04-12-2017 08:05 AM - edited 03-08-2019 10:11 AM
Hi,
I have a Cisco 1941 router configured for a site-to-site IPsec VPN. The VPN is up, but I can't ping from it to the other side, and vice versa.
The config is:
M01#sh run
Building configuration...
Current configuration : 2291 bytes
!
! Last configuration change at 12:40:35 UTC Tue Apr 11 2017 by cisco
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$0F7i$gnqvDKv0ApfOtbwzVfqaM.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.240.102.1
ip dhcp excluded-address 10.240.102.199 10.240.102.254
!
ip dhcp pool LAN
network 10.240.102.0 255.255.255.0
default-router 10.240.102.1
domain-name intercars.eu
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name intercars.eu
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ204440SR
!
!
username xxxxx password 0 yyyyy
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key passxxx address 194.228.84.154 no-xauth
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer 194.xxx.xxx.xxx
set transform-set MYSET
set pfs group2
match address VPN
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.240.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
ip address 109.xx.xx.xx 255.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MYMAP
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 109.xx.xxx.xxx
ip ssh version 2
!
ip access-list extended NAT
permit ip 10.240.102.0 0.0.0.255 any
deny ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended VPN
permit ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end
Thanks in advance.
04-12-2017 08:25 AM
In your NAT ACL you want the deny line before the permit line; otherwise the IPs are being translated and therefore do not match the crypto map ACL.
Jon
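The ordering problem Jon describes comes from two IOS behaviours: an ACL is evaluated top-down and the first matching entry wins, and for traffic going inside-to-outside the NAT translation is applied before the crypto map is consulted, so the crypto ACL sees the post-NAT source address. The following is an added example, not part of the original thread or of Cisco's code. It parses the two NAT ACL orderings from the post plus the crypto ACL (in IOS wildcard-mask syntax), runs a first-match evaluation, and shows which flows are translated and which reach the crypto map. The WAN address `109.0.2.1` is an assumed stand-in for the masked `109.xx.xx.xx` in the config.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the posted config. The original NAT ACL has permit first,
# so LAN-to-remote-LAN traffic matches the permit and gets translated.
NAT_ACL_ORIGINAL = """
permit ip 10.240.102.0 0.0.0.255 any
deny ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

# Corrected order: the deny (NAT exemption) must come before the permit.
NAT_ACL_FIXED = """
deny ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.240.102.0 0.0.0.255 any
"""

# The crypto map's "match address VPN" ACL from the post.
CRYPTO_ACL = """
permit ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

# Assumed public address of Gi0/1 (the post shows it as 109.xx.xx.xx).
WAN_IP = "109.0.2.1"


@dataclass
class Ace:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bits must match the base, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: list[str], i: int) -> tuple[str, str, int]:
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip <src> <dst>' lines in the order written."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action = tok[0]           # permit / deny
        i = 2                     # tok[1] is the protocol ('ip')
        src, src_wc, i = _parse_addr(tok, i)
        dst, dst_wc, i = _parse_addr(tok, i)
        entries.append(Ace(action, src, src_wc, dst, dst_wc))
    return entries


def acl_permits(acl: list[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; an extended ACL ends in an implicit deny."""
    for ace in acl:
        if _wc_match(src, ace.src, ace.src_wc) and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def egress(nat_acl_text: str, src: str, dst: str) -> tuple[str, bool]:
    """Model a packet leaving Gi0/1: inside->outside NAT runs first, then the
    crypto map is checked against the (possibly translated) source.
    Returns (post-NAT source, whether the crypto ACL selected it for IPsec)."""
    translated = acl_permits(parse_acl(nat_acl_text), src, dst)
    post_nat_src = WAN_IP if translated else src
    encrypted = acl_permits(parse_acl(CRYPTO_ACL), post_nat_src, dst)
    return post_nat_src, encrypted


if __name__ == "__main__":
    lan_host, remote_host, internet_host = "10.240.102.50", "10.1.1.10", "8.8.8.8"
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        print(name, "to remote LAN:", egress(acl, lan_host, remote_host))
        print(name, "to Internet:  ", egress(acl, lan_host, internet_host))
```

With the original order the LAN-to-10.0.0.0/8 flow leaves as `109.0.2.1`, which the crypto ACL does not match, so it is sent unencrypted to the default route and the tunnel stays up but idle. With the deny first, the flow keeps its 10.240.102.x source, matches the crypto ACL and is encrypted, while Internet-bound traffic is still translated. On IOS the deny can be placed ahead of an existing permit in a named ACL by giving it a lower sequence number (for example `5 deny ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255`); after changing the NAT ACL, clear existing translations with `clear ip nat translation *` and confirm the fix with `show crypto ipsec sa`, whose `pkts encaps`/`pkts decaps` counters should start increasing.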
04-12-2017 11:38 PM
Thanks for your fast response. You're right!