IPSec LAN-to-LAN (VPN3005 to IOS) Troubleshooting

ovieira
Level 1

Hi!

I'm having trouble deploying a LAN-to-LAN VPN/IPSec tunnel between a VPN3005 (v4.7) and a CS1721 IOS router (v 12.3.7). I believe it is a design thing. Both the VPN3005 and the CS1721 have several LANs on their local network. What I want to do is for a particular IP network, from the CS1721 side, to access the Internet through the VPN3005 (headquarters).

How are the LANs defined both on the VPN3005 and on the CS1721 (see example)?

VPN3005

LAN1 - 10.10.10.0/24

LAN2 - 10.10.20.0/24

PUBLIC IP - 200.200.200.1/30 - example

GW - 200.200.200.2 (Local Internet router)

CS1721

LAN1 - 10.100.10.0/24

LAN2 - 10.100.20.0/24

LAN3 - 192.168.10.0/24

I want both LAN1 and LAN2 from the CS1721 to access the Internet locally, and LAN3 to access the Internet through the VPN/IPsec tunnel.

Regards.


wong34539
Level 6

This document provides an explanation of common debug commands that are used to troubleshoot IPsec issues on both Cisco IOS Software and PIX. It is assumed that an attempt to configure IPsec is completed. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2301/products_configuration_example09186a0080093f6b.shtml

jackko
Level 7

on the router:

ip access-list extended no_nat
 remark deny = exempt from NAT (goes into the tunnel untranslated), permit = translate locally
 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 any
 permit ip 10.100.10.0 0.0.0.255 any
 permit ip 10.100.20.0 0.0.0.255 any

ip access-list extended to_be_encrypted
 remark crypto ACL: interesting traffic for the LAN-to-LAN tunnel, mirrors the no_nat deny entries
 permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

On the concentrator, you can mirror the ACL as above. I guess you'll also need to configure a default gateway for the VPN tunnel.

Go to Configuration > System > IP Routing > Default Gateways, option "Tunnel Default Gateway". The tunnel default gateway is usually an internal router behind the concentrator, located in the LAN.
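The point of the reply above is that the NAT-exemption ACL and the crypto ACL have to agree: on IOS, inside-to-outside traffic is translated before the crypto map is consulted, so any flow the crypto ACL expects to encrypt but the NAT ACL still permits leaves the router in the clear with a translated source. The following Python script is an added example, not the poster's configuration or a Cisco tool: it parses the two ACLs exactly as given in the reply, models first-match evaluation with the implicit deny, walks a few constructed sample flows through NAT-then-crypto, and reports flows that would be misrouted. The router's outside address (203.0.113.1), the sample host addresses and the "misordered" variant of no_nat are all constructed for the demonstration.

```python
import ipaddress

# Router ACLs as given in the reply above, as IOS extended-ACL entries.
NO_NAT_ACL = """
deny   ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny   ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 any
permit ip 10.100.10.0 0.0.0.255 any
permit ip 10.100.20.0 0.0.0.255 any
"""

CRYPTO_ACL = """
permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
"""

# Constructed variant of no_nat with the permit entries placed first: a common
# ordering mistake, since IOS evaluates ACEs top-down and stops at the first match.
MISORDERED_NO_NAT_ACL = """
permit ip 10.100.10.0 0.0.0.255 any
permit ip 10.100.20.0 0.0.0.255 any
deny   ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny   ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 any
"""

# Assumed router outside address used as the PAT source (placeholder; the thread
# does not state the CS1721's public IP).
ROUTER_PUBLIC_IP = "203.0.113.1"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (0 bits = must match) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = 0xFFFFFFFF ^ wc
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_address(tokens):
    """Consume one ACE address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src_net, dst_net)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_address(rest)
        dst, _ = _take_address(rest)
        aces.append((action, src, dst))
    return aces


def acl_action(aces, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forward(src, dst, crypto_text, no_nat_text):
    """Model the inside-to-outside path on IOS: NAT runs before the crypto map,
    so a translated packet is matched against the crypto ACL with its new source."""
    crypto, no_nat = parse_acl(crypto_text), parse_acl(no_nat_text)
    translated = acl_action(no_nat, src, dst) == "permit"
    post_nat_src = ROUTER_PUBLIC_IP if translated else src
    if acl_action(crypto, post_nat_src, dst) == "permit":
        return "tunnel"
    return "nat-local" if translated else "clear"


# Constructed sample flows: one host per subnet from the question.
SAMPLE_FLOWS = [
    ("10.100.10.5", "10.10.10.7"),      # LAN1 -> HQ LAN1: should be tunnelled
    ("10.100.10.5", "198.51.100.20"),   # LAN1 -> Internet: should be NATed locally
    ("192.168.10.9", "198.51.100.20"),  # LAN3 -> Internet: should go via the tunnel
    ("10.100.20.3", "10.10.20.4"),      # LAN2 -> HQ LAN2: should be tunnelled
]


def find_misrouted(crypto_text, no_nat_text, flows=SAMPLE_FLOWS):
    """Flows the crypto ACL intends to encrypt but that the NAT ACL translates first."""
    crypto = parse_acl(crypto_text)
    return [
        (src, dst) for src, dst in flows
        if acl_action(crypto, src, dst) == "permit"
        and forward(src, dst, crypto_text, no_nat_text) != "tunnel"
    ]


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {forward(src, dst, CRYPTO_ACL, NO_NAT_ACL)}")
    print("misrouted (correct no_nat):", find_misrouted(CRYPTO_ACL, NO_NAT_ACL))
    print("misrouted (misordered no_nat):", find_misrouted(CRYPTO_ACL, MISORDERED_NO_NAT_ACL))
```

With the ACLs as posted, the LAN1/LAN2-to-HQ and LAN3-to-Internet flows come out as "tunnel" and LAN1-to-Internet as "nat-local", which is the split the question asks for. With the misordered variant, the two HQ-bound flows are translated before the crypto map sees them and are reported as misrouted; on a real router the symptom is that `show crypto ipsec sa` shows no encaps for those subnets while the packets show up in `show ip nat translations`.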
