Site to site vpn woes

holloway5
Level 1

Hi, we've got a Cisco 2801 in our head office and an ASA 5505 in our remote office.

H/O network is 192.168.24.0/24 and remote is 192.168.101.0/24. We have a server in head office which has a public IP NATed to it (shown as !!!.!!!.40.69 in the config below). Problem is, this server cannot get to the 101 network. Traceroute on the server tries to go out through the internet, rather than via the site-to-site link.

Can anyone advise? Here's the cut-down config for the 2801:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key q**! address ***.ABC.DEF.39
!
!
crypto ipsec transform-set ASA-IPSEC esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer ***.ABC.DEF.39
 set transform-set ASA-IPSEC
 match address 101
!
interface FastEthernet0/0
 description *** LAN ***
 ip address 192.168.24.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
 no cdp log mismatch duplex
!
ip nat inside source list 150 interface FastEthernet0/1 overload
ip nat inside source static 192.168.24.6 !!!.!!!.40.67
ip nat inside source static 192.168.24.14 !!!.!!!.40.69
ip nat inside source static tcp 192.168.24.20 8980 !!!.!!!.40.70 8980 extendable
ip nat inside source static 192.168.24.243 !!!.!!!.40.75
ip nat inside source static 192.168.24.92 !!!.!!!.40.77
ip nat inside source static tcp 192.168.24.3 80 !!!.!!!.40.78 80 extendable
ip nat inside source static tcp 192.168.24.3 443 !!!.!!!.40.78 443 extendable
ip nat outside source static tcp 192.168.24.26 80 !!!.!!!.40.73 80 extendable
ip nat outside source static tcp 192.168.24.26 443 !!!.!!!.40.73 443 extendable
!
ip access-list extended PROTECT
 permit icmp any any
 permit udp any host !!!.!!!.40.66 eq isakmp
 permit udp any host !!!.!!!.40.66 eq non500-isakmp
 permit esp any host !!!.!!!.40.66
 permit udp any eq domain any
 permit tcp any any established
 permit tcp any eq ftp-data any syn
 permit tcp any host !!!.!!!.40.68 eq 443
 permit tcp any host !!!.!!!.40.69 eq ftp
 permit udp any host !!!.!!!.40.69 eq isakmp
 permit tcp any host !!!.!!!.40.69 eq 443
 permit tcp any host !!!.!!!.40.69 eq 1723
 permit tcp any host !!!.!!!.40.69 eq 22
 permit tcp any host !!!.!!!.40.69 eq www
 permit udp any host !!!.!!!.40.69 eq non500-isakmp
 permit udp any host !!!.!!!.40.69 eq 1701
 permit gre any host !!!.!!!.40.69
 permit tcp any host !!!.!!!.40.73 eq www
 permit tcp any host !!!.!!!.40.73 eq 443
 permit tcp any host !!!.!!!.40.74 eq www
 deny   ip any any
!
access-list 101 permit ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 110 permit ip host 192.168.24.10 any
access-list 111 permit ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 150 deny   ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 150 permit ip 192.168.24.0 0.0.0.255 any
snmp-server community public RO 23
!
route-map STATIC permit 10
 match ip address 110 150
!

1 Reply

scater1983
Level 1

Hi,

You need to append a route-map statement to the end of the static xlate. This tells the router not to process the static xlate when sending traffic back to clients across the VPN.

The following configuration should work for you.

*************

ip nat inside source static 192.168.24.14 !!!.!!!.40.69 route-map VPN_2_STATICS
!
ip access-list extended VPN_2_STATICS
 10 deny ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255
 20 permit ip any any
!
route-map VPN_2_STATICS permit 10
 match ip address VPN_2_STATICS

Cheers,

scater1983
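The reason the fix works is the order in which IOS processes inside-to-outside traffic: the static NAT translation is applied before the crypto map's ACL is evaluated, so access-list 101 is checked against the already-translated public source address, never matches, and the packet is routed out to the internet in the clear. The dynamic overload translation in the question already has the exemption (the deny line in access-list 150); the static xlate for 192.168.24.14 did not. The following script is an added illustration written for this thread, not Cisco code or anything the posters supplied: it models wildcard-mask ACL matching, a static translation with and without an attached route-map, and the NAT-then-crypto ordering, then shows where the server's traffic ends up in each case. The public addresses 203.0.113.69 (standing in for the masked !!!.!!!.40.69) and 198.51.100.10 (an arbitrary internet host) are placeholders from the RFC 5737 documentation ranges.

```python
"""Toy model of IOS NAT-then-crypto ordering for inside-to-outside traffic.

Constructed example for the thread above; it is not Cisco code. 203.0.113.69
stands in for the masked public address !!!.!!!.40.69 and 198.51.100.10 for an
arbitrary internet host (both RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str


def wildcard_match(spec: str, ip: str) -> bool:
    """IOS-style match: bits set in the wildcard mask are 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    addr, wildcard = parts
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def acl_action(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(entry.src, src_ip) and wildcard_match(entry.dst, dst_ip):
            return entry.action
    return "deny"


@dataclass
class StaticNat:
    inside_local: str
    inside_global: str
    route_map_acl: Optional[List[AclEntry]] = None  # ACL matched by the attached route-map


def translate_source(nat_table: List[StaticNat], src_ip: str, dst_ip: str) -> str:
    """Apply a static inside translation unless its route-map denies this flow."""
    for entry in nat_table:
        if entry.inside_local != src_ip:
            continue
        if entry.route_map_acl is None or acl_action(entry.route_map_acl, src_ip, dst_ip) == "permit":
            return entry.inside_global
        return src_ip  # route-map denied: leave the address untranslated
    return src_ip


def forward(nat_table: List[StaticNat], crypto_acl: List[AclEntry],
            src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Inside-to-outside on IOS: NAT runs before the crypto-map ACL is checked,
    so the crypto ACL only ever sees the post-NAT source address."""
    post_nat_src = translate_source(nat_table, src_ip, dst_ip)
    if acl_action(crypto_acl, post_nat_src, dst_ip) == "permit":
        return "ipsec-tunnel", post_nat_src
    return "internet", post_nat_src


# access-list 101 from the question (the crypto ACL)
CRYPTO_ACL_101 = [AclEntry("permit", "192.168.24.0 0.0.0.255", "192.168.101.0 0.0.0.255")]

# VPN_2_STATICS from the reply: exempt LAN-to-remote-LAN traffic, translate the rest
VPN_2_STATICS = [
    AclEntry("deny", "192.168.24.0 0.0.0.255", "192.168.101.0 0.0.0.255"),
    AclEntry("permit", "any", "any"),
]

PUBLIC_69 = "203.0.113.69"  # placeholder for the masked !!!.!!!.40.69

NAT_BEFORE = [StaticNat("192.168.24.14", PUBLIC_69)]                 # as posted in the question
NAT_AFTER = [StaticNat("192.168.24.14", PUBLIC_69, VPN_2_STATICS)]   # with the reply's route-map


def server_to_remote(nat_table: List[StaticNat]) -> Tuple[str, str]:
    """Head-office server to a host on the remote 192.168.101.0/24 LAN."""
    return forward(nat_table, CRYPTO_ACL_101, "192.168.24.14", "192.168.101.50")


def server_to_internet(nat_table: List[StaticNat]) -> Tuple[str, str]:
    """Head-office server to an ordinary internet host; must still be translated."""
    return forward(nat_table, CRYPTO_ACL_101, "192.168.24.14", "198.51.100.10")


if __name__ == "__main__":
    print("before fix, to remote LAN:", server_to_remote(NAT_BEFORE))   # ('internet', '203.0.113.69')
    print("after fix,  to remote LAN:", server_to_remote(NAT_AFTER))    # ('ipsec-tunnel', '192.168.24.14')
    print("after fix,  to internet:  ", server_to_internet(NAT_AFTER))  # ('internet', '203.0.113.69')
```

The third case is the check worth keeping in mind when adding the route-map: the `permit ip any any` line after the deny is what keeps the server reachable on its public address for everything that is not VPN traffic. Verifying on a real router means checking `show ip nat translations` for the server's address while it talks to the 101 network (there should be no translation) and confirming the IPsec SA counters increment.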