Multi Client VPNs with Overlapping Networks

toddmanger (Level 1)

I have a need to have several L2L vpns to different clients.  I have built the vpns under a single crypto map, but an issue has come up.

One of my clients requires me to NAT my inside address to my public address as he shares the same LAN subnet as I do.

Another of my clients shares the same subnet and wants me to NAT my internal IP to a specific subnet address within the same network.

How do I accomplish this?  I basically need to NAT my inside 10.10.x.x network for client B to 10.129.x.x.

I assume I will be using NAT (ip nat inside source static network 10.10.x.x 10.129.x.x /24), but is there any way to specify this NAT statement for only this customer?  I assume any new customers will require similar juggling.

TIA

41 Replies

OK, I took a chance and no joy on either tunnel.

I could not ping either host and the tunnels would not come up.

OK.  Below is the current config.  After loading this, I could not ping either VPN from the router or the desktop. Both return "Destination net unreachable".  Thoughts?


!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 GHdsI2^hE@lthD address 206.17.98.20
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MEDSOLUTIONS-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address HEDI-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS-VPN
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.210.58.197 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map HEDI interface FastEthernet0/1 overload
ip nat inside source route-map MEDSOLUTIONS-NAT-ACL pool MEDSOLUTIONS
!
ip access-list extended HEDI-CRYPTO-ACL
permit ip any 206.17.98.0 0.0.0.255
ip access-list extended HEDI-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 12.195.64.0 0.0.0.255
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map HEDI permit 10
match ip address HEDI-NAT-ACL
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Basically, Peer 1 (VPN 1) needs my internal address NAT'd to my public address prior to being encrypted, and currently it is working the way it is set up.  Of course, the permit ip any any guarantees that, but also excludes getting the second tunnel properly set up.

So, for VPN1:

ip access-list extended NAT_VPN_1
  permit ip 10.10.10.0 0.0.0.255 REMOTE_LAN

route-map VPN_1
  match ip address NAT_VPN_1
  set ip next-hop x.x.x.x

ip nat inside source route-map VPN_1 interface FastEthernet0/1 overload

ip access-list extended crypto1
  permit ip host OUTSIDE_IP REMOTE_LAN

The above configuration will NAT the traffic from 10.10.10.0/24 to the outside public IP of the router ONLY when going to the REMOTE_LAN.

Peer 2 (VPN 2) needs to have my internal address NAT'd to 10.139.40.0 prior to being encrypted and sent to his network.  The only host in his network that I need to talk to is 10.10.131.63.

ip access-list extended NAT_VPN_2
  permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

route-map VPN_2
  match ip address NAT_VPN_2
  set ip next-hop x.x.x.x

ip nat pool newpool 10.139.40.1 10.139.40.254 netmask 255.255.255.0
ip nat inside source route-map VPN_2 pool newpool

ip access-list extended crypto2
  permit ip 10.139.40.0 0.0.0.255 REMOTE_LAN

The above configuration will NAT 10.10.10.0/24 to 10.139.40.0/24 when going to 10.10.131.63.

Please check the configuration to see if it meets what you need.

Federico.

Hi again,

I am having no luck with this...should be easy.  Here is the config, but the tunnel never comes up.  A fresh pair of eyes is greatly appreciated. 


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10

crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Based on your last post...


We're trying the tunnel to 12.195.64.10

The first thing that should happen is that when the internal LAN 10.10.10.0/24 sends traffic to the remote LAN, it should be NATed to 10.129.40.0/24:

ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL

ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS

Change the pool because it cannot start with IP 10.129.40.0 (that's the network address,
should start with 10.129.40.1)

Then, the crypto ACL:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10

The crypto ACL should define the interesting traffic.
The destination should not be the other peer's public IP.
The destination should be the other end's internal LAN (the network on the inside side of the router).

Federico.
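The two points made in this thread so far (policy NAT via a route-map, then a crypto ACL that must describe the post-NAT source and the remote LAN, not the peer's public IP) can be modelled as the IOS inside-to-outside order of operations, where NAT runs before the crypto map check. This is an added illustration, not configuration from the thread; the addresses are the thread's, and the sequential pool allocation is an assumption made for the model.

```python
import ipaddress

# Added model (not from the thread) of the IOS inside-to-outside order of
# operations: policy NAT via route-map runs first, then the crypto ACL is
# checked against the already-translated packet. Addresses are the thread's.
def permit(src, dst):
    """One 'permit ip SRC DST' entry as a pair of networks."""
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)

def matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

# NAT ACL from the thread: only traffic for the single remote host is translated.
NAT_ACL = [permit("10.10.10.0/24", "10.10.131.63/32")]
POOL = ipaddress.ip_network("10.129.40.0/24")
# Crypto ACL as first posted (destination = peer's public IP) and as corrected
# (destination = the remote host behind the peer).
CRYPTO_ACL_PEER_IP = [permit("10.129.40.0/24", "12.195.64.10/32")]
CRYPTO_ACL_REMOTE_LAN = [permit("10.129.40.0/24", "10.10.131.63/32")]

def policy_nat(src, dst, nat_acl, pool, table):
    """Model 'ip nat inside source route-map ... pool ...'.
    Translate only flows the route-map ACL permits; hand out pool addresses
    in order (an assumption of this model). pool.hosts() starts at .1, so the
    network address 10.129.40.0 that the posted pool started with is never used."""
    if not matches(nat_acl, src, dst):
        return src
    if src not in table:
        table[src] = list(pool.hosts())[len(table)]
    return table[src]

def forward(src, dst, nat_acl, crypto_acl, pool=POOL, table=None):
    """Return (post-NAT source, encrypted?) for one inside-to-outside packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    table = {} if table is None else table
    nat_src = policy_nat(src, dst, nat_acl, pool, table)
    # The crypto ACL sees the translated source, so it must name the pool,
    # and the destination is the real inside host, never the peer's WAN IP.
    return str(nat_src), matches(crypto_acl, nat_src, dst)

if __name__ == "__main__":
    for acl in (CRYPTO_ACL_PEER_IP, CRYPTO_ACL_REMOTE_LAN):
        print(forward("10.10.10.68", "10.10.131.63", NAT_ACL, acl))
```

With the peer-IP crypto ACL the packet is translated but never marked for encryption, which is exactly the "translation exists, tunnel never comes up" symptom.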

Thank you and great catch......made the changes and still no joy.

Time to follow the path of the packet to see where is the failure...

Send packets from the machine on 10.10.10.x to the remote LAN.
The packets should get NATed - check this with ''sh ip nat trans'' and look for the source IP 10.10.10.x.
If you see the translation getting built, then you should see the packet getting encrypted in ''sh cry ips sa''.

From this, let's determine if the problem is with NAT or with encryption.

Federico.

It looks like the translations are correct, but the tunnel still does not come up.  I even replaced all the ACLs with a permit any any (as this is now the only VPN on this router).

RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.129.40.2:500    173.210.58.198:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

Here is my current config:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tmanger privilege 15 secret 5 $1$9DgB$JABFxEuNr0GzK71L.DNJ9.
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address 101
!
!
!
!
interface Loopback0
ip address 10.129.40.2 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip route 10.10.131.0 255.255.255.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat inside source route-map MEDSOLUTIONS interface Loopback0 overload
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
access-list 101 permit ip any any
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
!
end

We still have the crypto ACL incorrect.

ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10

Instead of 12.195.64.10 (which is the public IP of the VPN peer), you need to define the REMOTE_LAN

What I mean with REMOTE_LAN is the internal subnet that you want to be able to access through the tunnel.

And please post the translation ''sh ip nat trans'' when sending a packet from 10.10.10.x to an IP belonging to the REMOTE_LAN

The translation that you attached is an ISAKMP connection.

Federico.

If you look at the config, although I left the definitions for MED* there, I basically changed it all to access list 101.

For the NAT translations, I pinged the inside far network (10.10.131.63) from 10.10.10.40 and then on the router did a sh ip nat trans, and that was the output.

Here is the output after pinging from 10.10.10.x to 10.10.131.63.....see the first line

RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.129.40.2:1     10.10.10.68:1      10.10.131.63:1     10.10.131.63:1
udp 10.129.40.2:500    173.210.58.197:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

OK,
The 10.10.10.68 is being NATed to 10.129.40.2 when going to 10.10.131.63.
This is what you want, correct?

Don't use a permit ip any any as an ACL to NAT (just define the local subnet instead of any)


I still see the crypto ACL as wrong; this is the line I'm referring to:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
You see what I'm saying?

Also, why is 173.210.58.197 being NATed to 10.249.40.2 when going to 12.195.64.10?
Who is 173.210.58.197? This is ISAKMP traffic being NATed to the remote peer.
The tunnel should be established between 173.210.58.198 and 12.195.64.10.

Please post your current NAT and crypto ACLs.

Federico.
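The translation table above tells the story if read row by row: the icmp row is the LAN host landing in the pool as intended, while the udp row shows a non-LAN source on port 500 (ISAKMP) being translated, which is what a permit ip any any NAT ACL produces. The following is an added check, not from the thread, that parses ''sh ip nat trans'' output and flags such rows; the sample output is the two lines posted above, and the LAN and pool ranges are taken from the thread.

```python
import ipaddress

# Added check (not from the thread): parse 'show ip nat translations' output
# and flag translations that should not exist. SAMPLE is constructed from the
# two lines posted in the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.129.40.2:1     10.10.10.68:1      10.10.131.63:1     10.10.131.63:1
udp 10.129.40.2:500    173.210.58.197:500 12.195.64.10:500   12.195.64.10:500
"""

INSIDE_LAN = ipaddress.ip_network("10.10.10.0/24")
NAT_POOL = ipaddress.ip_network("10.129.40.0/24")

def endpoint(text):
    """'10.10.10.68:1' -> (IPv4Address, 1)."""
    ip, _, port = text.rpartition(":")
    return ipaddress.ip_address(ip), int(port)

def parse_translations(output):
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": endpoint(ig),
                     "inside_local": endpoint(il), "outside_local": endpoint(ol),
                     "outside_global": endpoint(og)})
    return rows

def audit(rows, inside_lan=INSIDE_LAN, pool=NAT_POOL):
    """Return (inside_local, reason) for every row that is not a LAN host
    being translated into the expected pool."""
    findings = []
    for r in rows:
        il_ip, il_port = r["inside_local"]
        ig_ip, _ = r["inside_global"]
        if il_ip not in inside_lan:
            # A source outside the LAN hit the NAT rule: the NAT ACL is too broad.
            # UDP/500 or UDP/4500 means it is the IKE control channel itself.
            what = ("ISAKMP/NAT-T control traffic"
                    if r["proto"] == "udp" and il_port in (500, 4500) else "non-LAN source")
            findings.append((str(il_ip), f"{what} is being translated: NAT ACL matches more than the inside LAN"))
        elif ig_ip not in pool:
            findings.append((str(il_ip), f"translated to {ig_ip}, outside pool {pool}"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_translations(SAMPLE)):
        print(*finding)
```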

I altered what you indicated and went away from any any:

Here are the current crypto and nat acls:

ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

Your first statement is correct:  That is what I want.

I changed the crypto acl to the corrected info.  Does my NAT acl (above) look correct?

173.210.58.198 is my outside public interface.

Looks a lot better now ;-)

Now, we know the translation is taking place correctly.

After that, the encryption should kick in...

Please post now the ''sh cry ips sa''

Federico.
