Site to site VPN routing issue

toufikzemri (Level 1)

Hi,

I have a site-to-site VPN from an SR520 to an SFsence VPN. The tunnel is up, but I can't ping internal addresses from either site; a traceroute terminates at my default gateway. Please help.

Access list configuration:

access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
ip nat inside source route-map NONAT interface Dialer 0 overload
access-list 110 deny ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110

Note: 10.0.43.0/24 is the remote site (SFsence); 10.10.10.0/29 is the local site (Cisco SR520 router).


5 Replies

Jennifer Halim (Cisco Employee)

I assume that ACL 100 is your crypto ACL; it should contain only the second line, and the first line should be removed.

On the SR520 router, you should only have:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255

On SFsense, you should only have:

access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255
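The two faults this thread turns on, a crypto ACL that also carries the peer's reversed line and a NAT-exemption ACL that NATs the tunnel traffic, are both mechanical enough to check before opening CCP. The script below is an added example written for this page, not code from the thread, from Cisco or from the SR520; it parses the configuration quoted in the question, reports any crypto ACL line that is not local-to-remote, walks the NONAT ACL first-match to confirm VPN traffic hits a deny before any permit, and prints the mirror-image ACL the peer needs. The parser is deliberately limited to numbered extended ACEs of the form `access-list N permit|deny ip SRC DST` with `any`, `host A` or `A WILDCARD` address specs; the ACL numbers 100 and 110, and the /29 and /24 LAN ranges, are taken from the question.

```python
"""Sanity-check a Cisco IOS site-to-site VPN config for the two faults discussed
in this thread: a crypto ACL that also carries the peer's reversed line, and a
NAT-exemption (NONAT) ACL that would NAT the VPN traffic instead of exempting it.

Added example, not from the thread or from Cisco. Only the numbered extended
form 'access-list N permit|deny ip SRC DST' is parsed.
"""
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    acl: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24
    hostmask = int(ipaddress.IPv4Address(tokens.pop(0)))
    if (hostmask + 1) & hostmask:
        raise ValueError(f"non-contiguous wildcard mask on {tok}")
    return ipaddress.ip_network(f"{tok}/{32 - hostmask.bit_length()}", strict=False)


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} in configuration order; other lines are skipped."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        num, action, rest = tokens[1], tokens[2], tokens[4:]
        try:
            src, dst = _take_net(rest), _take_net(rest)
        except IndexError:
            raise ValueError(f"cannot parse ACE: {line!r}") from None
        acls.setdefault(num, []).append(Ace(num, action, src, dst))
    return acls


def check_crypto_acl(aces, local_lan, remote_lan):
    """Every permit in the local crypto ACL must be local -> remote; the reversed
    line belongs only on the peer, as the reply above says."""
    problems = []
    for ace in aces:
        if ace.action != "permit":
            continue
        if not (ace.src.overlaps(local_lan) and ace.dst.overlaps(remote_lan)):
            problems.append(f"ACL {ace.acl}: 'permit ip {ace.src} {ace.dst}' is not "
                            "local->remote; only the peer's crypto ACL should carry it")
    return problems


def peer_crypto_acl(aces):
    """The mirror image the peer must configure: src and dst swapped, same order."""
    return [Ace(a.acl, a.action, a.dst, a.src) for a in aces]


def check_nat_exemption(aces, local_lan, remote_lan):
    """First-match walk of the NONAT ACL for local -> remote traffic. Hitting a
    'permit' means the route-map NATs the VPN traffic to the Dialer address;
    hitting a 'deny', or nothing at all (implicit deny), leaves it un-NATed."""
    for ace in aces:
        if local_lan.subnet_of(ace.src) and remote_lan.subnet_of(ace.dst):
            if ace.action == "permit":
                return [f"ACL {ace.acl}: VPN traffic matches 'permit ip {ace.src} "
                        f"{ace.dst}' before any deny, so it is NATed into the tunnel"]
            return []
    return []


# Configuration quoted from the question above; LAN ranges are from its note.
OP_CONFIG = """\
access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
ip nat inside source route-map NONAT interface Dialer 0 overload
access-list 110 deny ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110
"""
# The same config with the reversed crypto line removed, as the reply recommends.
FIXED_CONFIG = OP_CONFIG.replace(
    "access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255\n", "")
LOCAL_LAN = ipaddress.ip_network("10.10.10.0/29")
REMOTE_LAN = ipaddress.ip_network("10.0.43.0/24")


def audit(config, crypto_acl="100", nonat_acl="110",
          local_lan=LOCAL_LAN, remote_lan=REMOTE_LAN):
    """All problems found in the crypto ACL and the NONAT ACL of one config."""
    acls = parse_acls(config)
    return (check_crypto_acl(acls.get(crypto_acl, []), local_lan, remote_lan)
            + check_nat_exemption(acls.get(nonat_acl, []), local_lan, remote_lan))


if __name__ == "__main__":
    for name, cfg in (("as posted", OP_CONFIG), ("after the fix", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no problems found'}")
    for a in peer_crypto_acl(parse_acls(FIXED_CONFIG)["100"]):
        print(f"peer needs: access-list {a.acl} {a.action} ip {a.src} {a.dst}")
```

Run against the posted configuration it reports the single reversed crypto line and nothing for ACL 110, because the deny for 10.10.10.0/24 to 10.0.43.0/24 sits before the permit-to-any; swap those two lines and the NONAT check flags the tunnel traffic as NATed, which is the other common reason a tunnel comes up while pings fail.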

Thanks Jennifer

I have done it, but I end up with the following failure reason from the CCP troubleshooting:

The following source are routed through the crypto map interface:

1)255.255.255.255

2)127.0.0.0

3)10.0.43.0

Recommended action:

Go to configure>routing and correct the routing table.

Any idea?


Hello,

Can you share the following information:

- show ip route
- show run | sec crypto (we only need to see the crypto map configuration)
- show ip interface brief (we will need to check the local LAN IP range)

If there is an access-group applied to any interface, please let us know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you very much for your help. The problem was an access list denying the traffic; it has been solved. Thanks again.


Glad to know everything is working now.

Please mark the question as answered so future users can learn from this.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC