New Member

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Hello,

I have 3 Cisco 800 series routers and I needed to configure a site-to-site VPN tunnel from branch2 to the main office (the branch1 VPN was already configured and working). I've managed to get the tunnel up and everything seemed OK, as sh cry isa sa, sh cry session and sh cry ipsec sa didn't seem to show any problems. Although the tunnel is up, I cannot ping PCs on either side of the VPN tunnel. Does anyone have any idea what the problem can be?

I understand that there isn't enough information, but just ask me what you need and I'll send out more.

Thanks in advance.

8 REPLIES
Hall of Fame Super Bronze

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Let's see the router configs from the branch and main office.

Can you ping from the branch router internal interface to the main office subnet?

Can you do the same in the opposite direction?

What's the result?

You need to execute an extended ping for that.

New Member

Re: Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Hello,

Thanks for your quick response,

I added the main office config and the branch2 config in the attachment below. Also, I cannot ping from the branch router internal interface to the main office subnet, and that goes both ways.

What do you mean by "You need to execute an extended ping for that."?

Thank you.

Purple

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Hi,

To test it from the main router you have to do it like this:

ping 10.9.6.x source 10.9.8.x

That's what was meant by extended ping: you have to use interesting traffic (declared in your crypto ACL); otherwise it won't even get encrypted, it will get NATed instead, so it won't work.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Hi,

Thanks for the quick response,

I tried to ping from both routers, but no ping went through. I used the command 'ping 10.9.6.1 source 10.9.8.254' and vice versa.

Hall of Fame Super Bronze

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Your traffic from HQ to Remote is being NAT'd:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

You must have:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

New Member

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Thanks for the response,

I wondered about that myself and went ahead with the changes.

Still can't get the ping through.

It now looks like:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

Hall of Fame Super Bronze

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Looking at your config once again, from the HQ router you have ip nat inside|outside on the interfaces but you don't have a global ip nat command indicating what to translate; you should correct that.

Additionally, you've configured overlapping subnets.

interface GigabitEthernet0
 ip address 194.200.30.10 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 10
 crypto map SDM_CMAP_1
!
interface Vlan2
 description Guest
 ip address 194.200.30.50 255.255.255.0
 ip access-group GUEST-ACL in
 ip access-group Guest-ACL-out out
 ip nat inside
 ip virtual-reassembly

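As an added example (not code from the thread or from Cisco), a small Python model of IOS first-match wildcard-mask ACL evaluation. It shows why the extended ping 10.9.8.254 to 10.9.6.1 is translated under the originally posted NAT ACL but exempted under the corrected one from the accepted answer, and it also flags the overlapping interface subnets from the reply above. It assumes the usual IOS semantics that a 'permit' in the NAT ACL means "translate this packet".

```python
import ipaddress

# Constructed model of an IOS extended ACL: each entry is
# (action, src, src_wildcard, dst, dst_wildcard). In a Cisco wildcard
# mask a 1 bit means "don't care", so 0.0.0.255 matches a /24.
ANY = ("0.0.0.0", "255.255.255.255")

# NAT ACL as originally posted: only the 10.9.9.0/24 branch is exempted.
NAT_ORIGINAL = [
    ("deny",   "10.9.8.0", "0.0.0.255", "10.9.9.0", "0.0.0.255"),
    ("permit", "10.9.8.0", "0.0.0.255", *ANY),
]

# NAT ACL as corrected in the accepted answer: branch2 (10.9.6.0/24) added.
NAT_FIXED = [
    ("deny",   "10.9.8.0", "0.0.0.255", "10.9.9.0", "0.0.0.255"),
    ("deny",   "10.9.8.0", "0.0.0.255", "10.9.6.0", "0.0.0.255"),
    ("permit", "10.9.8.0", "0.0.0.255", *ANY),
]


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """True if addr matches net under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins, with the implicit deny at the end."""
    for action, s, sw, d, dw in acl:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action
    return "deny"


def will_be_natted(acl, src: str, dst: str) -> bool:
    """A 'permit' in the NAT ACL means the packet gets translated,
    so it no longer matches the crypto ACL and never enters the tunnel."""
    return acl_lookup(acl, src, dst) == "permit"


def subnets_overlap(a: str, b: str) -> bool:
    """Check for overlapping interface networks (the second issue found)."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


if __name__ == "__main__":
    print(will_be_natted(NAT_ORIGINAL, "10.9.8.254", "10.9.6.1"))   # True
    print(will_be_natted(NAT_FIXED, "10.9.8.254", "10.9.6.1"))      # False
    print(subnets_overlap("194.200.30.10/27", "194.200.30.50/24"))  # True
```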
New Member

Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Thanks a bunch,

As I went to work today, everything was working. I guess yesterday's changes started to work after the restart of the tunnel.

Thanks !
