871 ISR Site to Site

dangeriscoupe1
Level 1

I was tasked with building a site-to-site VPN with a partner vendor, and after exchanging information such as peer address, PSK, etc., I started to build my end of the tunnel. The way the topology is set up is that I have an 871 ISR behind a broadband business-class router that currently allows unrestricted access out to the Internet. After configuring the tunnel, I can't seem to ping my peer address when I apply access-list 100 to int fa4 (outside WAN), but I can ping when access-list 102 is applied. Am I doing something wrong? It would be great if someone out there could give me some feedback on this. Below are the commands I implemented on the router. Thanks in advance, guys!

My Internal =  172.28.3.1/24

My Public   =  50.243.50.102

Peer Internal =  206.53.227.250

Peer Public   =  206.53.227.24

access-list 100 permit ip 172.28.3.0 0.0.0.255 206.53.227.240 0.0.0.15
access-list 100 deny ip any any
!
! "in" is not part of this command's syntax; corrected form:
ip nat inside source list 100 interface FastEthernet4 overload
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 ! required for a pre-shared-key peer (the IOS default is rsa-sig)
 authentication pre-share
 group 2
crypto isakmp key <Key> address 206.53.227.24
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 206.53.227.24
 set transform-set myset
 match address 100
!
interface FastEthernet4
 ip nat outside
 crypto map mymap

1 Reply

The crypto-ACL that defines the traffic that should be sent through the VPN is not meant to be applied to an interface. The interface-ACL should include anything you had before in the ACL and the IPsec traffic between the two peers (IP/50 and UDP/500).

Here is an example for the interface-ACLs: https://supportforums.cisco.com/docs/DOC-38580


Sent from Cisco Technical Support iPad App
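One way to lay the ACLs out the way the reply describes, as an added example that is not from the original thread or from the linked Cisco document: it uses the addresses the poster listed, assumes 50.243.50.102 is already configured on FastEthernet4 and that Vlan1 is the inside interface, and the ACL names (VPN-TRAFFIC, NAT-TRAFFIC, OUTSIDE-IN) are made up. It also goes one step beyond the reply by splitting the NAT ACL from the crypto ACL, because the posted config uses access-list 100 for both, which would translate the tunnel traffic before the crypto map sees it.

```cisco
! Added example; not the poster's running config. Addresses are the ones
! listed in the question; ACL names are arbitrary.
!
! 1. Crypto ACL: selects which traffic is encrypted. It is referenced by
!    the crypto map only and is never applied with "ip access-group".
ip access-list extended VPN-TRAFFIC
 permit ip 172.28.3.0 0.0.0.255 206.53.227.240 0.0.0.15
!
! 2. NAT ACL: exempt the tunnel traffic from PAT first, so it still
!    carries its private source address when the crypto map checks it,
!    then translate everything else bound for the Internet.
ip access-list extended NAT-TRAFFIC
 deny   ip 172.28.3.0 0.0.0.255 206.53.227.240 0.0.0.15
 permit ip 172.28.3.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet4 overload
!
! 3. Interface ACL for the outside interface: the IKE (UDP/500) and ESP
!    (IP protocol 50) exchange with the peer, plus whatever the existing
!    access-list 102 already permitted. UDP/4500 only matters if a NAT
!    device sits between the peers and NAT-T is negotiated.
ip access-list extended OUTSIDE-IN
 remark IKE and ESP from the partner peer only
 permit udp host 206.53.227.24 host 50.243.50.102 eq isakmp
 permit udp host 206.53.227.24 host 50.243.50.102 eq non500-isakmp
 permit esp host 206.53.227.24 host 50.243.50.102
 remark some IOS releases re-check decrypted packets against this ACL
 permit ip 206.53.227.240 0.0.0.15 172.28.3.0 0.0.0.255
 remark --- carry over the existing entries of access-list 102 here ---
 remark log what gets dropped so misconfigurations show up in syslog
 deny   ip any any log
!
! Phase 1 / Phase 2 as agreed with the partner (3DES, SHA-1, DH group 2).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <Key> address 206.53.227.24
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 206.53.227.24
 set transform-set myset
 match address VPN-TRAFFIC
!
! Assumption: Vlan1 is the LAN side; FastEthernet4 already has
! 50.243.50.102 configured.
interface Vlan1
 ip nat inside
!
interface FastEthernet4
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map mymap
```

After sending interesting traffic, `show crypto isakmp sa` should list 206.53.227.24 in state QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters increasing; if the tunnel still does not come up, the hit counter on the final `deny ip any any log` line of `show access-lists OUTSIDE-IN` and the matching syslog entries tell you which flow the interface ACL is still dropping. 3DES and SHA-1 are kept here because they are what the partner exchanged; if the peer supports AES and SHA-2, prefer those in both the ISAKMP policy and the transform set.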