06-16-2009 07:56 PM - edited 02-21-2020 03:31 AM
Dear All,
I am configuring a site-to-site VPN; I have one Cisco 2811 and one Cisco 1811 router.
Please tell me: with this configuration, do I need to dial, or will it connect automatically?
From the router it pings its live IP but doesn't ping the inside Ethernet interface.
Do I need to add a static route?
Please check my configuration.
sh run
Building configuration...
Current configuration : 5470 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MTL-2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxxx1k0
!
no aaa new-model
!
resource policy
!
memory-size iomem 10
!
!
ip cef
!
!
ip domain name 123.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
!
!
!
voice-card 0
no dspfarm
!
username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxxxx/
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key Millat7400 address 55.55.55.10 (Other side live ip)
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Millat6400 esp-3des esp-md5-hmac
!
crypto map Millat5400 10 ipsec-isakmp
set peer 55.55.55.10 (other side live ip)
set transform-set Millat6400
match address 175
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.74.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 55.55.555.21 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 55.55.555.17
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
!
!
ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110
ip nat inside source list 160 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389
!
ip access-list extended Internet
permit ip host 192.168.2.2 any
permit tcp any any eq smtp
permit tcp any any eq pop3
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.74.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
access-list 160 permit ip any any
access-list 160 permit tcp any any
access-list 175 permit ip 192.168.74.0 0.0.0.255 55.55.55.10 0.0.0.3
snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
password xxxxxx
login
line aux 0
line vty 0 4
password xxxxxx
login
!
scheduler allocate 20000 1000
!
end
MTL-2811#exit
Same configuration on the other side.
Please advise.
Regards,
Junaid
06-17-2009 07:56 AM
In this example, the author suggested making an ACL 175 to permit the required traffic that will use the VPN connection.
In my scenario, my Internet doesn't run without NAT overloading, so I made an ACL 160 and permitted ip any any and tcp any any.
Should I modify the existing ACL 160 and apply the same on the
crypto map Millat5400 10 ipsec-isakmp
match address 175
and replace 175 with 160?
In this case, the other side router is able to get access into my network and its Internet service runs, but the Internet service on the first router stops.
Please advise.
06-17-2009 08:07 AM
What is the inside network on the other side? The crypto ACL you are using references the outside IP/network of the remote host, not the inside network.
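The reply above points at the crypto ACL, and the earlier question about swapping ACL 160 into the crypto map touches the second half of the same problem: the NAT ACL and the crypto ACL have to be defined against each other. The fragment below is an added example, not configuration from the thread or from Cisco; it assumes the 1811's inside subnet is 192.168.100.0/24, which the thread never states, so substitute the real one. It keeps the names and addresses already in the posted config (peer 55.55.55.10, crypto map Millat5400, ACLs 160 and 175, local LAN 192.168.74.0/24).

```cisco
! Added example for the 2811 side. 192.168.100.0/24 is an assumed remote LAN;
! replace it with the 1811's actual inside subnet.
!
! Crypto ACL: inside-to-inside traffic only. The posted 175 matched the peer's
! public /30 (55.55.55.10 0.0.0.3), so LAN-to-LAN packets never matched it.
no access-list 175
access-list 175 permit ip 192.168.74.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! NAT ACL: exempt the VPN traffic before the overload line. IOS applies
! inside-to-outside NAT before the crypto map, so once a packet is PAT'd to
! the Fa0/1 address it no longer matches 175 and leaves in the clear.
! Pointing "match address" at 160 (permit ip any any) instead tries to send
! every outbound packet through the tunnel, which is why Internet access on
! the first router stopped.
no access-list 160
access-list 160 deny   ip 192.168.74.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 160 permit ip any any
!
! The posted config never binds the crypto map to the outside interface;
! without this no ISAKMP/IPsec negotiation is ever triggered.
interface FastEthernet0/1
 crypto map Millat5400
!
! Each additional local subnet routed via 192.168.74.2 (192.168.1.0/24 ...
! 192.168.11.0/24) needs its own "permit" line in 175 and a matching "deny"
! line in 160 if it is to reach the remote LAN through the tunnel.
!
! The 1811 side must carry the mirror image:
!   access-list 175 permit ip 192.168.100.0 0.0.0.255 192.168.74.0 0.0.0.255
!   access-list 160 deny   ip 192.168.100.0 0.0.0.255 192.168.74.0 0.0.0.255
```

There is nothing to dial: with a crypto map bound to the outside interface, the first packet from one LAN to the other that matches 175 brings the tunnel up. Check with `show crypto isakmp sa` (expect QM_IDLE for the peer) and `show crypto ipsec sa` (encaps/decaps counters should rise while you ping an inside address on the far side, sourced from the local inside interface). The static routes already present are enough; the tunnel is not a routed interface in this design, so no extra route is needed for the remote LAN. Note that the posted policy (pre-shared key, MD5, 3DES) is far below current practice; if the routers support it, prefer SHA-2 and AES with a DH group of at least 14.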