11-28-2018 10:58 AM
I've been trying to set up a site-to-site VPN between two routers and it looks like the tunnel is active but I can't seem to ping from one site to the other. I will admit that I inherited the router configuration at one site (R1) and don't completely understand all of the security settings. I have attached the sanitized configuration from both routers (R1 and R2).
I'm trying to ping from a device at 10.129.53.199 connected to R1 to a device at 192.168.42.3 connected to R2 (and vice versa) with no success.
Any insight would be appreciated.
11-28-2018 11:13 AM
Hello,
the first thing I noticed is that you don't have a default route on either router. So, try and configure the below:
R1
ip route 0.0.0.0 0.0.0.0 Port-channel1.103
R2
ip route 0.0.0.0 0.0.0.0 FastEthernet4
11-28-2018 11:48 AM
Georg,
Thanks for the suggestion, unfortunately it doesn't seem to have had any effect.
Thank you,
Chris
11-28-2018 11:56 AM
Hello,
to be honest, the addressing looks odd, as you are NATting to private addresses. Either way, assuming that is ok, I think you are missing access list 102 (the access list matched in the crypto map) on R1. So on R1, configure:
access-list 102 permit ip 10.129.53.0 0.0.0.255 192.168.42.0 0.0.0.255
That said, you also have 10.129.52.0/24 on R1, does that need to be reachable as well?
11-28-2018 12:06 PM
I swapped our real public external IP addresses with those private IP addresses for anonymity.
I've added the access list and there has been no change.
I'm really only setting up communication with the 1 VLAN on R1.
Thanks
11-28-2018 12:23 PM
Hello,
if possible, take the 'zone member' command off the interfaces to check if the Zone Based Firewall is causing this...
11-28-2018 05:08 PM
I had to wait until the end of the day so as not to interrupt users at the R1 site but removing the zone based security from the port channels had no effect on the ability to ping between sites.
I really do appreciate your help thus far.
Thank you.
11-29-2018 05:55 AM
Can you ping between the public WAN IP addresses?
Do you have a route to 192.168.42.0 0.0.0.255 on R1 and a route to 10.129.53.0 0.0.0.255 on R2? The routes should be pointed out the WAN interface.
11-29-2018 06:59 AM
Chris
It is not clear to me whether the problem has to do with getting the VPN tunnel working or has to do with controlling traffic going through the tunnel. Can you post the output of show crypto ipsec sa (preferably from both routers)? This will help point us in the right direction.
HTH
Rick
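Two checks that tie together Georg's point about the crypto ACL and Rick's request for the IPsec SA counters, as an added example that is not part of this thread and not the poster's attached configs: the ACL lines and the show crypto ipsec sa excerpt below are constructed from the networks named in the thread, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample data (not the poster's attached configs): the crypto ACL
# referenced by each router's crypto map, using the thread's networks.
R1_ACL = "access-list 102 permit ip 10.129.53.0 0.0.0.255 192.168.42.0 0.0.0.255"
R2_ACL = "access-list 102 permit ip 192.168.42.0 0.0.0.255 10.129.53.0 0.0.0.255"
# Constructed excerpt of 'show crypto ipsec sa' counters: traffic goes out, none returns.
SA_SAMPLE = """    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network (wildcard = inverted mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_acl(line):
    """Return (acl number, source network, destination network) for a permit ip entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple 'permit ip' entry: {line!r}")
    num, src, src_wc, dst, dst_wc = m.groups()
    return num, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)

def is_mirror(local_line, peer_line):
    """True when the peer's crypto ACL exactly mirrors the local one, as IPsec requires."""
    _, lsrc, ldst = parse_acl(local_line)
    _, psrc, pdst = parse_acl(peer_line)
    return lsrc == pdst and ldst == psrc

def selects(acl_line, src_ip, dst_ip):
    """Would a packet from src_ip to dst_ip be treated as interesting traffic?"""
    _, src, dst = parse_acl(acl_line)
    return ipaddress.IPv4Address(src_ip) in src and ipaddress.IPv4Address(dst_ip) in dst

def diagnose_sa(text):
    """Classify a 'show crypto ipsec sa' excerpt by its encaps/decaps counters."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    if enc == 0 and dec == 0:
        return "nothing selected"   # traffic never reaches the crypto map: routing or ACL
    if dec == 0:
        return "outbound only"      # sent but nothing comes back: peer ACL mirror or return route
    return "bidirectional"
```

Running the checks against both routers' real ACLs and SA output tells you whether the ping is never being classified as interesting traffic on the local side or is leaving and simply not coming back.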