Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

871 ISR Site to Site

I was tasked on building a Site to Site with a partner vendor and after exchanging information such as peer address, PSK, etc, I started to build my end of the tunnel.  The way the topology is setup is that I have an 871 ISR behind a broadband business class router that currently is allowing unrestricted access out to the internet.  After configuring the tunnel, I can't seem to ping my peer address when I apply access-list 100 to the int fa4 (outside WAN) but I can ping when access-list 102 is applied.  Am I doing something wrong?  Would be great if someone out there can give me some feedback on this Below is the commands I implemented on the router:  Thanks in advanced guys!

My Internal =  172.28.3.1/24

My Public   =  50.243.50.102

Peer Internal =  206.53.227.250

Peer Public   =  206.53.227.24

access-list 100 permit ip 172.28.3.0 0.0.0.255 206.53.227.240 0.0.0.15

access-list 100 deny ip any any

ip nat inside source list 100 in interface FastEthernet4 overload

crypto isakmp policy 10

encryption 3des

hash sha

group 2

crypto isakmp key <Key> address 206.53.227.24

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp

set peer 206.53.227.24

set transform-set myset

match address 100

interface FastEthernet4

ip nat outside

crypto map mymap

1 REPLY
VIP Purple

Re: 871 ISR Site to Site

The crypto-ACL that defines the traffic that should be sent through VPN is not ment to be applied to an interface. The Interface-ACL should include anything you had before in the ACL and the IPSec-Traffic between the two peers (IP/50 and UDP/500).

Here is an example for the interface-ACLs: https://supportforums.cisco.com/docs/DOC-38580


Sent from Cisco Technical Support iPad App

120
Views
0
Helpful
1
Replies
CreatePlease to create content