10-13-2005 06:32 AM - edited 02-21-2020 02:02 PM
Hi!
I'm having trouble deploying a LAN-to-LAN VPN/IPSec tunnel between a VPN3005 (v4.7) and a CS1721 IOS router (v 12.3.7). I believe it is a design thing. Both the VPN3005 and the CS1721 have several LANs on their local network. What I want to do is for a particular IP network, from the CS1721 side, to access the Internet through the VPN3005 (headquarters).
How are the LANs defined both on the VPN3005 and on the CS1721 (see example)?
VPN3005
LAN1 - 10.10.10.0/24
LAN2 - 10.10.20.0/24
PUBLIC IP - 200.200.200.1/30 - example
GW - 200.200.200.2 (Local Internet router)
CS1721
LAN1 - 10.100.10.0/24
LAN2 - 10.100.20.0/24
LAN3 - 192.168.10.0/24
I want both LAN1 and LAN2 from the CS1721 to access the Internet locally and LAN3 to access the Internet through the VPN/IPsec tunnel.
Regards.
10-19-2005 12:57 PM
This document provides an explanation of common debug commands that are used to troubleshoot IPsec issues on both Cisco IOS Software and PIX. It is assumed that an attempt to configure IPsec is completed. Refer to Common IPsec Error Messages and Common IPSec Issues for more details.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
10-19-2005 05:27 PM
on the router:
ip access-list extended no_nat
 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 any
 permit ip 10.100.10.0 0.0.0.255 any
 permit ip 10.100.20.0 0.0.0.255 any
ip access-list extended to_be_encrypted
 permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
on the concentrator, you can mirror the acl as above. I guess you'll also need to configure a default gateway for the vpn tunnel.
go configuration > system > ip routing > default gateways, option "tunnel default gateway". the tunnel default gateway is usually an internal router behind the concentrator located in the lan.
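As an added example (not part of either post, and not Cisco tooling): the NAT-exemption ACL and the crypto ACL in the answer above must describe the same set of flows, otherwise tunnel traffic is either NATed before encryption (and fails the peer's proxy-identity check) or exempted from NAT but never encrypted. The Python below parses IOS named extended ACLs, converts wildcard masks to prefixes, and reports any flow present in one list but not the other. The first config text is the answer's ACLs; the second is a constructed, deliberately inconsistent variant that drops the 192.168.10.0 exemption so the check has something to find.

```python
"""Cross-check an IOS NAT-exemption ACL against the matching crypto ACL."""
import ipaddress

# The ACLs from the answer above, transcribed as IOS named extended ACLs.
IOS_ACLS = """
ip access-list extended no_nat
 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 any
 permit ip 10.100.10.0 0.0.0.255 any
 permit ip 10.100.20.0 0.0.0.255 any
ip access-list extended to_be_encrypted
 permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
"""

# Constructed misconfiguration: the LAN3 "deny" is missing from no_nat, so LAN3
# traffic would be translated to the public address before the crypto map sees it.
BROKEN_ACLS = IOS_ACLS.replace(" deny ip 192.168.10.0 0.0.0.255 any\n", "")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network.

    IOS wildcard bits set to 1 mean "don't care", i.e. the inverse of a subnet
    mask. Discontiguous wildcards are legal in IOS but have no prefix form, so
    they are rejected here rather than silently approximated."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} has no prefix equivalent")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _parse_endpoint(tokens, i):
    """Consume one source or destination spec at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_named_acls(text):
    """Return {acl_name: [(action, protocol, src_net, dst_net), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
            continue
        if current is None or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unexpected line: {raw.strip()}")
        src, i = _parse_endpoint(tokens, 2)
        dst, _ = _parse_endpoint(tokens, i)
        acls[current].append((tokens[0], tokens[1], src, dst))
    return acls


def check_nat_exemption(acls, crypto_name="to_be_encrypted", nat_name="no_nat"):
    """Return (encrypted_but_natted, exempt_but_not_encrypted) as sorted lists.

    encrypted_but_natted: flows the crypto ACL selects that the NAT ACL still
    translates, so they reach the peer with the wrong (public) source address.
    exempt_but_not_encrypted: flows left un-NATed with no crypto entry, so they
    would be forwarded in the clear with an unroutable private source."""
    encrypted = {(s, d) for a, p, s, d in acls[crypto_name] if a == "permit" and p == "ip"}
    exempt = {(s, d) for a, p, s, d in acls[nat_name] if a == "deny" and p == "ip"}
    return sorted(encrypted - exempt), sorted(exempt - encrypted)


def report(text):
    """Human-readable summary for a config text; returns the two mismatch lists."""
    natted, unencrypted = check_nat_exemption(parse_named_acls(text))
    for s, d in natted:
        print(f"NOT EXEMPT FROM NAT but selected for encryption: {s} -> {d}")
    for s, d in unencrypted:
        print(f"EXEMPT FROM NAT but not encrypted: {s} -> {d}")
    if not natted and not unencrypted:
        print("no_nat and to_be_encrypted describe the same flows")
    return natted, unencrypted


if __name__ == "__main__":
    report(IOS_ACLS)
    report(BROKEN_ACLS)
```

The same check applies to a PIX/ASA `nat 0 access-list` exemption ACL; only the config parser would change. The concentrator side has no text config to parse, so its mirrored network lists still have to be eyeballed against the router's crypto ACL.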