Need a hand

Can anyone let me know why this is not working? Here is what I am attempting to do. I want to connect site A to B so that they can browse each other's networks via a VPN connection. Presently, NAT is running on both sides with an internet connection for regular surfing, and I am able to ping from Tunnel1 to Tunnel1 and loopbacks but not from Ethernet to Ethernet. In addition, I am trying to exclude traffic going on the private network from the NAT process via policy routing on both sides.

Am I missing the route-map nonat permit 10 command?

Are the access-lists incorrect?

Unfortunately, I am at a loss.

This is site A

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xx
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set 10cisco
 match address 105
!
interface Loopback0
 description Static Public
 ip address 24.151.xxx.xxx 255.255.255.255
 no ip mroute-cache
!
interface Tunnel1
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 24.151.xxx.xxx
 crypto map cisco
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface cable-modem0
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem boot admin 2
 cable-modem boot oper 5
!
ip default-gateway 10.24.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xx
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any

Here is site B

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xxx
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set 10cisco
 match address 105
!
interface Loopback0
 description Public Static
 ip address 24.151.xx.xx 255.255.255.255
 no ip route-cache
 no ip mroute-cache
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 24.151.xx.xxx
 crypto map cisco
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface cable-modem0
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem boot admin 2
 cable-modem boot oper 5
!
ip default-gateway 10.29.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xxx
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any

I do not understand why the traffic will not route. Any help would be greatly appreciated.

Thank you

Harris C
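An added worked example (not from the post, and not Cisco code): a small evaluator for the site A access-lists above that applies Cisco first-match semantics with the implicit deny, so you can check which NAT statement and which crypto ACL entry a given LAN-to-LAN packet hits before touching the routers. It assumes IOS tries the `ip nat inside source list` statements in configuration order; the sample hosts 192.168.0.5, 192.168.1.5 and 203.0.113.9 are constructed.

```python
import ipaddress

# Constructed copy of the site A access-lists from the post ('xx' is the poster's own redaction).
SITE_A_ACLS = """
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xx
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
"""
# The 'ip nat inside source list ... overload' statements, in the order the post lists them.
SITE_A_NAT_ORDER = [("1", "Loopback0"), ("122", "Tunnel1")]

def _match(addr, spec):
    """Consume one address spec (any | host X | net wildcard) and return (hit, remaining tokens)."""
    if spec[0] == "any":
        return True, spec[1:]
    if spec[0] == "host":
        return addr == spec[1], spec[2:]
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(spec[1]))   # wildcard 1-bits are "don't care"
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(spec[0]))
    return (a & keep) == (n & keep), spec[2:]

def parse_acls(text):
    """Group 'access-list <number> ...' lines by number, preserving their order."""
    acls = {}
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok[:1] == ["access-list"]:
            acls.setdefault(tok[1], []).append(tok[2:])
    return acls

def evaluate(acl, src, dst, proto="ip"):
    """Cisco first-match evaluation with the implicit deny at the end of every ACL."""
    for entry in acl:
        permit, rest = entry[0] == "permit", entry[1:]
        if rest[0].isalpha() and rest[0] not in ("any", "host"):   # extended ACL: protocol keyword
            if rest[0] not in ("ip", proto):
                continue
            hit_s, rest = _match(src, rest[1:])
            hit_d, _ = _match(dst, rest)
            hit = hit_s and hit_d
        else:                                                       # standard ACL: source only
            hit, _ = _match(src, rest)
        if hit:
            return permit
    return False

def first_nat_match(acls, order, src, dst):   # first 'ip nat inside source list' hit, or None
    return next(((n, i) for n, i in order if evaluate(acls[n], src, dst)), None)
```

Under that ordering a 192.168.0.0/24 to 192.168.1.0/24 packet already matches list 1 (which has no deny for the remote LAN) before list 122 is ever consulted, even though crypto ACL 105 permits it; that is the kind of interaction worth confirming with show ip nat translations next to the crypto counters the reply asks about.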

1 REPLY
Re: Need a hand

Hi,

Have you tried it first without the IPSEC command to check if it's working?

What about this default route? Does your packet cross the tunnel interface or not? What do show crypto isakmp sa and show crypto ipsec sa tell you? Are the counters increasing?
