10-12-2019 10:39 AM - edited 02-21-2020 09:46 PM
Hello guys.
I'm practicing IKEv1 tunnels and trying to set up an IPsec tunnel to pass LAN traffic through the tunnel between the 2 sites, and I also want the LAN network on each side to be able to reach "the Internet" (I'm using NAT overload for this).
The PCs on site 1 and site 2 are able to reach the Internet, but they cannot communicate with each other's LAN networks.
I left the Packet Tracer file attached; please try to help me find out what I'm missing.
Note: By "Internet" I mean IP 8.8.8.8, which is configured on the Internet Cloud.
Ping from Site1PC1 to Site2PC1
Packet Tracer PC Command Line 1.0
C:\>ping 192.168.20.1
Pinging 192.168.20.1 with 32 bytes of data:
Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.
Ping statistics for 192.168.20.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
HERE ARE MY CONFIGS:
Router Site 1
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key MYKEY address 200.200.20.2
!
crypto ipsec transform-set MYTS esp-aes 256 esp-sha-hmac
!
crypto map MYCRYMAP 10 ipsec-isakmp
 set peer 200.200.20.2
 set transform-set MYTS
 match address 100
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 ip address 189.150.50.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map MYCRYMAP
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 189.150.50.1
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
Router Site 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key MYKEY address 189.150.50.2
!
crypto ipsec transform-set MYTS esp-aes 256 esp-sha-hmac
!
crypto map MYCRYMAP 10 ipsec-isakmp
 set peer 189.150.50.2
 set transform-set MYTS
 match address 100
!
interface GigabitEthernet0/0/0
 ip address 200.200.20.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map MYCRYMAP
!
interface GigabitEthernet0/0/1
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.200.20.1
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Thanks in advance!
10-12-2019 12:30 PM
10-12-2019 12:49 PM - edited 10-12-2019 12:51 PM
Hello RJI,
Your guess was right.
Site 1's LAN traffic was being NATted to reach the Internet even when the traffic wasn't meant for that, but for the other site's LAN.
I was able to figure it out like 30 min ago by inspecting the packets with the "simulation" Packet Tracer tool.
What also gave me a clue was that by enabling "debug crypto isakmp" on both routers, I wasn't getting anything at all, which indicated that the ACL on the crypto map probably wasn't even matching.
Your response helped me a lot though; I was still trying to figure out how to correct the NAT ACL! :)
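The cause the reply above points at is the Cisco IOS order of operations on the outside interface: for inside-to-outside traffic, NAT is applied before the crypto map ACL is evaluated, so a packet whose source has already been translated to the WAN address no longer matches access-list 100 and leaves in the clear toward the default route. The Python below is an added illustration, not code from this thread or from Cisco. It parses the ACLs from the Site 1 config in IOS wildcard-mask syntax, models that ordering, and compares the original standard ACL 1 with an assumed corrected extended ACL (numbered 110 here, a constructed example) that denies the site-to-site pair before permitting everything else to be overloaded; on the real router that list would also have to replace list 1 in the `ip nat inside source` command.

```python
from ipaddress import IPv4Address

# Assumed IOS pipeline for inside-to-outside traffic on the WAN interface:
# routing -> NAT inside-to-outside -> crypto map "match address" check.
# This is a model of that ordering, not Cisco code.


def _to_int(addr):
    return int(IPv4Address(addr))


def _match(ip, addr, wildcard):
    # IOS wildcard bits set to 1 are "don't care"; compare only the 0 bits.
    w = _to_int(wildcard)
    return (_to_int(ip) & ~w) == (_to_int(addr) & ~w)


def parse_acl(text):
    """Parse numbered IOS ACL lines into (action, src, swc, dst, dwc) tuples.

    Supports the standard form  'access-list N permit A.B.C.D W.X.Y.Z'
    and the extended form       'access-list N {permit|deny} ip SRC SWC DST DWC',
    with 'any' and 'host X' accepted for either address field.
    """
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action = tok[2]
        if tok[3] == "ip":              # extended ACL: source and destination
            rest = tok[4:]
        else:                           # standard ACL: source only, dest = any
            rest = tok[3:] + ["any"]
        fields, i = [], 0
        while i < len(rest):
            if rest[i] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]
                i += 1
            elif rest[i] == "host":
                fields += [rest[i + 1], "0.0.0.0"]
                i += 2
            else:
                fields += [rest[i], rest[i + 1]]
                i += 2
        entries.append((action, *fields))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, sa, sw, da, dw in entries:
        if _match(src, sa, sw) and _match(dst, da, dw):
            return action == "permit"
    return False


def forward_inside_to_outside(nat_acl, crypto_acl, src, dst, outside_ip):
    """Return what the packet looks like when it leaves the outside interface."""
    natted = acl_permits(nat_acl, src, dst)         # step 1: NAT overload?
    egress_src = outside_ip if natted else src      # translated source, if any
    encrypted = acl_permits(crypto_acl, egress_src, dst)  # step 2: crypto ACL
    return {"src": egress_src, "natted": natted, "encrypted": encrypted}


# ACLs taken from the Site 1 config posted in the thread.
CRYPTO_ACL = parse_acl(
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255")
NAT_ACL_ORIGINAL = parse_acl("access-list 1 permit 192.168.10.0 0.0.0.255")

# Assumed fix (constructed, not from the thread): exempt the VPN pair from NAT.
NAT_ACL_FIXED = parse_acl("""
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
""")

SITE1_WAN = "189.150.50.2"

if __name__ == "__main__":
    for label, nat_acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        for dst in ("192.168.20.1", "8.8.8.8"):
            r = forward_inside_to_outside(nat_acl, CRYPTO_ACL, "192.168.10.1", dst, SITE1_WAN)
            print(f"{label:8} 192.168.10.1 -> {dst:13} egress src={r['src']:14} "
                  f"natted={r['natted']} encrypted={r['encrypted']}")
```

With the original list 1, the LAN-to-LAN packet is translated to 189.150.50.2 and then fails the crypto ACL, which matches the symptom in the thread: no ISAKMP debug output because phase 1 is never triggered. With the extended list the same packet is left untranslated, matches access-list 100 and brings the tunnel up, while traffic to 8.8.8.8 is still overloaded. Site 2 needs the mirror-image change.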