Cisco Support Community
New Member

Can I cross two VPNs on two interfaces?

Please see the attached pdf diagram.

I can successfully pass traffic from 192.168.60.0 to the DMZ and Inside networks.

I can successfully pass traffic from 192.168.20.0 to the DMZ and Inside networks.

Problem – I cannot pass traffic from either network across both VPNs. For example, I cannot go from 192.168.60.0 to 192.168.20.0, or vice versa.

Any ideas as to why this won't work?

Thanks in advance.

Accepted Solutions
Gold

Re: Can I cross two VPNs on two interfaces?

Just wondering if both the router 1751 and the PIX 501 have no-nat and crypto ACLs that include each other's subnet. Also, on the PIX 515, both subnets need to be included for both LAN-to-LAN VPNs.

e.g.

On router 1751,

access-list no_nat 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
access-list no_nat 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list no_nat 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

access-list lan2lan 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
access-list lan2lan 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list lan2lan 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

On PIX 501,

access-list no_nat 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list no_nat 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list lan2lan 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list lan2lan 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2lan 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

For PIX 515,

access-list vpn1_1751 permit 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list vpn2_501 permit 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0

The only bit I am not sure about is the no-nat on the PIX 515. I guess we should give it a go first, then figure the no-nat out by troubleshooting.
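
An added example, not part of the original reply: a Python check that a hub crypto ACL and a spoke crypto ACL are exact mirrors of each other, which is the condition the reply asks for. The sample ACL text is constructed from the reply's subnets and ACL names and written out with an explicit `permit ip` (an assumption); `parse_acl`, `mirror_gaps` and `check` are hypothetical helper names.

```python
import ipaddress

def parse_acl(text):
    """Return {acl_name: {(src_net, dst_net), ...}} for every 'permit ip' entry.

    Accepts PIX 'access-list NAME permit ip ...' lines and IOS
    'ip access-list extended NAME' blocks; ipaddress understands both
    netmasks (255.255.255.0) and wildcard masks (0.0.0.255).
    """
    acls, name = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"] and len(tok) > 3:
            name = tok[3]
            continue
        if tok[:1] == ["access-list"] and len(tok) > 2:
            name, tok = tok[1], tok[2:]
        if name is None or tok[:2] != ["permit", "ip"] or len(tok) < 6:
            continue
        src = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
        dst = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        acls.setdefault(name, set()).add((src, dst))
    return acls

def mirror_gaps(hub_acl, spoke_acl):
    """Entries that stop the two crypto ACLs from being exact mirrors."""
    mirrored = {(dst, src) for src, dst in spoke_acl}
    return {"missing_on_hub": mirrored - hub_acl,
            "missing_on_spoke": {(dst, src) for src, dst in hub_acl - mirrored}}

def check(hub_text, hub_name, spoke_text, spoke_name):
    gaps = mirror_gaps(parse_acl(hub_text)[hub_name], parse_acl(spoke_text)[spoke_name])
    return {k: sorted(f"{s} -> {d}" for s, d in v) for k, v in gaps.items()}

# Constructed sample input using the subnets and ACL names from the reply.
HUB_515 = """
access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
# Constructed "before" state: the spoke has no entry for the other spoke's subnet.
SPOKE_1751_BEFORE = """
ip access-list extended lan2lan
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPOKE_1751_AFTER = SPOKE_1751_BEFORE + " permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255\n"

if __name__ == "__main__":
    print(check(HUB_515, "vpn1_1751", SPOKE_1751_BEFORE, "lan2lan"))
    print(check(HUB_515, "vpn1_1751", SPOKE_1751_AFTER, "lan2lan"))
```

The "before" input reproduces the symptom in the question: the DMZ and Inside entries match, and only the spoke-to-spoke entry is reported as missing on the spoke.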
