cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
423
Views
0
Helpful
2
Replies

1720 Site to Site VPN + Site internet access

zehren
Level 1
Level 1

Hi,

I would greatly appreciate any help on this matter.

I currently have 1720's at each site(Say westcoast/eastcoast). Each is connected to the Internet by ADSL. Eastcoast site will host a FTP and SMTP server and is subnetted 192.168.1.0. Westcoast site will just host a FTP server and is subnetted 192.168.2.0. Each site will also need access to the outside world.

Below is the faulty config....

Thanks

eastcoastRouter#show config

Using 2495 out of 29688 bytes

!

version 12.2

no parser cache

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname eastcoastRouter

!

!

memory-size iomem 15

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

ip name-server 192.168.1.3

!

ip audit notify log

ip audit po max-events 100

ip ssh time-out 120

ip ssh authentication-retries 3

no ip dhcp-client network-discovery

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key coolkey address 99.99.99.3

!

!

crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac

crypto mib ipsec flowmib history tunnel size 200

crypto mib ipsec flowmib history failure size 200

!

crypto map cm-cryptomap local-address Ethernet0

crypto map cm-cryptomap 1 ipsec-isakmp

set peer 99.99.99.3

set transform-set cm-transformset-1

match address 100

!

!

!

!

interface Ethernet0

description connected to Internet

ip address 200.150.100.50 255.255.255.252

ip nat outside

no ip route-cache

no ip mroute-cache

half-duplex

crypto map cm-cryptomap

!

interface FastEthernet0

description connected to XXXXXXXXX

ip address 192.168.1.1 255.255.255.0

ip nat inside

speed auto

!

router rip

version 2

passive-interface Ethernet0

network 192.168.1.0

no auto-summary

!

ip nat pool VailRouter-natpool-1 200.150.100.50 200.150.100.50 netmask 255.255

.255.252

ip nat inside source list 1 pool VailRouter-natpool-1 overload

ip nat inside source static tcp 192.168.1.2 25 200.150.100.50 25 extendable

ip nat inside source static tcp 192.168.1.2 21 200.150.100.50 21 extendable

ip nat inside source static tcp 192.168.1.1 23 200.150.100.50 23 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 200.150.100.49

ip route 192.168.2.0 255.255.255.0 99.99.99.3

no ip http server

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip 200.150.100.48 0.0.0.3 99.99.99.1 0.0.0.3

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

!

2 Replies 2

Iske
Level 1
Level 1

sometimes i've had problems with

networks in 'crypto' access-lists

try perm ip ho 200.150.100.50 ho 192.168.2.xxx

ddrodge
Level 1
Level 1

Hi,

I had to turn NAT off for the IPSEC tunnell for this to work. My C1720 router VPN template is copied below. This works for us. I have three (3) remote sites using C1720 VPN bundles to a C1720 VPN bundle at HQ. Internet is not currently allowed from the remote sites ( add www/port 80 in access-list 101) only the IPSEC tunnell and telnet access.

Hope this helps.

sh ru

Building configuration...

Current configuration : 2031 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname router

!

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login default local

enable secret 5 $1$9rb5$hk6VaA2RLx5pnj6fkl8ET1

enable password mccnew

!

username xxxxxxxxxx password 0 xxxxxxx

username xxxxxxxxx password 0 xxxxxxx

memory-size iomem 20

ip subnet-zero

!

!

no ip finger

no ip domain-lookup

!

ip audit notify log

ip audit po max-events 100

no ip dhcp-client network-discovery

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key Keyword address (IP remote outside)

!

!

crypto ipsec transform-set trans1 esp-des esp-md5-hmac

!

crypto map intmap 1 ipsec-isakmp

set peer (IP remote outside)

set transform-set trans1

match address 120

!

!

!

!

interface Ethernet0

ip address (IP local outside)255.255.255.xxx

ip access-group 101 in

ip nat outside

no ip route-cache

no ip mroute-cache

shutdown

half-duplex

crypto map intmap

!

interface FastEthernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

no ip route-cache

ip policy route-map napnat

no ip mroute-cache

shutdown

speed auto

full-duplex

!

ip nat inside source route-map nonat interface Ethernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 (IP local outside gaetway)

ip route 192.168.2.0 255.255.255.0 (IP remote outside)

no ip http server

!

access-list 101 permit tcp any any eq telnet

access-list 101 permit esp any any

access-list 101 permit ahp any any

access-list 101 permit udp any any eq isakmp

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit icmp any any

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

!

route-map nonat permit 10

match ip address 102

!