Problem with Site to Site VPN

I am trying to create a site to site VPN using a Cisco 2901 and a Linksys router.

I have the VPN configured and connected and I can ping gateway to gateway. However, from the Cisco I can't ping any of the devices beyond the gateway.

Example, from the Cisco I can ping 192.168.5.254 (gateway IP address) source gig 0/1 and it works great.

However if I ping from the Cisco 192.168.5.50 (end user PC) source gig 0/1 it doesn't work.

I have created a client VPN and that works perfectly.

Below is my config. Any help is greatly appreciated because I am stuck.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 group 2
crypto isakmp key 1234567890 address 1.2.3.4
crypto isakmp keepalive 30 30
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group iptel
 key 1234567890
 pool SDM_POOL_1
 acl remote
!
crypto isakmp client configuration group shortel
 key 1234567890
 pool SDM_POOL_2
 acl shortel
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set Linksys-IPSEC esp-3des esp-sha-hmac
!
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Derek Linksys
 set peer 174.52.250.198
 set transform-set Linksys-IPSEC
 match address shortel
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly in
 ip policy route-map vpn
!
interface Embedded-Service-Engine0/0
 ip address 10.10.10.5 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 4.3.2.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 ip address 10.24.62.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.62
 encapsulation dot1Q 62
 ip address 10.94.62.65 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.111
 encapsulation dot1Q 111
 ip address 192.168.17.1 255.255.255.0 secondary
 ip address 192.168.15.1 255.255.255.0 secondary
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool SDM_POOL_1 172.16.2.50 172.16.2.99
ip local pool SDM_POOL_2 172.16.3.208
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 10.24.62.100 3389 interface GigabitEthernet0/0 33898
ip nat inside source static tcp 10.24.62.101 3389 interface GigabitEthernet0/0 33899
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.24.62.207 80 4.3.2.1 80 extendable
ip nat inside source static tcp 10.24.62.201 444 4.3.2.1 444 extendable
ip nat inside source static tcp 10.94.62.67 9080 4.3.2.1 9080 extendable
ip nat inside source static tcp 10.94.62.67 9082 4.3.2.1 9082 extendable
ip nat inside source static tcp 10.24.62.212 9080 4.3.2.1 80 extendable
ip nat inside source static tcp 10.24.62.212 9082 4.3.2.1 9082 extendable
ip nat inside source static tcp 10.24.62.204 20 4.3.2.1 20 extendable
ip nat inside source static tcp 10.24.62.204 21 4.3.2.1 21 extendable
ip nat inside source static tcp 10.24.62.204 22 4.3.2.1 22 extendable
ip nat inside source static tcp 10.24.62.204 80 4.3.2.1 80 extendable
ip nat inside source static tcp 10.24.62.204 443 4.3.2.1 443 extendable
ip nat inside source static 10.24.62.204 4.3.2.1 extendable
ip nat outside source static 4.3.2.1 10.94.62.65 extendable
ip route 0.0.0.0 0.0.0.0 4.3.2.1
ip route 10.8.8.0 255.255.255.0 Loopback0
ip route 172.16.2.0 255.255.255.0 Loopback0
ip route 192.168.5.0 255.255.255.0 Loopback0
!
ip access-list extended NAT
 remark SDM_ACL Catergory=2
 deny   ip 10.94.62.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 10.94.62.0 0.0.0.255 172.16.3.0 0.0.0.255
 deny   ip 10.94.62.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.24.62.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.94.62.0 0.0.0.255 10.8.8.0 0.0.0.255
 deny   ip 10.24.62.0 0.0.0.255 10.8.8.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 172.16.3.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 172.16.3.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.17.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 192.168.17.0 0.0.0.255 172.16.3.0 0.0.0.255
 deny   ip 192.168.17.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.24.62.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 10.24.62.0 0.0.0.255 172.16.3.0 0.0.0.255
 permit ip any any
ip access-list extended PointtoPoint
ip access-list extended remote
 remark SDM_ACL Category=4
 permit ip 10.94.62.0 0.0.0.255 any
 permit ip 10.24.62.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 192.168.17.0 0.0.0.255 any
 permit ip 192.168.15.0 0.0.0.255 any
ip access-list extended shortel
 remark SDM_ACL Category=4
 permit ip 10.94.62.0 0.0.0.255 any
 permit ip 10.24.62.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 192.168.17.0 0.0.0.255 any
 permit ip 192.168.15.0 0.0.0.255 any
!
access-list 150 permit ip host 1.1.1.1 172.16.2.0 0.0.0.255
access-list 150 permit ip host 1.1.1.1 192.168.5.0 0.0.0.255
access-list 150 permit ip host 1.1.1.1 172.16.3.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT
!
route-map vpn permit 10
 match ip address 150
 set ip default next-hop 4.3.2.2

Hi Jon

You can have a look with the "show crypto" commands to see if the packets are transferred or if there are errors.

Have you tried it with a PC from the Gi0/1 to reach the gateway and other office PCs?

Are the gateways on the clients set properly?

HTH
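Added example, not part of this thread: before reaching for "show crypto", it helps to know which of the three policies in the posted config a given flow actually hits, the NAT ACL (translate or exempt), the crypto map's match ACL "shortel" (interesting traffic), and ACL 150 behind the "vpn" route-map on Loopback0. The script below evaluates those ACLs with IOS first-match semantics and the implicit deny; the ACL text is copied from the config above (only the entries the test flows can hit), and the flows are the ones from the question.

```python
import ipaddress

# ACL entries copied from the posted config; the router's ACLs are longer,
# but the first-match rule below is the same regardless of length.
NAT_ACL = """
deny   ip 10.24.62.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   ip 10.24.62.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip any any
"""
CRYPTO_ACL = """
permit ip 10.24.62.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
"""
PBR_ACL = """
permit ip host 1.1.1.1 192.168.5.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard: 0 bits must match, so invert it to get a netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(permit?, src_net, dst_net)] for an extended ACL's 'ip' entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, rest = _parse_addr(tokens[2:])   # tokens[1] is the protocol ("ip")
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0] == "permit", src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((permit for permit, src, dst in entries if s in src and d in dst), False)

def classify(src_ip, dst_ip):
    """Which policies a flow hits: NAT (translated?), crypto-map match, route-map vpn."""
    return {"natted": acl_permits(parse_acl(NAT_ACL), src_ip, dst_ip),
            "crypto_match": acl_permits(parse_acl(CRYPTO_ACL), src_ip, dst_ip),
            "pbr_match": acl_permits(parse_acl(PBR_ACL), src_ip, dst_ip)}
```

Call classify("10.24.62.1", "192.168.5.50") for the failing ping and compare it with a flow sourced from the loopback address 1.1.1.1, which is the only source the "vpn" route-map policy-routes; a flow that is NAT-exempt and matches the crypto ACL but is not policy-routed, or the reverse, is the mismatch to look for in the "show crypto" counters.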
