06-05-2002 07:46 AM - edited 03-08-2019 10:51 PM
Can anyone let me know why this is not working? Here is what I am attempting to do. I want to connect site A to B so that they can browse each other's networks via a VPN connection. Presently, NAT is running on both sides with an internet connection for regular surfing, and I am able to ping from Tunnel1 to Tunnel1 and loopbacks but not from Ethernet to Ethernet. In addition, I am trying to exclude traffic going on the private network from the NAT process via policy routing on both sides.
Am I missing the route-map nonat permit 10 command?
Are the access-lists incorrect?
Unfortunately, I am at a loss.
This is site A
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xx
!
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set 10cisco
match address 105
!
!
!
!
interface Loopback0
description Static Public
ip address 24.151.xxx.xxx 255.255.255.255
no ip mroute-cache
!
interface Tunnel1
ip address 192.168.10.2 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
tunnel source Loopback0
tunnel destination 24.151.xxx.xxx
crypto map cisco
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
!
interface cable-modem0
ip nat outside
no ip mroute-cache
no cable-modem compliant bridge
cable-modem boot admin 2
cable-modem boot oper 5
!
ip default-gateway 10.24.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xx
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
Here is site B
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco10 address 24.151.xx.xxx
!
!
crypto ipsec transform-set 10cisco esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cisco local-address Loopback0
crypto map cisco 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set 10cisco
match address 105
!
!
!
!
!
interface Loopback0
description Public Static
ip address 24.151.xx.xx 255.255.255.255
no ip route-cache
no ip mroute-cache
!
interface Tunnel1
ip address 192.168.10.1 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
tunnel source Loopback0
tunnel destination 24.151.xx.xxx
crypto map cisco
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
!
interface cable-modem0
ip nat outside
no ip mroute-cache
no cable-modem compliant bridge
cable-modem boot admin 2
cable-modem boot oper 5
!
ip default-gateway 10.29.0.1
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 122 interface Tunnel1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.29.1.1
no ip http server
no ip http cable-monitor
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit gre host 24.151.xx.xx host 24.151.xx.xxx
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
I do not understand why the traffic will not route. Any help would be greatly appreciated.
Thank you
Harris C
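An added example, not part of the original post: a first-match evaluation of the extended ACLs 105 and 122 exactly as posted for site A, showing which action each list returns for a given source/destination pair. The GRE entry is left out because its addresses are masked on the page, and the test addresses used with it are constructed.

```python
import ipaddress

# IP entries of ACL 105 and ACL 122 copied from the site A configuration above.
SITE_A = """
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
"""

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(wildcard))

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        number, action = int(tokens[1]), tokens[2]
        rest = tokens[4:]  # skip the protocol keyword ('ip' in every entry here)
        src = parse_addr(rest)
        dst = parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def matches(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; all other bits must be equal."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src_spec, dst_spec in acl:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"

def classify(acls, src, dst):
    """Action returned by the crypto ACL (105) and the NAT ACL (122) for one flow."""
    return {number: evaluate(acls[number], src, dst) for number in (105, 122)}
```

For a crypto map, `permit` in the matched ACL means the flow is protected by IPsec; for `ip nat inside source list`, `permit` means the flow is translated.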
06-05-2002 08:16 AM
Hi,
Have you tried first without the IPSEC command to check if it's working?
What about this default route? Does your packet cross the tunnel interface or not? What do show crypto isakmp sa and show crypto ipsec sa tell you? Are the counters increasing?