Need a hand

hcoltrain
Level 1

Can anyone let me know why this is not working? Here is what I am attempting to do. I want to connect site A to site B so that they can browse each other's networks via a VPN connection. Presently, NAT is running on both sides with an internet connection for regular surfing, and I am able to ping from Tunnel1 to Tunnel1 and between loopbacks, but not from Ethernet to Ethernet. In addition, I am trying to exclude traffic going over the private network from the NAT process via policy routing on both sides.

Am I missing the route-map nonat permit 10 command?

Are the access-lists incorrect?

Unfortunately, I am at a loss.

This is site A:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xx
!
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set 10cisco
 match address 105
!
!
!
!
interface Loopback0
 description Static Public
 ip address 24.151.xxx.xxx 255.255.255.255
 no ip mroute-cache
!
interface Tunnel1
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 24.151.xxx.xxx
 crypto map cisco
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface cable-modem0
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem boot admin 2
 cable-modem boot oper 5
!
ip default-gateway 10.24.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xx
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any

Here is site B:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xxx
!
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set 10cisco
 match address 105
!
!
!
!
!
interface Loopback0
 description Public Static
 ip address 24.151.xx.xx 255.255.255.255
 no ip route-cache
 no ip mroute-cache
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 24.151.xx.xxx
 crypto map cisco
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface cable-modem0
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem boot admin 2
 cable-modem boot oper 5
!
ip default-gateway 10.29.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xxx
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any

I do not understand why the traffic will not route. Any help would be greatly appreciated.

Thank you

Harris C
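As an added example (not part of the post above, and not a diagnosis of it), here is a small Python evaluator for IOS numbered access lists that applies the same semantics the router uses when it consults lists 1, 105 and 122: entries are checked top-down, the first match wins, a wildcard bit of 1 means "don't care", and every list ends with an implicit deny. For a NAT list, deny means "do not translate"; for a crypto map list, deny means "send unprotected", not "drop". The ACL text is site A's from the post, with the masked 24.151.xx.xx loopback addresses replaced by documentation-range placeholders (203.0.113.1 and 203.0.113.2, constructed); the sample flows are constructed too. Run against those lists, it shows that the LAN-A-to-LAN-B flow is permitted by list 1, denied by list 122 and permitted by list 105, which is a useful thing to know when reading the two `ip nat inside source` statements side by side. It does not model which NAT statement IOS consults first; it only reports what each list says about a given packet.

```python
"""IOS-style numbered ACL evaluator: first match wins, implicit deny at the end.
Added example; ACL text is site A's from the post with the masked loopback
addresses replaced by constructed documentation-range placeholders."""
import ipaddress
from dataclasses import dataclass

# Site A's lists as posted; 203.0.113.x are placeholders for the masked 24.151.xx.xx.
SITE_A_ACLS = """
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit gre host 203.0.113.1 host 203.0.113.2
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", "gre", ...


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs have no destination field:
    dst_wc: str = "255.255.255.255"  # an all-ones wildcard matches anything


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host X', 'X wildcard' or a bare 'X'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1


def parse_acls(text):
    """Group 'access-list N ...' lines by number, preserving their order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:                 # standard ACL: source only
            src, src_wc, _ = _parse_addr(t, 3)
            entry = AclEntry(action, "ip", src, src_wc)
        else:                                 # extended ACL: proto, source, destination
            src, src_wc, i = _parse_addr(t, 4)
            dst, dst_wc, _ = _parse_addr(t, i)
            entry = AclEntry(action, t[3], src, src_wc, dst, dst_wc)
        acls.setdefault(number, []).append(entry)
    return acls


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    return wildcard_match(p.src, e.src, e.src_wc) and wildcard_match(p.dst, e.dst, e.dst_wc)


def evaluate(entries, packet):
    """Return (action, 1-based entry index) of the first match, or ('deny', None)
    for the implicit deny that terminates every IOS ACL."""
    for idx, e in enumerate(entries, start=1):
        if entry_matches(e, packet):
            return e.action, idx
    return "deny", None


def classify(acls, packet):
    """Map each ACL number to what that list says about the packet."""
    return {n: evaluate(entries, packet) for n, entries in sorted(acls.items())}


# Constructed sample flows through site A.
FLOWS = {
    "LAN A -> LAN B (meant to be encrypted, not translated)": Packet("192.168.0.10", "192.168.1.20", "tcp"),
    "LAN A -> Internet (meant to be translated)": Packet("192.168.0.10", "198.51.100.7", "tcp"),
    "GRE Loopback0 -> peer Loopback0": Packet("203.0.113.1", "203.0.113.2", "gre"),
}

if __name__ == "__main__":
    parsed = parse_acls(SITE_A_ACLS)
    for name, pkt in FLOWS.items():
        print(name)
        for n, (action, line) in classify(parsed, pkt).items():
            where = f"entry {line}" if line else "implicit deny"
            print(f"  access-list {n:>3}: {action:<6} ({where})")
```

To check site B, paste its six access-list lines into SITE_A_ACLS in place of site A's and swap the sample subnets; the evaluator itself is generic over standard and extended numbered lists that use the any/host/wildcard forms seen in the post.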

1 Reply

duchesne_ced
Level 1

Hi,

Have you tried first without the IPsec commands, to check if it is working?

What about this default route? Does your packet cross the tunnel interface or not? What do show crypto isakmp sa and show crypto ipsec sa tell you? Are the counters increasing?