VPN Site to Site Link

Hi All,

I've configured a site-to-site VPN between two Cisco 1921 routers. The router at the Remote Site is a VPN/NAT-on-a-stick setup. The VPN shows as UP-ACTIVE, but I can't transmit any data across it.

I think it may have something to do with the NAT configuration, but I can't see why.

Here is my config.

MAIN Office

hostname KG-ROUTER-OFFICE
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco address 217.217.217.217
!
!
crypto ipsec transform-set TS_AES_KG esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description TUNNEL to 217.217.217.217
 set peer 217.217.217.217
 set transform-set TS_AES_KG
 match address 100
!
interface GigabitEthernet0/0
 description INTERNAL
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description EXTERNAL
 ip address 62.62.62.62 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 98
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool OFFICE 62.62.62.62 62.62.62.62 netmask 255.255.255.248
ip nat inside source list 98 pool OFFICE overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 62.62.62.61
ip route 192.168.101.0 255.255.255.0 192.168.1.1
!
!
access-list 98 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_CMAP Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
end

Remote Office

crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco address 62.62.62.62
!
!
crypto ipsec transform-set TS_AES_KG esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description TUNNEL to OFFICE
 set peer 62.62.62.62
 set transform-set TS_AES_KG
 match address 100
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.16.252 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map MAP_U_TURN
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list NAT_U_TURN interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.16.4
!
ip access-list standard NAT_U_TURN
 permit 192.168.1.253
!
ip access-list extended s2s-OFFICE
 permit ip host 192.168.1.253 host 192.168.16.252
!
!
route-map MAP_U_TURN permit 10
 match ip address NAT_U_TURN
 set interface Loopback0
!
!
access-list 98 permit 192.168.16.0 0.0.0.255
access-list 100 remark SDM_CMAP Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.16.0 0.0.0.255 any

If someone could have a look over this before I rip my hair out, I would be grateful.

Steve

Hi sslack031,

I think the issue would be the double NAT statements that you have on the MAIN Office router along with the standard access list 98. That's because you should deny VPN traffic from being NATed, but you can't do that on access list 98 because it is a standard access list, so you would not be able to specify the destination network address. To fix your issue, you would remove the "ip nat inside source list 98 pool OFFICE overload" statement, or you would replace access list 98 with an extended one and deny the VPN traffic on it.

On the Remote Office you would remove the "ip nat inside source list NAT_U_TURN interface GigabitEthernet0/1 overload" statement since there is no access list NAT_U_TURN, so that NAT statement has no effect.

Regards,

Aref
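As an added example (not part of Steve's post or Aref's reply), here is one way to apply the reply's second option on KG-ROUTER-OFFICE: collapse the two overlapping dynamic NAT rules into a single rule driven by an extended ACL whose first entry exempts exactly the traffic that crypto ACL 100 permits. Addresses, interface names and ACL 100 are taken from the posted config; the ACL name NAT_NO_VPN is made up for this example. The `ip nat pool OFFICE` only contained 62.62.62.62, which is Gi0/1's own address, so the `interface GigabitEthernet0/1 overload` form translates to the same address and the pool becomes redundant. The Remote Office side already carries the equivalent deny in its access-list 110, so only the main office is shown.

```cisco
! Added example for KG-ROUTER-OFFICE (assumed names: NAT_NO_VPN). Not from the thread.
!
! 1. Remove both dynamic NAT rules. Both match 192.168.1.0/24, and the standard
!    ACL 98 has no destination field, so LAN-to-LAN packets can be translated to
!    62.62.62.62 before the crypto map sees them and then never match ACL 100.
no ip nat inside source list 98 pool OFFICE overload
no ip nat inside source list 110 interface GigabitEthernet0/1 overload
no ip nat pool OFFICE 62.62.62.62 62.62.62.62 netmask 255.255.255.248
!
! 2. One extended ACL. "deny" here means "do not translate"; it must mirror the
!    crypto ACL 100 permit line-for-line and come before the catch-all permit,
!    because the ACL is evaluated top down.
ip access-list extended NAT_NO_VPN
 remark Exempt site-to-site traffic (same flow as crypto ACL 100) from PAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
 remark Everything else from the LAN is PATed to Gi0/1 (62.62.62.62)
 permit ip 192.168.1.0 0.0.0.255 any
!
! 3. A single overload rule on the outside interface.
ip nat inside source list NAT_NO_VPN interface GigabitEthernet0/1 overload
!
! 4. Verification, from exec mode. Clear stale translations first, ping a
!    192.168.16.x host from the LAN, then check that the SA counters rise and
!    that no 192.168.16.0 destination appears in the translation table.
!
! clear ip nat translation *
! show crypto session
! show crypto ipsec sa peer 217.217.217.217
! show ip nat translations | include 192.168.16.
```

The check to carry away: every entry that the crypto ACL permits must have a matching deny at the top of the NAT ACL. Any flow the crypto ACL permits but the NAT ACL does not deny is translated first and then fails the crypto match, which produces exactly the "tunnel up but no traffic" picture described above. Unrelated to the NAT fault, the pre-shared key `cisco` shown in both configs is a placeholder and should be a long random secret on a production link.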