Cisco 1720 routers. There will be a third router brought on line soon.
The routers are set up the same and they have the internal FastEthernet interface and an external WIC Ethernet card.
I was having trouble getting traffic through the IPSec tunnel until the access list I use on the external WIC Ethernet card included permit statements for the traffic coming from the other subnet.
I imagine I have something set up wrong. What seems to be happening is that the VPN tunnel is ending at my external WIC card. The router is decrypting the information and then placing it back on the external interface. I then need to add the statement that allows the traffic from the other subnet through the external interface?! This seems like it would open me up to attack from anyone who spoofed my internal IP addresses from the other subnet.
My main question is about the last statement on access-list 103. I would not have thought I needed this statement.
I'm new at this and any help would be appreciated.
The diagram of the networks is like this but flows in both directions.
I think your problem is with the access-list. Start with only two access-list statements for now, one for the tunnel and the other for the NAT.
! crypto ACL: the LAN-to-LAN traffic that gets encrypted into the tunnel
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! NAT exemption ACL: deny the tunnel traffic (no NAT), then permit the rest
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
When you add the third site, just include the access-list permit statement for the tunnel and rearrange the NAT access-list, making sure that the permit statement ends the 102 list. From experience I would advise you to use a route-map statement for your NAT. Example:
! the route-map name must match the one defined below ("nonat")
ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
 match ip address 102
You have to be careful with applying an access-list on the external interface because you use this for your NAT. You have to list the IPs you want to deny and you cannot use deny any. Always list the deny statements and end with permit. Advice: try to simplify your configuration. If you are using static routes, I don't see any need for the RIP.
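The reply above gives the recipe in pieces; the following is an added example (not posted in the thread and not a Cisco reference configuration) that puts the pieces together for the first router once the third site exists. It assumes site A is 192.168.1.0/24 behind FastEthernet0 with the WIC card as Ethernet0, site B is 192.168.3.0/24 as in the thread, the third site C is 192.168.2.0/24, and the public peer addresses 203.0.113.1/2/3 and the `<PRE-SHARED-KEY>` value are placeholders; the ISAKMP and transform-set choices are illustrative.

```cisco
! Added example: one crypto ACL per tunnel, one NAT-exemption ACL that denies
! every tunnel subnet before its final permit, a route-map based NAT, and a
! crypto map with one entry per peer.
!
! Crypto ACLs: select the LAN-to-LAN traffic to encrypt (never NAT this).
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: every tunnel subnet is denied first, the permit is last.
! Adding a site means adding one deny line above the permit, nothing else.
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 102
!
ip nat inside source route-map nonat interface Ethernet0 overload
!
! Phase 1 policy and one pre-shared key per peer (placeholder values).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.3
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! One crypto map entry per tunnel, each tied to its own crypto ACL.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 100
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS
 match address 101
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN
```

The example deliberately carries no inbound access-list on Ethernet0, so it does not prejudge the questioner's access-list 103. If one is added, it must at least permit ISAKMP (udp port 500) and ESP (ip protocol 50) from each peer address for the tunnels to come up; a clear-text permit for the remote LAN subnets on the outside interface is the spoofing exposure the question describes, so such an entry should be treated as a symptom to investigate rather than as part of the design.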