
New Member

IPSec LAN-to-LAN (VPN3005 to IOS) Troubleshooting

Hi!

I'm having trouble deploying a LAN-to-LAN VPN/IPsec tunnel between a VPN3005 (v4.7) and a CS1721 IOS router (v12.3.7). I believe it is a design thing. Both the VPN3005 and the CS1721 have several LANs on their local network. What I want to do is, for a particular IP network on the CS1721 side, access the Internet through the VPN3005 (headquarters).

How are the LANs defined both on the VPN3005 and on the CS1721 (see example)?

VPN3005

LAN1 - 10.10.10.0/24

LAN2 - 10.10.20.0/24

PUBLIC IP - 200.200.200.1/30 - example

GW - 200.200.200.2 (Local Internet router)

CS1721

LAN1 - 10.100.10.0/24

LAN2 - 10.100.20.0/24

LAN3 - 192.168.10.0/24

I want both LAN1 and LAN2 from the CS1721 to access the Internet locally, and LAN3 to access the Internet through the VPN/IPsec tunnel.

Regards.

  • Other Security Subjects
2 REPLIES
Silver

Re: IPSec LAN-to-LAN (VPN3005 to IOS) Troubleshooting

This document provides an explanation of common debug commands that are used to troubleshoot IPsec issues on both Cisco IOS Software and PIX. It is assumed that an attempt to configure IPsec has been completed. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2301/products_configuration_example09186a0080093f6b.shtml

Gold

Re: IPSec LAN-to-LAN (VPN3005 to IOS) Troubleshooting

On the router (the posted lines used "access-list <name>", which IOS does not accept, and the permit entries were missing the "ip" protocol keyword; rewritten below as named extended ACLs with the same entries):

ip access-list extended no_nat
 remark flows that enter the tunnel must keep their private source address
 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 any
 remark LAN1 and LAN2 reach the Internet locally, so they are translated
 permit ip 10.100.10.0 0.0.0.255 any
 permit ip 10.100.20.0 0.0.0.255 any
!
ip access-list extended to_be_encrypted
 remark LAN1/LAN2 to headquarters LANs, plus everything from LAN3, goes through the tunnel
 permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

On the concentrator, you can mirror the ACL above. I guess you'll also need to configure a default gateway for the VPN tunnel.

Go to Configuration > System > IP Routing > Default Gateways, option "Tunnel Default Gateway". The tunnel default gateway is usually an internal router behind the concentrator, located in the LAN.
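The reason the no_nat ACL has to deny exactly the flows the crypto ACL permits is that IOS translates inside-to-outside traffic before it consults the crypto map, so any tunnel-bound flow that is still subject to NAT never matches the crypto ACL. The following script is an added check, not part of this thread or of any Cisco tool: it transcribes the two ACLs from the reply above and classifies sample flows, so that a NAT/crypto overlap (the usual cause of "LAN3 still goes out locally") shows up before the config is pushed. The sample addresses and the simplified first-match model (no interface direction) are assumptions.

```python
import ipaddress

# Constructed transcription of the two ACLs from the reply above. Each entry is
# (action, source, destination); IOS wildcard masks are written as prefixes and
# "any" as 0.0.0.0/0. Entries are evaluated top-down, first match wins.
NO_NAT = [
    ("deny",   "10.100.10.0/24", "10.10.10.0/24"),
    ("deny",   "10.100.10.0/24", "10.10.20.0/24"),
    ("deny",   "10.100.20.0/24", "10.10.10.0/24"),
    ("deny",   "10.100.20.0/24", "10.10.20.0/24"),
    ("deny",   "192.168.10.0/24", "0.0.0.0/0"),
    ("permit", "10.100.10.0/24", "0.0.0.0/0"),
    ("permit", "10.100.20.0/24", "0.0.0.0/0"),
]
TO_BE_ENCRYPTED = [
    ("permit", "10.100.10.0/24", "10.10.10.0/24"),
    ("permit", "10.100.10.0/24", "10.10.20.0/24"),
    ("permit", "10.100.20.0/24", "10.10.10.0/24"),
    ("permit", "10.100.20.0/24", "10.10.20.0/24"),
    ("permit", "192.168.10.0/24", "0.0.0.0/0"),
]

def first_match(acl, src, dst):
    """Action of the first ACE matching src->dst; a miss is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def classify(src, dst, no_nat=NO_NAT, crypto=TO_BE_ENCRYPTED):
    """Fate of a flow leaving the outside interface: 'tunnel', 'nat-local',
    'routed-plain' (neither ACL permits it), or 'nat-before-crypto' (both do:
    the source is translated first, the crypto ACL then never matches, and the
    flow leaks out unencrypted)."""
    encrypted = first_match(crypto, src, dst) == "permit"
    natted = first_match(no_nat, src, dst) == "permit"
    if encrypted and natted:
        return "nat-before-crypto"
    if encrypted:
        return "tunnel"
    return "nat-local" if natted else "routed-plain"

if __name__ == "__main__":
    # 198.51.100.10 stands in for any Internet host (RFC 5737 documentation range).
    for src, dst in [("192.168.10.5", "198.51.100.10"), ("10.100.10.5", "198.51.100.10"),
                     ("10.100.20.5", "10.10.10.9"), ("172.16.0.5", "198.51.100.10")]:
        print(f"{src:>14} -> {dst:<14} {classify(src, dst)}")
```

Replacing the LAN3 deny with a trailing "permit ip any any" in no_nat, a common shortcut, makes classify report nat-before-crypto for LAN3 to the Internet, which is exactly the symptom described in the question.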
