site-to-site VPN tunnel

bipot
Level 1

We created a VPN tunnel between our head office and a remote branch. We can ping the outside interface of the remote branch PIX and vice versa. The problem we have now is we can't ping the remote branch's subnet.

Here are the configs we're using on the head office firewall.

crypto ipsec transform-set Fiji esp-3des esp-sha-hmac
crypto map bsp002 7 ipsec-isakmp
crypto map bsp002 7 match address 170
crypto map bsp002 7 set pfs group2
crypto map bsp002 7 set peer 202.165.201.226
crypto map bsp002 7 set transform-set Fiji
crypto map bsp002 7 set security-association lifetime seconds 3600 kilobytes 8000
isakmp key ******** address 202.165.201.226 netmask 255.255.255.255 no-xauth no-config-mode
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0

It's the same network. We only want the remote branch subnet to have access to the head office subnet.

What are we missing? Please help.

14 Replies

acomiskey
Level 10

Do you have a NAT exemption for the VPN? Something similar to...

access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Hi,

First of all, does the tunnel come up? If not, did you try to capture the debugs, and what do they say? Could you post the complete configs of the head office and branch office firewalls?

Regards,

Kamal

I could ping the outside interface of the branch office. I ran the debug but wasn't too sure how to capture it. I'll get the configs of both firewalls and post them.

Thanks

pintz6es

With the above config, the outside interface of the remote branch PIX would not be part of the tunnel. The fact that you can ping it only proves you have connectivity to it.

Hi,

Not too sure on this. How do I know the tunnel is up?

Hi,

What does the NAT exemption do? I don't have this on either the head office firewall or the branch office firewall. Do I include it as what you've got here?

There are 2 ACLs in a LAN-to-LAN tunnel. One, which you have already specified, is the crypto ACL, which defines traffic destined for the tunnel. The second is the NAT exemption ACL, which exempts that traffic from the NAT process. In most cases it is identical to the crypto ACL.

Head office:

access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound

Remote office:

access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound

Will the nat (inside) 0 specified here have any effect on the other existing NATs on the firewall?

The nat 0 will only apply to the traffic which is specified in the corresponding ACL. For instance, traffic from 192.168.32.0 to 192.168.45.0 and vice versa.

It might, if you have another NAT exemption ACL: if you implement what Adam said, it might break the old ones, if you have anything configured for NAT exemption on the old ones.

If you already have a NAT exemption ACL, please add the networks just like Adam said to the existing NAT exemption.

Hope this helps.

Thanks

Gilbert

So if I already have a nat 0 in the configs, can I specify another sequence number, like 2, for this particular ACL?

Yes, you can add to the existing ACL. But what Gilbert was getting at is you DO NOT want to create a second nat 0 ACL and attempt to do another nat (inside) 0 command.
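To tie together the two-ACL explanation above and the warning about a second nat (inside) 0 line, here is an added checker script (not from this thread or from Cisco) that parses the relevant PIX lines from both ends and reports the three mistakes discussed: crypto-ACL traffic with no matching NAT exemption, crypto ACLs that are not mirrored on the peer, and more than one nat (inside) 0 access-list command. The sample configs are constructed from the lines posted in this thread; the PIX 6.x syntax is assumed as shown by the replies.

```python
import re
from ipaddress import IPv4Network

# Constructed sample configs (only the lines relevant to the tunnel).
HEADOFFICE = """
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map bsp002 7 match address 170
"""
REMOTE = """
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
crypto map bsp002 7 match address 170
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(cfg):
    """Collect ACL entries as (src, dst) network pairs, nat 0 ACL names and crypto ACL names."""
    acls, nat0, crypto = {}, set(), set()
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := MATCH_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto

def check_tunnel(local_cfg, remote_cfg):
    """Return a list of problems found on the local side of a LAN-to-LAN tunnel."""
    problems = []
    l_acls, l_nat0, l_crypto = parse(local_cfg)
    r_acls, _, r_crypto = parse(remote_cfg)
    l_pairs = set().union(*(l_acls.get(n, set()) for n in l_crypto))
    r_pairs = set().union(*(r_acls.get(n, set()) for n in r_crypto))
    exempt = set().union(*(l_acls.get(n, set()) for n in l_nat0))
    if len(l_nat0) > 1:  # the thread's warning: only one nat (inside) 0 access-list command
        problems.append("more than one 'nat (inside) 0 access-list' line: " + ", ".join(sorted(l_nat0)))
    for src, dst in sorted(l_pairs - exempt, key=str):  # tunnel traffic that would still be NATed
        problems.append(f"crypto traffic {src} -> {dst} is not NAT-exempted")
    for src, dst in sorted(l_pairs, key=str):  # peer's crypto ACL must be the mirror image
        if (dst, src) not in r_pairs:
            problems.append(f"peer has no mirrored crypto ACL entry for {dst} -> {src}")
    return problems
```

Running check_tunnel(REMOTE, HEADOFFICE) reproduces the thread's situation: the remote side has a crypto ACL but no NAT exemption.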

Thanks for clarifying Adam :)

Cheers

Gilbert

No problem. 5 points for pointing that out.
