
Cisco 1941 VPN ipsec

spetre
Level 1

Hi, 

I have a 1941 router which is configured with a site-to-site IPsec VPN. The VPN is up, but I can't ping from it to the other side and vice versa.

The config is:

M01#sh run
Building configuration...


Current configuration : 2291 bytes
!
! Last configuration change at 12:40:35 UTC Tue Apr 11 2017 by cisco
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$0F7i$gnqvDKv0ApfOtbwzVfqaM.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.240.102.1
ip dhcp excluded-address 10.240.102.199 10.240.102.254
!
ip dhcp pool LAN
network 10.240.102.0 255.255.255.0
default-router 10.240.102.1
domain-name intercars.eu
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name intercars.eu
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ204440SR
!
!
username xxxxx password 0 yyyyy
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key passxxx address 194.228.84.154 no-xauth
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer 194.xxx.xxx.xxx
set transform-set MYSET
set pfs group2
match address VPN
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.240.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
ip address 109.xx.xx.xx 255.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MYMAP
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 109.xx.xxx.xxx
ip ssh version 2
!
ip access-list extended NAT
permit ip 10.240.102.0 0.0.0.255 any
deny ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended VPN
permit ip 10.240.102.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks in advance.

Accepted Solution

Jon Marshall
Hall of Fame

In your NAT ACL you want the deny line before the permit line; otherwise the IPs are being translated and therefore do not match the crypto map ACL.

Jon
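To make the ordering problem concrete, here is an added Python simulation (not code from the thread or from Cisco) of first-match ACL evaluation with Cisco wildcard masks, applied to the NAT and crypto ACLs from the posted config. It models the point made above: for inside-to-outside traffic the NAT ACL is consulted before the crypto map ACL, so a LAN source that gets translated to the WAN address can no longer match the VPN ACL. The WAN address is masked in the post, so 203.0.113.1 is a constructed placeholder.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class Ace(NamedTuple):
    action: str     # "permit" or "deny"
    src: str        # source network
    src_wild: str   # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str        # destination network
    dst_wild: str

def _wild_match(addr: str, net: str, wild: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)

def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _wild_match(src, ace.src, ace.src_wild) and _wild_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"

def simulate(nat_acl: List[Ace], crypto_acl: List[Ace],
             src: str, dst: str, outside_ip: str) -> Tuple[str, bool]:
    """Inside->outside path: NAT overload first, then the crypto map ACL check.
    Returns (source address seen by the crypto map, whether it will be encrypted)."""
    translated = outside_ip if acl_action(nat_acl, src, dst) == "permit" else src
    encrypted = acl_action(crypto_acl, translated, dst) == "permit"
    return translated, encrypted

# Networks from the posted configuration
LAN = ("10.240.102.0", "0.0.0.255")
REMOTE = ("10.0.0.0", "0.255.255.255")
ANY = ("0.0.0.0", "255.255.255.255")
WAN_IP = "203.0.113.1"   # constructed placeholder for the masked 109.xx.xx.xx address

CRYPTO_ACL = [Ace("permit", *LAN, *REMOTE)]                          # ip access-list extended VPN
NAT_ACL_AS_POSTED = [Ace("permit", *LAN, *ANY), Ace("deny", *LAN, *REMOTE)]  # deny is shadowed
NAT_ACL_FIXED = [Ace("deny", *LAN, *REMOTE), Ace("permit", *LAN, *ANY)]      # deny first

if __name__ == "__main__":
    for name, acl in (("as posted", NAT_ACL_AS_POSTED), ("fixed", NAT_ACL_FIXED)):
        print(name, simulate(acl, CRYPTO_ACL, "10.240.102.50", "10.1.1.10", WAN_IP))
```

With the ACL as posted, the `permit ... any` entry matches first, the host is translated to the WAN address and the crypto ACL never sees 10.240.102.x; with the deny moved first, VPN-bound traffic is exempt from NAT and matches the crypto map, while Internet-bound traffic is still translated.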


2 Replies


Thanks for your fast response. You're right!
