Cisco Support Community

New Member

site-to-site VPN tunnel

We created a VPN tunnel between our head office and a remote branch. We can ping the outside interface of the remote branch PIX and vice versa. The problem we have now is we can't ping the remote branch's subnet.

Here are the configs we're using on the head office firewall.

crypto ipsec transform-set Fiji esp-3des esp-sha-hmac
crypto map bsp002 7 ipsec-isakmp
crypto map bsp002 7 match address 170
crypto map bsp002 7 set pfs group2
crypto map bsp002 7 set peer 202.165.201.226
crypto map bsp002 7 set transform-set Fiji
crypto map bsp002 7 set security-association lifetime seconds 3600 kilobytes 8000
isakmp key ******** address 202.165.201.226 netmask 255.255.255.255 no-xauth no-config-mode
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0

It's the same network. We only want the remote branch subnet to have access to the head office subnet.

What are we missing? Please help.

14 REPLIES
Green

Re: site-to-site VPN tunnel

Do you have a NAT exemption for the VPN? Something similar to...

access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Cisco Employee

Re: site-to-site VPN tunnel

Hi,

First of all, does the tunnel come up? If not, did you try to capture the debugs and what do they say? Could you post the complete configs of the headoffice and branchoffice firewalls?

Regards,

Kamal

New Member

Re: site-to-site VPN tunnel

I could ping the outside interface of the branch office. I ran the debug but wasn't too sure how to capture it. I'll get the configs of both firewalls and post them.

thanks

pintz6es

Green

Re: site-to-site VPN tunnel

With the above config, the outside interface of the remote branch PIX would not be part of the tunnel. The fact that you can ping it only proves you have connectivity to it.

New Member

Re: site-to-site VPN tunnel

Hi

Not too sure on this. How do I know the tunnel is up?

New Member

Re: site-to-site VPN tunnel

Hi

What does the NAT exemption do? I don't have this on either the head office firewall or the branch office firewall. Do I include it as you've got it here?

Green

Re: site-to-site VPN tunnel

There are two ACLs in a LAN-to-LAN tunnel. One, which you have already specified, is the crypto ACL, which defines the traffic destined for the tunnel. The second is the NAT exemption ACL, which exempts that traffic from the NAT process. In most cases it is identical to the crypto ACL.

Headoffice:

access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound

RemoteOffice:

access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound

New Member

Re: site-to-site VPN tunnel

Will the nat (inside) 0 specified here have any effect on the other existing NATs on the firewall?

Green

Re: site-to-site VPN tunnel

The nat 0 will only apply to the traffic specified in the corresponding ACL, for instance traffic from 192.168.32.0 to 192.168.45.0 and vice versa.

Cisco Employee

Re: site-to-site VPN tunnel

It might, if you have another NAT exemption ACL: if you implement what Adam said, it might break the old ones, if you have anything configured for NAT exemption on them.

If you already have a NAT exemption ACL, please add the networks to the existing NAT exemption, just as Adam said.

Hope this helps.

Thanks

Gilbert

New Member

Re: site-to-site VPN tunnel

So if I already have a nat 0 in the configs, can I specify another sequence number, like 2, for this particular ACL?

Green

Re: site-to-site VPN tunnel

Yes, you can add to the existing ACL. But what Gilbert was getting at is that you DO NOT want to create a second nat 0 ACL and attempt to do another nat (inside) 0 command.
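The two rules the thread has arrived at, mirrored crypto ACLs with a matching NAT exemption on each side (Adam's head office / remote office pair above) and a single nat (inside) 0 statement per firewall (this last exchange), are easy to get wrong when the branch config is copied from the head office rather than mirrored. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses both PIX 6.x configs and reports exactly those mistakes. It assumes the explicit `access-list NAME permit ip NET MASK NET MASK` form the thread uses (no `any`, no object groups) and the PIX 6.x `nat (inside) 0 access-list NAME` syntax; the embedded configs are constructed from the lines posted in the thread, and the "copied, not mirrored" branch variant is a hypothetical mistake.

```python
"""Cross-check both ends of a PIX 6.x LAN-to-LAN tunnel for the crypto ACL
and NAT exemption ACL. Added example; not the thread's or Cisco's code.
Assumes explicit net/mask ACL entries and 'nat (inside) 0 access-list NAME'."""
import ipaddress
import re
from dataclasses import dataclass

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"^access-list (\S+) permit ip {IP} {IP} {IP} {IP}$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self):
        """The entry the peer must carry: source and destination swapped."""
        return Ace(self.dst, self.src)

    def covers(self, other):
        """True if this (exemption) entry includes all of other's traffic."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


def _net(addr, mask):
    # PIX writes masks in dotted form; ipaddress accepts "net/mask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acl entries by name, crypto-map ACL names, nat 0 statements)."""
    acls, crypto, nat0 = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m[1], []).append(Ace(_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := MATCH_RE.match(line):
            crypto.append(m[1])
        elif m := NAT0_RE.match(line):
            nat0.append((m[1], m[2]))
    return acls, crypto, nat0


def crypto_entries(acls, crypto):
    return {ace for name in crypto for ace in acls.get(name, [])}


def check_side(label, config):
    """Findings for one firewall: nat (inside) 0 present, unique, covering the crypto ACL."""
    acls, crypto, nat0 = parse(config)
    findings = []
    inside = [acl for iface, acl in nat0 if iface == "inside"]
    if not inside:
        findings.append(f"{label}: no 'nat (inside) 0 access-list' statement")
    elif len(inside) > 1:
        findings.append(f"{label}: {len(inside)} 'nat (inside) 0' statements; keep one ACL and add entries to it")
    exempt = [ace for acl in inside for ace in acls.get(acl, [])]
    for ace in crypto_entries(acls, crypto):
        if not any(e.covers(ace) for e in exempt):
            findings.append(f"{label}: crypto entry {ace.src} -> {ace.dst} is not NAT-exempted")
    return findings


def check_pair(head, branch):
    """All findings for a tunnel pair; an empty list means both configs agree."""
    findings = check_side("head", head) + check_side("branch", branch)
    head_crypto = crypto_entries(*parse(head)[:2])
    branch_crypto = crypto_entries(*parse(branch)[:2])
    for ace in head_crypto - {b.mirror() for b in branch_crypto}:
        findings.append(f"head crypto entry {ace.src} -> {ace.dst} has no mirror on branch")
    for ace in branch_crypto - {h.mirror() for h in head_crypto}:
        findings.append(f"branch crypto entry {ace.src} -> {ace.dst} has no mirror on head")
    return findings


# Constructed configs built from the lines posted in the thread.
HEAD_AS_POSTED = """
crypto map bsp002 7 match address 170
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
"""
HEAD_FIXED = HEAD_AS_POSTED + """
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
BRANCH_FIXED = """
crypto map bsp002 7 match address 170
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Hypothetical mistake: branch ACLs copied from the head office instead of mirrored.
BRANCH_COPIED = BRANCH_FIXED.replace("192.168.45.0 255.255.255.0 192.168.32.0",
                                     "192.168.32.0 255.255.255.0 192.168.45.0")

if __name__ == "__main__":
    for label, pair in (("as posted", (HEAD_AS_POSTED, BRANCH_FIXED)),
                        ("fixed", (HEAD_FIXED, BRANCH_FIXED)),
                        ("branch copied, not mirrored", (HEAD_FIXED, BRANCH_COPIED))):
        print(f"{label}: {check_pair(*pair) or 'OK'}")
```

Run against the head office config as originally posted, the checker reports that there is no nat (inside) 0 statement and that the crypto entry is not NAT-exempted; with Adam's two lines added on each side it reports nothing. The coverage test uses subnet containment rather than exact equality, so an existing broader exemption entry (which Gilbert's advice about extending an existing ACL can produce) still counts as covering the tunnel traffic.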

Cisco Employee

Re: site-to-site VPN tunnel

Thanks for clarifying Adam :)

Cheers

Gilbert

Green

Re: site-to-site VPN tunnel

No problem. 5 points for pointing that out.
