
Site to Multi Site VPN thru NAT

I have already configured a site-to-multi-site VPN in my Packet Tracer, and always only one site can connect successfully while the other site cannot. Here is the result from isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
212.76.68.1     172.21.6.1      MM_SA_SETUP          0    0 ACTIVE
109.63.62.1     172.21.6.1      QM_IDLE           1050    0 ACTIVE

>>>>> Configuration of my Main Office Router:

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 109.63.62.1
crypto isakmp key cisco address 212.76.68.1
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
! single map entry carrying all three peers and one shared crypto ACL
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.20.21.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN_Map
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip nat inside source list NAT1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
! crypto ACL: all three remote LANs in one list
ip access-list extended NAT_Group
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT exemption: VPN-bound traffic is denied before the overload PAT
ip access-list extended NAT1
 deny ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended NAT
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended NAT2
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

4 REPLIES

Site to Multi Site VPN thru NAT

When you have multiple peers in the same crypto map, they act as backups for each other; if one answers and establishes an SA, the router doesn't try the others.

Each site-to-site tunnel should have its own crypto map entry:

crypto map VPN_Map 1 ipsec-isakmp
crypto map VPN_Map 2 ipsec-isakmp
...

Patrick


Site to Multi Site VPN thru NAT

Dear Mr. Patrick,

thank you for your reply.

So you advise that for the Core Office I must have a separate crypto map for each site, like the sample below?

crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group

Site to Multi Site VPN thru NAT

Same crypto map, different entries, yes.

You can only apply one crypto map per interface.

You also need a different access-list for each entry.

Example: core = 10.1.1.0/24, site 1 = 10.1.31.0/24, site 2 = 10.1.32.0/24.

ACL VPN1: permit 10.1.1.0/24 -> 10.1.31.0/24, applied to the corresponding map entry.

ACL VPN2: permit 10.1.1.0/24 -> 10.1.32.0/24, applied to the other map entry.

Patrick
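The core-office crypto section rewritten the way the reply above describes, as an added example that is not Patrick's or the original poster's configuration. It keeps the poster's own peers, subnets, transform set and key, and puts one peer and one crypto ACL in each map entry. The thread never says which remote LAN sits behind which peer, so the pairing of 192.168.0.0/24, 10.72.139.0/24 and 192.168.1.0/24 with the three peers, and the ACL names VPN_SITE1..3, are assumptions made here for illustration:

```ios
! Added example (not the thread's own config). Peer-to-LAN pairing is an assumption.
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 212.76.68.1
crypto isakmp key cisco address 109.63.62.1
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
! One crypto ACL per peer, each naming only that site's LAN (pairing assumed)
ip access-list extended VPN_SITE1
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended VPN_SITE2
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended VPN_SITE3
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! One map entry per peer: a single set peer and its own match address,
! so no entry treats the other sites as backup peers
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address VPN_SITE1
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address VPN_SITE2
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address VPN_SITE3
!
! NAT exemption stays a single list: VPN-bound traffic is denied before the
! overload PAT so the crypto ACLs still see the original 172.20.21.0/24 source
ip access-list extended NAT1
 deny   ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip nat inside source list NAT1 interface FastEthernet0/1 overload
!
! The single WAN interface carries the one crypto map that holds all entries
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 crypto map VPN_Map
```

Only one crypto map is ever applied to the interface, which is why a single WAN interface is enough: VPN_Map is one map with three sequence numbers. Each branch still needs the mirror image on its side (its own LAN to 172.20.21.0/24 in its crypto ACL, and a set peer pointing at the address the core is seen as from the Internet). Since 172.21.6.1 is a private address, the core reaches its peers through an upstream NAT device, so that device must pass UDP 500 and UDP 4500 (NAT-T) for the tunnels to come up; whether Packet Tracer models that is not something the thread confirms. To check the result, send traffic to each remote LAN and run show crypto map, show crypto isakmp sa and show crypto ipsec sa: one QM_IDLE ISAKMP entry per peer is the expected outcome.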


Site to Multi Site VPN thru NAT

Okay, I will create a separate ACL for each map entry... but my only problem is that I am only using one interface for WAN in my core office....
