05-14-2011 09:04 AM - last edited on 03-25-2019 10:57 PM by ciscomoderator
I'm trying to get a site-to-site tunnel up between a UC540 and another device. I've got the tunnel up and connected fine, so my VPN settings are ok. But no traffic is passing. My Cisco config is below and I've verified the remote side's config as well. Is there an access list that I'm missing somewhere?
Local LAN: 192.168.1.0/24
Remote LAN: 192.168.0.0/24
Remote Peer: 9.9.9.9
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key keygoeshere address 9.9.9.9
!
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 9.9.9.9
set transform-set VPNSET
match address 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip host 9.9.9.9 any
interface FastEthernet0/0
crypto map VPNMAP
05-14-2011 02:50 PM
Did you make sure to exclude traffic going between these subnets from NAT?
05-15-2011 05:22 AM
Hi,
You probably don't need this line,
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
Confirm you have IP routing via your WAN interfaces -
i.e. ip route 192.168.0.0 255.255.255.0 fa0/0
Also ensure, if you have an Access list protecting your WAN interface that you allow remote site IP sec traffic.
i.e. esp/ahp, udp 500
and then as suggested your nat rules
for example, if you have
ip nat inside source list 101 interface f0/0 overload
then access list 101 could look something like
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Also, if you're using your UC for voice and the VPN for voice, then make sure your access-list 150 includes the SCCP IP address of your UC as found under telephony-service. You may want to include your local voice subnet so that phones can send media directly between each other. If you don't want to do this, mark your remote phones as remote (mtp).
hope this helps.
Adam