01-07-2011 03:27 AM - edited 02-21-2020 05:04 PM
I have a problem with my site IPSEC VPN tunnel. First, I want to ping between PC1 and PC2, but that does not work. How can this be fixed?
01-26-2011 03:58 AM
Hi,
taken from your configs:
R1
ip nat inside source list 1 interface GigabitEthernet0 overload
access-list 1 permit 10.10.10.0 0.0.0.7 -----> NAT ACL
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255 -----> CRYPTO ACL
R2
ip nat inside source list 1 interface GigabitEthernet0 overload
access-list 23 permit 10.10.10.0 0.0.0.7 -----> Where is ACL 1?
access-list 23 permit any -----> ??
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255 -----> CRYPTO ACL
So on R1 you must NAT-exempt traffic from 10.10.10.0 to 20.20.20.0,
so the commands are:
-no access-list 1
-ip access-list extended NAT
deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
permit ip 10.10.10.0 0.0.0.7 any
-no ip nat inside source list 1 interface gig0
-ip nat inside source list NAT interface gig0
Then you must change your crypto ACL:
-ip access-list extended 100
no 10
permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
On R2: create an ACL for NAT where you exempt 20.20.20.0 to 10.10.10.0
-ip access-list extended NAT
deny ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
permit ip 20.20.20.0 0.0.0.7 any
-no ip nat inside source list 1 interface gig0
-ip nat inside source list NAT interface gig0
Then change crypto ACL:
-ip access-list extended 100
no 10
permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
Regards.
Alain.
01-26-2011 06:34 AM
of PC1 that is connected to R1, R2 and I can ping to ip address to another, but different to that of PC2 associated with R2 and R1 can not ping to ip address to another
01-26-2011 10:56 AM
of PC1 that is connected to R1, R2 and I can ping to ip address to another, but different to that of PC2 associated with R2 and R1 can not ping to ip address to another
I don't understand anything in this phrase
You want to ping from one LAN to the other, ok? What is not working? Have you tried what I posted above?
Regards.
alain.
01-26-2011 11:24 AM
I can ping from R1 to R2 but otherwise not
01-26-2011 11:54 AM
Ok, but you don't want to ping from LAN to LAN? And you left the configs you posted.
Regards.
Alain.
01-26-2011 01:19 PM
01-27-2011 01:35 AM
Hi,
taken from your last configs:
R1
ip access-list extended NAT
permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
R2:
ip access-list extended NAT
deny ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
permit ip 20.20.20.0 0.0.0.7 any
permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
Can you confirm you want to ping from a PC on the 10 subnet to a PC on the 20 subnet and inversely?
Ok, if so, on R1 change the permit to deny in the NAT ACL, and on R2 get rid of the last line, which has no use.
Then try to ping from a PC in the 10 subnet to a PC in the 20 subnet and tell us if it works: ping ok and sh crypto ipsec sa shows packets decrypted and encrypted.
Regards.
Alain
01-27-2011 02:54 AM
01-27-2011 11:32 AM
Hi,
If you want your tunnel to come up when pinging from PC1 to PC2, then the crypto ACL referenced in your crypto map must mention these subnets, which is not the case anymore, as you put the WAN subnet of your VPN peers back in, as you did before.
The statements in your NAT ACL are in the wrong order.
So what you did:
R1
ip access-list extended NAT
permit ip 10.10.10.0 0.0.0.7 any
deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
!
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255
R2
ip access-list extended NAT
permit ip 20.20.20.0 0.0.0.7 any
deny ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
!
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255
What you must do:
R1
ip access-list extended NAT
deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
permit ip 10.10.10.0 0.0.0.7 any
!
access-list 100 permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
R2
ip access-list extended NAT
deny ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
permit ip 20.20.20.0 0.0.0.7 any
!
access-list 100 permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
Regards.
Alain.
01-28-2011 01:22 AM
01-28-2011 03:15 AM
Look at ACL 100 on R1: the destination must be 20.20.20.0 0.0.0.7 and not 10.10.10.0 0.0.0.7.
01-28-2011 03:48 AM
01-28-2011 05:03 AM
Ok, so now the ACLs are all ok, but I just noticed you've got no route statement in your configs?
You surely have a default one from your ISP, but you have none for the traffic being tunneled, so add ip route 20.20.20.0 255.255.255.248 94.227.156.186
and the same on R2 for the 10 subnet: ip route 10.10.10.0 255.255.255.248 "R1 peer address".
Regards.
Alain.
01-28-2011 06:44 AM
Since that is okay, there's something to be changed: I cannot ping from R2 to a device that is connected to R1.
01-28-2011 08:01 AM
Ok, so from the PC1 subnet to the PC2 subnet and inversely it is ok now?
But you can't ping from R2 to the R1 subnet? If you don't specify a source in your pings, it will use the interface going to the next hop,
so your WAN interface IP address as source, but it will not use the tunnel, as crypto ACL 100 denies it and no NAT will be involved,
but the destination is a private address, so not routable over the Internet, so the packet is dropped.
For this ping to be successful you must permit ICMP traffic from the public IP to the other LAN in the crypto ACL and mirror it on the other side.
Is it clear enough?
Regards.
Alain.
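The two recurring points in Alain's replies (the NAT ACL is evaluated top-down, so a broad permit placed before the deny shadows it; and the crypto ACL must name the two LAN subnets and be mirrored on the peer, including any extra entry for router-sourced pings) can be checked offline with a small first-match evaluator. The following Python is an added example, not code from the thread or from Cisco IOS; it handles only the `permit|deny <ip|icmp> <src> <dst>` line shapes used above. The LAN subnets and the old 94.227.144.0/20 crypto entry are taken from the thread; the host addresses 10.10.10.2, 20.20.20.2, 198.51.100.10 and the R1 WAN address 192.0.2.1 are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# One access-control entry: (action, protocol, source network, destination network)
Ace = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco 'network wildcard' pair (e.g. 10.10.10.0 0.0.0.7) into an IPv4Network."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # wildcard bits are the inverse of the netmask
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address operand ('any', 'host A.B.C.D' or 'net wildcard') from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse extended-ACL lines of the form '<permit|deny> <ip|icmp> <src> <dst>' in the order given."""
    acl: List[Ace] = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("ip", "icmp"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        acl.append((action, proto, src, dst))
    return acl


def first_match(acl: List[Ace], src_ip: str, dst_ip: str, proto: str = "icmp") -> str:
    """IOS walks an ACL top-down and stops at the first matching entry; an implicit deny follows the list."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, ace_proto, s, d in acl:
        if (ace_proto == "ip" or ace_proto == proto) and src in s and dst in d:
            return action
    return "deny"


def is_translated(nat_acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """A permit in the NAT ACL means the packet is translated, so it no longer matches the crypto ACL."""
    return first_match(nat_acl, src_ip, dst_ip) == "permit"


def is_interesting(crypto_acl: List[Ace], src_ip: str, dst_ip: str, proto: str = "icmp") -> bool:
    """A permit in the crypto ACL selects the packet for the IPsec tunnel."""
    return first_match(crypto_acl, src_ip, dst_ip, proto) == "permit"


def is_mirrored(local_crypto: List[Ace], remote_crypto: List[Ace]) -> bool:
    """Every permit (proto, src, dst) on one peer must appear as permit (proto, dst, src) on the other."""
    local = {(p, s, d) for a, p, s, d in local_crypto if a == "permit"}
    remote = {(p, d, s) for a, p, s, d in remote_crypto if a == "permit"}
    return local == remote


# NAT ACL as the poster had it: the broad permit shadows the exemption below it.
R1_NAT_WRONG = parse_acl([
    "permit ip 10.10.10.0 0.0.0.7 any",
    "deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7",
])
# Corrected order: the specific exemption first, the general permit last.
R1_NAT_RIGHT = parse_acl([
    "deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7",
    "permit ip 10.10.10.0 0.0.0.7 any",
])
# Crypto ACLs: the old peer-subnet entry versus the corrected LAN-to-LAN entries.
R1_CRYPTO_OLD = parse_acl(["permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255"])
R1_CRYPTO = parse_acl(["permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7"])
R2_CRYPTO = parse_acl(["permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7"])
# Router-sourced ping: the extra ICMP entry for the WAN address, mirrored on the peer (constructed WAN address).
R1_WAN = "192.0.2.1"
R1_CRYPTO_ROUTER_PING = parse_acl([
    "permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7",
    f"permit icmp host {R1_WAN} 20.20.20.0 0.0.0.7",
])
R2_CRYPTO_ROUTER_PING = parse_acl([
    "permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7",
    f"permit icmp 20.20.20.0 0.0.0.7 host {R1_WAN}",
])

if __name__ == "__main__":
    print("wrong NAT order translates LAN-to-LAN:", is_translated(R1_NAT_WRONG, "10.10.10.2", "20.20.20.2"))
    print("right NAT order translates LAN-to-LAN:", is_translated(R1_NAT_RIGHT, "10.10.10.2", "20.20.20.2"))
    print("old crypto ACL selects PC1->PC2:", is_interesting(R1_CRYPTO_OLD, "10.10.10.2", "20.20.20.2"))
    print("LAN crypto ACLs mirrored:", is_mirrored(R1_CRYPTO, R2_CRYPTO))
    print("router ping from WAN address selected:", is_interesting(R1_CRYPTO, R1_WAN, "20.20.20.2"))
```

Run as a script it prints one line per check; the point to take away is that a packet must fall through the NAT ACL to a deny (so it keeps its private source) and then hit a permit in the crypto ACL, and that a router-sourced ping from the WAN address needs its own mirrored ICMP entry because it matches neither of the LAN-to-LAN lines.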