Cisco Support Community

New Member

site-to-site vpn

Hi, I can't get my site-to-site VPN to work. When I try to generate traffic from one internal host to another, the traffic never arrives.

Traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.180 -> internet -> 79.136.112.50 -> 192.168.1.5

If the IP addresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to the outside IP address of that firewall, right?

For example: route outside 192.168.100.0 255.255.255.0 213.136.41.180 1

One of my 5505s:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.200.2 8080 netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.200.2 www netmask 255.255.255.255
access-group 8080_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.180 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.180
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.180 type ipsec-l2l
tunnel-group 213.136.41.180 ipsec-attributes
 pre-shared-key *

The other one:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 79.136.112.50 type ipsec-l2l
tunnel-group 79.136.112.50 ipsec-attributes
 pre-shared-key *

2 REPLIES
Green

Re: site-to-site vpn

"If the IP addresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to the outside IP address of that firewall, right?"

-NO

Add NAT exemption to the ASAs.

First ASA:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Second ASA:

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
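The reply fixes the usual pre-8.3 ASA mistake: without a nat 0 exemption, the interface PAT in "nat (inside) 1" rewrites the source address before the crypto map sees the packet, so the traffic never matches the crypto ACL. A small added checker (not part of this thread or any Cisco tool) that parses the relevant lines of two ASA 8.2-style configs and confirms, first, that every subnet pair in the crypto ACL is also NAT-exempt on that box and, second, that the two peers' crypto ACLs are exact mirror images; the ASA_A and ASA_B fragments are constructed to resemble the two firewalls above.

```python
import re

# Constructed ASA 8.2-style fragments modelled on the thread: ASA_A has the reply's
# NAT exemption applied, ASA_B does not yet (only the lines the checks need).
ASA_A = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map abcmap 1 match address l2l_list
"""
ASA_B = """
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map abcmap 1 match address l2l_list
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_RE = r"^crypto map \S+ \d+ match address (\S+)$"   # crypto ACL name
NAT0_RE = r"^nat \(\S+\) 0 access-list (\S+)$"            # NAT-exemption ACL name

def parse_acls(config: str) -> dict:
    """Map each ACL name to its (src, src_mask, dst, dst_mask) permit-ip entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls

def first_match(pattern: str, config: str):
    m = re.search(pattern, config, re.M)      # first line matching, or None
    return m.group(1) if m else None

def check_local(config: str) -> list:
    """Every crypto-ACL pair must also be NAT-exempt, else PAT rewrites the source first."""
    acls = parse_acls(config)
    cacl, nacl = first_match(CRYPTO_RE, config), first_match(NAT0_RE, config)
    if cacl is None:
        return ["no crypto map match address"]
    if nacl is None:
        return ["no nat 0 access-list (NAT exemption missing)"]
    return [f"{s}/{sm} -> {d}/{dm} in {cacl} but not in {nacl}"
            for (s, sm, d, dm) in acls.get(cacl, []) if (s, sm, d, dm) not in acls.get(nacl, [])]

def check_mirror(config_a: str, config_b: str) -> list:
    """Each crypto-ACL pair on A must appear on B with source and destination swapped."""
    a = parse_acls(config_a).get(first_match(CRYPTO_RE, config_a), [])
    b = parse_acls(config_b).get(first_match(CRYPTO_RE, config_b), [])
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in b}
    return [f"{p} has no mirror on peer" for p in a if p not in mirrored]
```

Running check_local on both fragments flags ASA_B as still missing its nat 0 exemption, while check_mirror confirms the two crypto ACLs already agree.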

New Member

Re: site-to-site vpn

Thanks, it works now!
