
IPSec VPN on UC540

todd.shipway
Level 1

I'm trying to get a site-to-site tunnel up between a UC540 and another device. I've got the tunnel up and connected fine so my VPN settings are ok. But no traffic is passing. My Cisco config is below and I've verified the remote side's config as well. Is there an access list that I'm missing somewhere?

Local LAN: 192.168.1.0/24

Remote LAN: 192.168.0.0/24

Remote Peer: 9.9.9.9

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keygoeshere address 9.9.9.9
!
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 9.9.9.9
 set transform-set VPNSET
 match address 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip host 9.9.9.9 any
interface FastEthernet0/0
 crypto map VPNMAP

2 Replies

Did you make sure to exclude traffic going between these subnets from NAT?

ADAM CRISP
Level 4

Hi,

You probably don't need this line:

access-list 150 permit ip 192.168.1.0 0.0.0.255 any

Confirm you have IP routing via your WAN interfaces -

i.e. ip route 192.168.0.0 255.255.255.0 fa0/0

Also ensure, if you have an access list protecting your WAN interface, that you allow the remote site's IPsec traffic,

i.e. esp/ahp, udp 500

and then, as suggested, your NAT rules.

For example, if you have

ip nat inside source list 101 interface f0/0 overload

then access list 101 could look something like

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any


Also, if you're using your UC for voice and the VPN for voice, then make sure your access-list 150 includes the SCCP IP address of your UC as found under telephony-service. You may want to include your local voice subnet so that phones can send media directly between each other. If you don't want to do this, mark your remote phones as remote (mtp).

Hope this helps.

Adam
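A small checker, added here as an example and not part of the original thread, that applies the point raised in both replies (traffic selected by the crypto map must be exempted from NAT, and the `permit ... any` line in ACL 150 is too broad): it parses numbered IOS ACLs of the form shown on the page and reports crypto-ACL entries that the NAT ACL would still translate. The sample config is constructed from the thread's ACL 150 and Adam's suggested ACL 101; only `access-list N permit|deny ip SRC DST` lines are modelled, with IOS first-match semantics assumed.

```python
import ipaddress

# Constructed sample: the thread's crypto ACL 150 plus the NAT ACL 101 that Adam
# suggests (deny the VPN-bound traffic before the catch-all permit).
SAMPLE_CONFIG = """
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Invert the wildcard explicitly so a 0.0.0.0 wildcard (one host) is a /32, not a /0.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only 'access-list N permit|deny ip SRC DST' lines are modelled
        rest = tokens[4:]
        acls.setdefault(tokens[1], []).append((tokens[2], _parse_addr(rest), _parse_addr(rest)))
    return acls

def nat_verdict(src, dst, nat_acl):
    """Fate of one crypto-ACL flow under a NAT ACL (IOS: top-down, first match wins)."""
    for nat_action, nat_src, nat_dst in nat_acl:
        if src.overlaps(nat_src) and dst.overlaps(nat_dst):
            if nat_action == "permit":
                return "translated"
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                return "exempt"
            return "partially exempt"  # deny matches only part of the crypto entry
    return "exempt"  # no overlapping line at all: the implicit deny at the end applies

def nat_gaps(crypto_acl, nat_acl):
    """Crypto-ACL permit entries whose traffic the NAT ACL would still translate."""
    verdicts = ((s, d, nat_verdict(s, d, nat_acl)) for a, s, d in crypto_acl if a == "permit")
    return [(str(s), str(d), v) for s, d, v in verdicts if v != "exempt"]
```

Run against the sample, the first line of ACL 150 is fully exempted by Adam's second deny, while the `permit ... any` line is reported as only partially exempt, which is the traffic that would otherwise be translated and never enter the tunnel.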