04-29-2010 10:24 AM - edited 03-21-2019 02:30 AM
Guys,
I am having a problem with the VPN setup. I am able to ping from A to B, but not the other way around. I have checked my access-list and VPN setup, and also rebooted the unit, and no luck. Any idea?
When I look at the access-list on site B, it shows that site A is hitting site B. But on site A there is totally nothing.
Thank you...
site a:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address YYY no-xauth
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map site-to-site 1 ipsec-isakmp
description connection to queens office
set peer YYY
set transform-set vpnset
match address splittunnel
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address YYY 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map site-to-site
ip nat inside source list nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.3 192.168.10.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.10.0 0.0.0.252 any
ip access-list extended splittunnel
permit ip 192.168.20.0 0.0.0.255 any
permit icmp any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.20.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 216.211.192.128 0.0.0.127 any
access-list 104 permit ip 72.248.147.168 0.0.0.7 any
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp host 63.203.35.55 eq domain any
access-list 104 permit udp host 208.67.222.222 eq domain any
access-list 104 permit udp host 4.2.2.2 eq domain any
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
===================================================================================
site b
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address YYY no-xauth
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map site-to-site 1 ipsec-isakmp
description connection to manhattan office
set peer YYY
set transform-set myset
match address splittunnel
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address YYY
ip access-group aclin in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map site-to-site
ip nat inside source list nat interface FastEthernet0/0 overload
ip access-list extended aclin
deny ip 10.1.10.0 0.0.0.3 any
deny ip 10.1.1.0 0.0.0.255 any
deny ip 192.168.10.0 0.0.0.255 any
permit ip 216.211.192.128 0.0.0.127 any
permit ip 72.248.202.112 0.0.0.15 any
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
permit udp host 63.203.35.55 eq domain any
permit udp host 208.67.222.222 eq domain any
permit udp host 4.2.2.2 eq domain any
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.10.0 0.0.0.3 any
ip access-list extended splittunnel
permit ip 192.168.10.0 0.0.0.255 any
permit icmp any any
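The crypto ACLs (the "match address splittunnel" lists) on the two peers of an IPsec tunnel are expected to be mirror images of each other, and the NAT ACL has to exempt tunnel traffic, because IOS translates inside-to-outside traffic before the crypto map is consulted. The script below is an added example, not part of this thread and not a Cisco tool: it parses the ACL lines copied from the two configs above into a small wildcard matcher, reports crypto entries that have no mirror on the other peer, and checks whether constructed sample flows (192.168.20.10 to 192.168.10.10, and to an internet host 203.0.113.5) are exempt from NAT on site a.

```python
"""Two checks on the IOS ACLs posted above, for a site-to-site IPsec tunnel:
(1) are the peers' crypto ACLs mirror images of each other, and (2) does the
NAT ACL exempt (first match = deny) traffic meant to ride the tunnel?  ACL
text is copied from the thread; flow addresses are constructed sample hosts."""
import ipaddress
from dataclasses import dataclass

SITE_A_CRYPTO = """
permit ip 192.168.20.0 0.0.0.255 any
permit icmp any any
"""
SITE_B_CRYPTO = """
permit ip 192.168.10.0 0.0.0.255 any
permit icmp any any
"""
SITE_A_NAT = """
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.3 192.168.10.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.10.0 0.0.0.252 any
"""

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Match:
    """Address spec kept as raw ints (wildcard 1-bits = don't care), so that a
    non-contiguous wildcard such as 0.0.0.252 is evaluated the way IOS does."""
    addr: int
    wildcard: int

    def covers(self, ip: int) -> bool:
        mask = ~self.wildcard & 0xFFFFFFFF
        return ip & mask == self.addr & mask

ANY = Match(0, 0xFFFFFFFF)

@dataclass(frozen=True)
class Ace:
    action: str  # permit | deny
    proto: str   # ip, icmp, udp, ...
    src: Match
    dst: Match
    text: str    # original line, for reporting

def _parse_match(tokens, i):
    """Consume one address spec at tokens[i] plus an optional port qualifier."""
    if tokens[i] == "any":
        m, i = ANY, i + 1
    elif tokens[i] == "host":
        m, i = Match(_ip(tokens[i + 1]), 0), i + 2
    else:
        m, i = Match(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        i += 2  # skip "eq domain" and the like
    return m, i

def parse_acl(text: str):
    """Parse permit/deny lines of an extended ACL; remarks and trailing
    qualifiers (log, unreachable, ...) are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_match(t, 2)
        dst, _ = _parse_match(t, i)
        aces.append(Ace(t[0], t[1], src, dst, line.strip()))
    return aces

def unmirrored(local, remote):
    """Permit entries of `local` with no mirror (same protocol, src and dst
    swapped) among `remote`'s permits; IPsec peers' crypto ACLs should mirror."""
    mirrors = {(a.proto, a.dst, a.src) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.proto, a.src, a.dst) not in mirrors]

def first_match(acl, proto, src_ip, dst_ip):
    """First ACE matching the flow, or None for the implicit deny at the end."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for a in acl:
        if a.proto in ("ip", proto) and a.src.covers(s) and a.dst.covers(d):
            return a
    return None

def nat_exempts(nat_acl, proto, src_ip, dst_ip) -> bool:
    """True if the flow stays untranslated: the first NAT-ACL match is a deny,
    or nothing matches.  Tunnel traffic that is translated never enters it."""
    m = first_match(nat_acl, proto, src_ip, dst_ip)
    return m is None or m.action == "deny"

if __name__ == "__main__":
    a, b = parse_acl(SITE_A_CRYPTO), parse_acl(SITE_B_CRYPTO)
    for site, local, remote in (("site a", a, b), ("site b", b, a)):
        for ace in unmirrored(local, remote):
            print(f"{site}: no mirror on the other peer for '{ace.text}'")
    nat = parse_acl(SITE_A_NAT)  # constructed sample hosts below
    for dst in ("192.168.10.10", "203.0.113.5"):
        print(f"site a: 192.168.20.10 -> {dst} exempt from NAT:",
              nat_exempts(nat, "icmp", "192.168.20.10", dst))
```

Run it with no arguments. A "permit ip <lan> any" crypto entry only mirrors a "permit ip any <lan>" entry on the far side, so the checker flags the "ip" line of each splittunnel list while the "permit icmp any any" lines mirror each other. Because the matcher keeps wildcards as raw bits, it also shows that site a's nat entry "permit ip 10.1.10.0 0.0.0.252 any" matches only every fourth address (10.1.10.0, .4, .8, ...), unlike the 0.0.0.3 wildcard used for that subnet elsewhere in both configs.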
04-29-2010 02:11 PM
In your aclin access list there is a deny 192.168.0.0 0.0.0.255 command.
Are you seeing any counter increase in the ACL when the ICMP is denied?
Temporarily take out the inbound ACL from the outbound interfaces and see if the issue clears.
Another option is to leverage GRE tunnels across the IPsec. It gives a little more routing flexibility.