New Member

871 ISR Site to Site

I was tasked with building a Site to Site with a partner vendor and after exchanging information such as peer address, PSK, etc., I started to build my end of the tunnel.  The way the topology is set up is that I have an 871 ISR behind a broadband business class router that currently is allowing unrestricted access out to the internet.  After configuring the tunnel, I can't seem to ping my peer address when I apply access-list 100 to the int fa4 (outside WAN) but I can ping when access-list 102 is applied.  Am I doing something wrong?  Would be great if someone out there can give me some feedback on this. Below are the commands I implemented on the router.  Thanks in advance guys!

My Internal =

My Public   =

Peer Internal =

Peer Public   =

access-list 100 permit ip

access-list 100 deny ip any any

ip nat inside source list 100 interface FastEthernet4 overload

crypto isakmp policy 10

encryption 3des

hash sha

group 2

crypto isakmp key <Key> address

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp

set peer

set transform-set myset

match address 100

interface FastEthernet4

ip nat outside

crypto map mymap

VIP Purple

Re: 871 ISR Site to Site

The crypto-ACL that defines the traffic that should be sent through VPN is not meant to be applied to an interface. The Interface-ACL should include anything you had before in the ACL and the IPSec-Traffic between the two peers (IP/50 and UDP/500).

Here is an example for the interface-ACLs:

Sent from Cisco Technical Support iPad App
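
The separation described in the reply, written out as an added example (not part of the original thread and not either poster's configuration). All addresses are constructed placeholders: 10.1.1.0/24 and 192.0.2.2 stand in for the local internal network and public address, 10.2.2.0/24 and 198.51.100.2 for the peer's; ACL numbers 101, 110 and 120 are arbitrary choices.

```cisco
! --- Crypto ACL: selects traffic to encrypt. Referenced only by the
! --- crypto map, never applied to an interface or used for NAT.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- NAT ACL: exempt tunnel traffic from PAT, translate everything else.
access-list 110 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet4 overload
!
! --- Interface ACL: filters packets arriving on the WAN interface.
! --- Permits IKE (UDP/500) and ESP (IP protocol 50) from the peer.
access-list 120 permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
access-list 120 permit esp host 198.51.100.2 host 192.0.2.2
! --- Optional: lets ping replies from the peer's public address back in.
access-list 120 permit icmp host 198.51.100.2 host 192.0.2.2 echo-reply
! --- Add here whatever the interface ACL permitted before; anything
! --- not matched is dropped by the implicit deny at the end.
!
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set myset
 match address 101
!
interface FastEthernet4
 ip access-group 120 in
 ip nat outside
 crypto map mymap
```

After applying, `show access-lists 120` shows per-entry hit counters, which confirms whether IKE and ESP packets from the peer are reaching the interface.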
