Site to Multi Site VPN thru NAT

Jackong
Level 1

I have already configured site-to-multi-site VPN in my Packet Tracer, and always only 1 site can connect successfully and the other site cannot continue. Here is the result from isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
212.76.68.1     172.21.6.1      MM_SA_SETUP          0    0 ACTIVE
109.63.62.1     172.21.6.1      QM_IDLE           1050    0 ACTIVE

Configuration of my Main Office router:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 109.63.62.1
crypto isakmp key cisco address 212.76.68.1
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.20.21.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN_Map
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip nat inside source list NAT1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip access-list extended NAT_Group
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT1
 deny ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended NAT
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended NAT2
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

4 Replies

When you have multiple peers in the same crypto map, they act as backups for each other; if one answers and establishes an SA, the router doesn't try the others...

Each site-to-site should have its own crypto map entry:

crypto map VPN_Map 1 ipsec-isakmp
crypto map VPN_Map 2 ipsec-isakmp...

Patrick

Dear Mr. Patrick,

Thank you for your reply.

So you advise that for the Core Office I must have a separate crypto map for each site? Like this sample below?

crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group

Same crypto map, different entries, yes.

You can only apply 1 crypto map per interface...

You need a different access-list for each entry also.

Example: core = 10.1.1.0/24
site 1 = 10.1.31.0/24
site 2 = 10.1.32.0/24

acl VPN1 permit 10.1.1.0/24 10.1.31.0/24, applied to the corresponding map entry
acl VPN2 permit 10.1.1.0/24 10.1.32.0/24, applied to the other map entry...

Patrick
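The two mistakes Patrick points out (several `set peer` lines in one crypto map entry, and one ACL reused by several entries) are easy to check for before pushing a config. The linter below is an added example, not code from the thread or from Cisco; it parses the `crypto map` blocks out of IOS config text and reports both conditions. The two config samples are constructed here: the first mirrors the original single-entry layout, the second the one-entry-per-peer layout Patrick describes.

```python
import re

# Constructed samples: the thread's single entry with three peers, and the corrected
# layout with one entry and one ACL per peer (ACL names VPN1/VPN2 are Patrick's example).
BAD_CONFIG = """\
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
"""
GOOD_CONFIG = """\
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address VPN1
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address VPN2
"""

def parse_crypto_map(config):
    """Return {(map_name, seq): {'peers': [...], 'acl': name}} from IOS config text."""
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:  # start of a new crypto map entry
            current = (m.group(1), int(m.group(2)))
            entries[current] = {"peers": [], "acl": None}
        elif current and line.startswith("set peer "):
            entries[current]["peers"].append(line.split()[2])
        elif current and line.startswith("match address "):
            entries[current]["acl"] = line.split()[2]
        elif not line.startswith(("set ", "match ")):
            current = None  # any other top-level line ends the crypto map block
    return entries

def lint_crypto_map(config):
    """Flag crypto map entries that will not give one tunnel per remote site."""
    entries, findings, acl_users = parse_crypto_map(config), [], {}
    for (name, seq), e in entries.items():
        label = f"{name} {seq}"
        if len(e["peers"]) > 1:  # extra peers are backups, not extra tunnels
            findings.append(f"{label}: {len(e['peers'])} peers in one entry; only one SA forms")
        if e["acl"]:
            acl_users.setdefault(e["acl"], []).append(label)
    for acl, users in acl_users.items():
        if len(users) > 1:  # same interesting-traffic ACL on several entries
            findings.append(f"ACL {acl} shared by {', '.join(users)}; each entry needs its own ACL")
    return findings
```

Running `lint_crypto_map(BAD_CONFIG)` returns one finding for the three-peer entry, while the corrected layout returns an empty list.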

Okay, I will create a separate ACL for each map... but my only problem is I am only using 1 interface for WAN in my core office....
