1677 Views, 0 Helpful, 15 Replies

interface vlan 1 no ping interface vlan 2

pcfreak49
Level 1

I have a problem. I have two interfaces, vlan 1 and vlan 2. The intention is that interface vlan 1 cannot ping or connect to interface vlan 2, and vice versa.

interface Vlan1
  ip address 20.20.20.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  !
!
interface Vlan2
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly


ip access-list extended ACL
  deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN
  permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

15 Replies

Latchum Naidu
VIP Alumni

Hi,

Where did you apply the extended ACL? Because as per it, vlan 2 cannot access vlan 1.
And did you enable "ip routing" in global config mode?

please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

I have this configured on the router, but I can still ping from the vlan 1 interface to the vlan 2 interface, and vice versa.

ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 20.20.20.1 20.20.20.20
!
ip dhcp pool R1.LAN
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    lease infinite
!
ip dhcp pool R1.CISCO_Private
    import all
    network 20.20.20.0 255.255.255.0
    default-router 20.20.20.1
    lease infinite


interface Vlan1
  ip address 20.20.20.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  !
!
interface Vlan2
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly

ip access-list extended ACL
  deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended VPN
  permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Hi,

So this is a router on a stick.
On which physical interface have you configured these vlans?
And make sure you have configured the encapsulation (R1(config-subif)#encapsulation dot1q 20) on all the vlans.

It would be very helpful for understanding where exactly the issue is if you post your complete router running config.

please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Okay, here is the current running-config:

Current configuration: 6550 bytes
!
! Last configuration change at 7:27:57 UTC Wed Apr 2011 by Tim
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-3945582034
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3945582034
revocation-check none
rsakeypair TP-self-signed-3945582034
!
!
crypto pki certificate chain TP-self-signed-3945582034
certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 04050030 F70D0101
  494F532D 53656C66 31312F30 2D060355 04031326 43657274 2D536967 6E65642D
  69666963 6174652D 33393435 35383230 3334301E 170D3131 30343236 31333137
  30345A17 0D323030 31303130 30303030 305A3031 06035504 03132649 312F302D
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343535
  38323033 3430819F 818D0030 81890281 01050003 300D0609 2A864886 F70D0101
  8100900D 6293E313 40744659 1E2A4047 E9844B53 240B241D 711B5B64 E75F2063
  2D6CDE1B 52A3F448 BFEC9B67 16816048 85235244 04DBBD55 048CC4C4 DEDAA702
  9954D740 D50B2ED8 3DF3F681 A5553D5B AEA90921 FB6C2757 C23B12D1 B8121A23
  4B752336 A329E1A8 7E74AB8F 043D73AE D41FE2CA 1B3A238F 9071779C EF2B3A37
  E2F70203 010001A3 0F060355 1D130101 FF040530 030101FF 30180603 6D306B30
  551D1104 63757273 11300F82 6973742E 6265301F 0603551D 23041830 0D52322E
  1680144A 5C914FA9 9D03D187 6DE957BE ED699CB0 46CB0530 1D060355 1D0E0416
  04144A5C 914FA99D 03D1876D E957BEED 699CB046 CB05300D 06092A86 4886F70D
  5E579320 01010405 00038181 0027B4A2 5B66B9E9 F280E047 3BDC4B0F AB852BFA
  1C480D16 3C3E3A86 998EB525 56375C41 E92CA8DC D9EB2583 E685145D B536B4BD
  7E1B3213 086CC86C FB20A91F 4A0A8A67 C5848F49 89BDF700 D6EA83FB 6533E802
  6A0BA747 54476B9C 1060D035 DDA6C526 B6FED37E 0D1CB29F 7A8C4B11 46BAF5CD
  706666CF 00E710A2 C9
        quit
ip source-route
!
!
ip dhcp excluded-address 20.20.20.1 20.20.20.20
ip dhcp excluded-address 10.10.10.1 10.10.10.20

!
ip dhcp pool R2.LAN
   import all
   network 20.20.20.0 255.255.255.0
   default-router 20.20.20.1
   lease infinite
!
ip dhcp pool R2.CISCO_Private
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease infinite
!
!
ip cef
ip domain name cursist.be
ipv6 unicast-routing
ipv6 cef
!
!
!
!
archive
log config
  logging enable
path flash: config-R2.standard.running
username user privilege 15 secret 5 $1$SQFs$zojYx5GmAMV.1q33BwRxu0
username Cisco privilege 15 secret 5 $1$CdKz$SOMtjCVR5AO6GW6Ug23Rq/
!
!
ip ssh rsa keypair-name ************
ip ssh version 2
ip scp server enable
!
!
crypto isakmp policy 10000
encr aes 256
authentication pre-share
group 16
crypto isakmp key Cisco123 address ***************
!
!
crypto ipsec transform-set 10000 ah-sha-hmac esp-aes 256 esp-sha-hmac comp-lzs
!
crypto map R2.CMAP 10000 ipsec-isakmp
set peer *****************
set transform-set 10000
set pfs group16
match address VPN
qos pre-classify
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN
ip address dhcp client-id FastEthernet8
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description WAN
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map R2.CMAP
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
ip address 20.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list acl interface GigabitEthernet0 overload
ip nat inside source static tcp 10.10.10.1 22 interface GigabitEthernet0 4000
ip nat inside source static tcp 20.20.20.1 22 interface GigabitEthernet0 5000
!
ip access-list extended ACL
deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
no cdp run

!
!
!
!
!
!
control-plane
!
!
!
line con 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin ssh udptn
line aux 0
line vty 0 4
privilege level 15
password *********
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000


Hi Guys,

    I'm afraid that you didn't apply the ACL to an interface. Are you using the Ethernet switch module on the router? Please tell us a bit more detail.

If users in VLAN1 are not allowed to ping Interface-VLAN1 and Interface-VLAN2, you should do as follows:

!
ip access-list extended VLAN1-NO-PING-GW
deny icmp 20.20.20.0 0.0.0.255 host 20.20.20.1
deny icmp 20.20.20.0 0.0.0.255 host 10.10.10.1
permit ip any any
!
interface vlan 1
ip access-group VLAN1-NO-PING-GW in
!

If users in VLAN2 are not allowed to ping Interface-VLAN2 and Interface-VLAN1, you should do as follows:

!
ip access-list extended VLAN2-NO-PING-GW
deny icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
deny icmp 10.10.10.0 0.0.0.255 host 20.20.20.1
permit ip any any
!
interface vlan 2
ip access-group VLAN2-NO-PING-GW in
!

Hope I understood what you wanted. (grin)

Toshi

Okay, that's good, but can I still ping over the VPN to the other router? Let me know how.

Hi,

    First off, you need to provide us the remote network that you want to ping from your site. Your interesting traffic for the site-to-site VPN is wrong.

!
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!

     It shouldn't be like you defined above. It might be something as follows:

     Note: xxxx is a remote site network.

!
ip access-list extended VPN-To-RemoteNetwork
permit ip 10.10.10.0 0.0.0.255 xxxx yyyy
permit ip 20.20.20.0 0.0.0.255 xxxx yyyy
!
crypto map R2.CMAP 10000 ipsec-isakmp
match address VPN-To-RemoteNetwork
!

    You should deny VPN traffic in the NAT overload ACL as well.

!
ip access-list extended NAT-DENY-RemoteVPN
deny ip 10.10.10.0 0.0.0.255 xxxx yyyy
deny ip 20.20.20.0 0.0.0.255 xxxx yyyy
permit ip 10.10.10.0 0.0.0.255 any
permit ip 20.20.20.0 0.0.0.255 any
!
ip nat inside source list NAT-DENY-RemoteVPN interface GigabitEthernet0 overload

     Please let us know how things work out.

HTH,

Toshi
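Both answers above come down to two checks that can be done offline before touching the router: whether an ACL that is actually applied inbound on the SVI blocks the inter-VLAN traffic (and nothing else), and whether the NAT overload list exempts every flow the crypto ACL selects. The block below is an added example, not code from this thread or from Cisco. It is a small evaluator for IOS extended-ACL syntax with first-match and implicit-deny semantics, run over the ACL the original poster posted, over an assumed inbound isolation ACL for Vlan1 (name VLAN1-ISOLATE is made up here), and over a NAT-exempt list and crypto ACL in the shape Toshi describes, with 172.16.0.0/24 assumed in place of "xxxx yyyy". The flow list is constructed for the example, not captured traffic.

```python
"""Added example, not code from the thread: first-match evaluator for Cisco IOS
extended ACL syntax (ip/icmp/tcp/udp; 'any', 'host A', 'A WILDCARD'; no ports)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp" or "udp"
    src: str
    dst: str

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_i)."""
    word = tokens[i].lower()
    if word == "any":
        return (0, 0xFFFFFFFF), i + 1
    if word == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    network = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (network, wildcard), i + 2

def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)

def parse_acl(text):
    """[(action, proto, src, dst), ...] in order; header and 'remark' lines skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower() in ("permit", "deny"):
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
            entries.append((tokens[0].lower(), tokens[1].lower(), src, dst))
    return entries

def evaluate(acl_text, pkt):
    """First matching entry wins; no match ends in IOS's implicit deny."""
    for action, proto, src, dst in parse_acl(acl_text):
        if proto in ("ip", pkt.proto) and _matches(src, pkt.src) and _matches(dst, pkt.dst):
            return action
    return "deny"

def nat_crypto_conflicts(nat_text, crypto_text, flows):
    """IOS runs inside->outside NAT before consulting the crypto map: a flow the NAT
    list permits (translates) and the crypto ACL also permits never enters the tunnel."""
    return [p for p in flows
            if evaluate(nat_text, p) == "permit" and evaluate(crypto_text, p) == "permit"]

# The ACL as posted in the thread (translated word order restored: "permit ... any").
OP_ACL = """
ip access-list extended ACL
 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
"""
# Assumed fix, not from the thread: applied with "interface Vlan1" /
# "ip access-group VLAN1-ISOLATE in"; Vlan2 gets the mirror image (deny 10 -> 20).
# The final "permit ip any any" keeps the own gateway, DHCP and the Internet reachable.
VLAN1_ISOLATE = """
ip access-list extended VLAN1-ISOLATE
 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
"""
# Toshi's NAT-exempt list and crypto ACL, with 172.16.0.0/24 assumed for "xxxx yyyy".
NAT_ACL = """
ip access-list extended NAT-DENY-RemoteVPN
 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny ip 20.20.20.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 20.20.20.0 0.0.0.255 any
"""
CRYPTO_ACL = """
ip access-list extended VPN-To-RemoteNetwork
 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 20.20.20.0 0.0.0.255 172.16.0.0 0.0.0.255
"""
FLOWS = [  # constructed sample flows, not captured traffic
    Packet("icmp", "10.10.10.5", "20.20.20.5"),   # VLAN2 host -> VLAN1 host
    Packet("icmp", "20.20.20.5", "10.10.10.1"),   # VLAN1 host -> Vlan2 SVI
    Packet("icmp", "20.20.20.5", "20.20.20.1"),   # VLAN1 host -> own gateway
    Packet("udp", "0.0.0.0", "255.255.255.255"),  # DHCP discover
    Packet("tcp", "20.20.20.5", "198.51.100.1"),  # VLAN1 host -> Internet
    Packet("tcp", "10.10.10.5", "172.16.0.9"),    # VLAN2 host -> remote VPN site
]

def report():
    """Verdict per flow for each ACL, and NAT-before-crypto conflicts per NAT list."""
    acls = {"ACL (posted)": OP_ACL, "VLAN1-ISOLATE": VLAN1_ISOLATE,
            "NAT-DENY-RemoteVPN": NAT_ACL}
    verdicts = {name: [evaluate(acl, p) for p in FLOWS] for name, acl in acls.items()}
    conflicts = {"ACL (posted)": nat_crypto_conflicts(OP_ACL, CRYPTO_ACL, FLOWS),
                 "NAT-DENY-RemoteVPN": nat_crypto_conflicts(NAT_ACL, CRYPTO_ACL, FLOWS)}
    return verdicts, conflicts
```

Calling report() shows the two points in numbers: the posted ACL, if it were applied inbound on Vlan1, has no permit for 20.20.20.0/24 at all, so it denies the VLAN1 host's ping to its own gateway and to the Internet as well as the cross-VLAN traffic, and it matches nothing until it is bound with ip access-group; the isolation ACL denies only the flow toward the other VLAN (including that VLAN's SVI address) and lets DHCP and WAN traffic through. Used as the NAT list, the posted ACL also permits (translates) the VLAN2-to-remote-site flow that the crypto ACL wants to encrypt, which is exactly the case the exempting NAT-DENY-RemoteVPN list avoids. Ports, `established`, object-groups and the reflexive forms are out of scope for the evaluator.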

That does not help me, because that is how I was hoping my VPN would work with this running-config,

but internally it still keeps pinging instead of being blocked.

Hi,

   Keep in mind, site-to-site VPN needs to agree upon the policies on both sites. Time to read this document.

Ref : http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Good Luck

Toshi


My VPN works fine, but it uses the same IP addresses:

Router 1
vlan 1 ip address 10.10.10.1
vlan 2 ip address 20.20.20.1

Router 2
vlan 1 ip address 20.20.20.1
vlan 2 ip address 10.10.10.1

Hi,

  I'm a bit surprised if your VPN is working with overlapping networks on both sites with the existing configuration. I would design different networks for each site to do site-to-site VPN. If you want to do this, the new configuration will have a long list of NAT statements and you're not gonna like it for sure. (grin)

HTH,

Toshi

It only works if I remove interface vlan 2 on both routers.

How can you have 4 subnets and a VPN?

Hi,

   If I were you I would do as simple as I can.

SiteA : I would use 10.1.x.y network.

           Let's say 10.1.1.0/24 for VLAN1 and 10.1.2.0/24 for VLAN2

SiteB : I would use 10.2.x.y network.

            Let's say 10.2.1.0/24 for VLAN1 and 10.2.2.0/24 for VLAN2

  You can now do ACL policies and site-to-site VPN without any problem. I hope (grin)

Toshi
