Hi,

I don't actually have NAT setup as the interface is just for the S2S VPN, not using NAT at all... or do I need to enable NAT for the VPN to work?

Also, unsure if I need an incoming access list to allow the remote subnet into my Outside interface. If I don't have this,will it be allowed by default? e.g, if no incoming ACL is applied, does this mean all/any traffic can enter?

Ok, what is doing the VPN?

Router/ASA?

Can you paste all the crypto config (except passwords) and any NAT config and the relevant ACL's for me?

Jill

Hi Guys,

Below is the crypto config.

crypto isakmp policy 5

encr aes 256

hash md5

authentication pre-share

group 2

crypto isakmp key testvpn address 2.2.2.2

!

!

crypto ipsec transform-set TestTS esp-3des esp-md5-hmac

!

crypto map TestCMAP 5 ipsec-isakmp

set peer 2.2.2.2
set transform-set TestTS

match address interestingtraffic

ip access-list extended interestingtraffic

permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

I have the following routes setup.

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 2.2.2.2 255.255.255.255 1.1.1.1

1.1.1.1 - is my outside interface. I have Inside interface on 10.10.10.0 network..

1.1.1.1 is your outside interface? 

Pls change this IP to the next hop IP.  Can you send me a show int for the outside and inside pls?

Yeah 1.1.1.1 is my outside int (i've just amended addresses to mask real ones).

Sorry, for the ip route I have

ip route 2.2.2.2 255.255.255.255 1.1.1.2

interface FastEthernet0/0

description ***Outside***

ip address 1.1.1.1 255.255.255.0

duplex auto

speed auto

crypto map TestCMAP

interface FastEthernet0/1

ip address 10.10.10.2 255.255.255.0

duplex auto

speed auto

Ok it all looks good to me, whats your problem? can you give a trace to a host on 20.20.20.0 from a client on 10.10.10.0.

What trace are you referring to?  A trace on from your router, you need to specifiy the source address as the inside if thats what your doing!

Simon

20.x.x.x is the other end of the VPN. I want to go from Site A (10.10.10.0 network) to Site B (20.20.20.0 network). Traffic should go over IPSEC tunnel.

So does my Default Gateway get used before the Crypto ACL?

I thought I need this Default Gateway, so I can route my non VPN traffic elsewhere? Any ideas where I'm going wrong?

When tracing route to the subnet on opposite end of VPN it goes to my Default Gateway instead of using VPN tunnel see below.

Protocol [ip]:

Target IP address: 20.20.20.20

Source address: 10.10.10.2

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 20.20.20.20

  1 10.10.10.1 44 msec 8 msec 0 msec

Hi Rudy,

What should I have in place of this then? I need anything trying to get to the 20.20.20.0 network to use the VPN..

try following command instead: ip route 0.0.0.0 0.0.0.0 1.1.1.2

Don't forget to configure the other side and mirror the "interesting traffic" access list to make sure you have traffic coming back from the other side.

To make things easier, try to check your basic connectivity between two sites before configuring the vpn then you know it is not a vpn issue.

Should have read;

Ip route 20.20.20.0 255.255.255.0 2.2.2.2

Jill