09-09-2013 02:53 AM
I am trying to set up a VPN connection between two sites. The remote site is a 3650 switch connecting to a Palo Alto firewall. I can bring up the VPN with no problems but I am unable to send traffic over the VPN.
Here is the config from the Cisco switch
crypto isakmp policy 10
<removed>
<removed>
<removed>
crypto isakmp key xxxxxxxx address 10.1.1.252
!
crypto ipsec transform-set myset <removed>
!
crypto map GNFVPN 10 ipsec-isakmp
set peer 10.1.1.252
set transform-set myset
<removed>
match address VPN-Traffic
!
interface Vlan41
ip address 10.10.0.70 255.255.255.192
crypto map GNFVPN
!
interface Vlan100
ip address 10.20.0.1 255.255.248.0
!
ip access-list extended VPN-Traffic
permit ip 10.20.0.0 0.0.255.255 any log
!
ip route 0.0.0.0 0.0.0.0 10.10.0.65
When I ping an address that should go over the VPN from 10.10.0.70 I see a log message that says traffic has hit the ACL and it goes over the VPN. When I try from a PC in Vlan 41 I see nothing and it goes out on the correct interface but not within the VPN.
Any help would be great!
09-09-2013 03:06 AM
Hi,
You must create a rule so that traffic from VLAN 41 will be permitted through the VPN tunnel. Don't forget the NAT exemption for VLAN 41 for VPN use.
Regards
Markus
09-09-2013 03:17 AM
Thanks for your reply.
There is already an ACL applied.
ip access-list extended VPN-Traffic
permit ip 10.20.0.0 0.0.255.255 any log
This covers a number of other VLANs that are not in the config above.
This is a LAN-to-LAN VPN where we do not NAT any of the IP addresses.
09-09-2013 03:29 AM
So the VPN tunnel does not go through the internet?
This configuration is for Vlan 41?
"
ip access-list extended VPN-Traffic
permit ip 10.20.0.0 0.0.255.255 any log
"
09-09-2013 04:32 AM
No this VPN does not go over the internet.
We have 4 VLANs on this network that need to go over the VPN and are covered by the ACL 'VPN-Traffic'. The default route is for all traffic to go out on VLAN 41.
When I ping a PC with a source IP address of Vlan100 (10.20.0.1) it goes over the VPN with no problems. When I try to ping from a PC on Vlan100 with an IP address of 10.20.0.250 it just goes out on the interface but not over the VPN.
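Added example, not code from the thread: a small checker that evaluates a source/destination pair against the posted crypto ACL VPN-Traffic using Cisco wildcard-mask semantics (bits set in the wildcard are "don't care", first match wins, implicit deny at the end), so you can confirm which of the sources discussed above the crypto map would actually select. The remote host address 192.0.2.10 is a placeholder; the ACL entry is copied from the config in the thread, with "any" expressed as 0.0.0.0 with wildcard 255.255.255.255.

```python
import ipaddress

# Constructed copy of the crypto ACL from the thread:
# (action, src_base, src_wildcard, dst_base, dst_wildcard)
VPN_TRAFFIC_ACL = [
    ("permit", "10.20.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(address, base, wildcard):
    """Cisco wildcard-mask match: a wildcard bit of 1 means that bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def is_interesting(src, dst, acl=VPN_TRAFFIC_ACL):
    """True if the flow would be selected by the crypto map's match address ACL."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    # No entry matched: implicit deny, so the packet follows the normal route in the clear.
    return False


def classify(flows, acl=VPN_TRAFFIC_ACL):
    """Map each (src, dst) pair to whether it is encrypted by the crypto map."""
    return {(s, d): is_interesting(s, d, acl) for s, d in flows}


if __name__ == "__main__":
    # Constructed sample flows built from the addresses mentioned in the thread.
    sample = [
        ("10.20.0.1", "192.0.2.10"),    # Vlan100 SVI, the source that worked
        ("10.20.0.250", "192.0.2.10"),  # PC on Vlan100 that reportedly went out in the clear
        ("10.10.0.70", "192.0.2.10"),   # Vlan41 SVI, outside the ACL's source range
    ]
    for flow, hit in classify(sample).items():
        print(flow, "-> crypto map" if hit else "-> clear text (no ACL match)")
```

If a source the checker reports as matching still leaves the interface unencrypted, the crypto ACL itself is not the reason, which narrows the investigation to routing toward the crypto-map interface, the peer's mirror-image ACL, or platform support.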