VPN Site to Site Link

Hi All,

I've configured a site-to-site VPN between two Cisco 1921 routers. One router, on the remote site, is a VPN/NAT on a stick. However, the VPN is showing UP-ACTIVE but I can't transmit any data across it.

I think it may have something to do with the NAT configuration, but I can't see why.

Here is my config.

MAIN Office

hostname KG-ROUTER-OFFICE
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco address 217.217.217.217
!
!
crypto ipsec transform-set TS_AES_KG esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description TUNNEL to 217.217.217.217
 set peer 217.217.217.217
 set transform-set TS_AES_KG
 match address 100
!
interface GigabitEthernet0/0
 description INTERNAL
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description EXTERNAL
 ip address 62.62.62.62 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 98
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool OFFICE 62.62.62.62 62.62.62.62 netmask 255.255.255.248
ip nat inside source list 98 pool OFFICE overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 62.62.62.61
ip route 192.168.101.0 255.255.255.0 192.168.1.1
!
!
access-list 98 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_CMAP Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
end

Remote Office

crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco address 62.62.62.62
!
!
crypto ipsec transform-set TS_AES_KG esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description TUNNEL to OFFICE
 set peer 62.62.62.62
 set transform-set TS_AES_KG
 match address 100
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.16.252 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map MAP_U_TURN
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list NAT_U_TURN interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.16.4
!
ip access-list standard NAT_U_TURN
 permit 192.168.1.253
!
ip access-list extended s2s-OFFICE
 permit ip host 192.168.1.253 host 192.168.16.252
!
!
route-map MAP_U_TURN permit 10
 match ip address NAT_U_TURN
 set interface Loopback0
!
!
access-list 98 permit 192.168.16.0 0.0.0.255
access-list 100 remark SDM_CMAP Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.16.0 0.0.0.255 any

 

If someone could have a look over this before I rip my hair out, I would be grateful.

Steve

2 REPLIES

You'll need to no-nat the traffic you want to tunnel.

I have a question. Have you tried setting up VTIs? That way, you can just route the interesting traffic to the tunnel instead of creating a crypto map. This works great for site-to-site IPsec VPNs.

Hi,

You can try to edit ACL-98 to deny VPN traffic before Internet traffic on both sites and let's see how it goes.

Thanks
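The change both replies point at, written out against the main-office config posted above. This is an added example from the editor, not the original poster's or either replier's configuration. It relies on the IOS order of operations in which inside-to-outside NAT runs before the crypto map decides what to encrypt: a packet whose source has been translated to 62.62.62.62 no longer matches crypto ACL 100 and leaves Gi0/1 in the clear. One thing the wording "edit ACL-98 to deny VPN traffic" hides: ACL 98 is a standard ACL and can only match a source address, so a deny on source plus destination cannot be written into it. The exemption has to live in an extended list, and the posted ACL 110 already contains exactly that deny line.

```cisco
! ---- Main office, as posted. ACL 98 (standard, source-only) matches every
! ---- 192.168.1.0/24 source, so tunnel-bound packets are translated to
! ---- 62.62.62.62 before the crypto map sees them and never match ACL 100.
ip nat pool OFFICE 62.62.62.62 62.62.62.62 netmask 255.255.255.248
ip nat inside source list 98 pool OFFICE overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
access-list 98 permit 192.168.1.0 0.0.0.255
!
! ---- Corrected. Drop the pool rule (the pool is the Gi0/1 address anyway)
! ---- and keep only the rule keyed on extended ACL 110, whose deny line
! ---- exempts 192.168.1.0/24 -> 192.168.16.0/24 before the catch-all permit.
! ---- ACL 98 itself stays: "ip http access-class 98" still references it.
no ip nat inside source list 98 pool OFFICE overload
no ip nat pool OFFICE 62.62.62.62 62.62.62.62 netmask 255.255.255.248
!
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface GigabitEthernet0/1 overload
!
! ---- The NAT exemption and the crypto ACL must describe the same flow.
! ---- ACL 100 is unchanged from the posted config.
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255
!
! ---- Flush translations built under the old rule, then check that the
! ---- encaps/decaps counters climb when a LAN host talks to 192.168.16.x.
clear ip nat translation *
show ip nat translations
show crypto ipsec sa | include ident|encaps|decaps
```

Re-entering the `ip nat inside source list 110` line is harmless; it is already in the posted config and is shown only to make the final state explicit. On the remote router the posted `ip nat inside source list 110` rule already carries the equivalent deny line, and its ACL 98 is not referenced by any `ip nat` statement, so the same edit does not apply there. If the counters still stay at zero after this change, the problem is elsewhere than NAT on the main-office side.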
