02-09-2013 10:03 AM
Hello Experts,
I have been pulling my hair out "literally" trying to solve this site-to-site VPN issue; no matter what changes are made in regards to the crypto map, access list and static routes used, I am unable to route interesting traffic between sites in Packet Tracer.
Can anyone please take a look at this simulation and point me in the right direction?
I have attached the packet tracer file to this discussion for you experts to have a look at
Thank you
02-09-2013 10:08 AM
Hi,
My Wireshark identified the file extension as belonging to it but can't open it. What exactly is there supposed to be in the file?
Generally I think "packet-tracer" refers to the command on the CLI and the ASDM side to test what the ASA would do to certain traffic entering one of its interfaces. Or are we even talking about an ASA/PIX?
If you have such an output you could simply copy/paste it to this discussion.
- Jouni
02-09-2013 01:43 PM
Hi
This file is to be used with Packet Tracer...
I have copied and pasted all configurations for all routers...
The set-up is a simple point-to-point with another router acting as the internet router to bridge both sites...
Site A configuration:
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key soggynappie address 210.10.10.4
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 210.10.10.4
set transform-set myset
match address 101
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 209.10.10.4 255.255.255.0
duplex auto
speed auto
ipv6 ospf cost 1
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.20.0 255.255.255.0 209.10.10.10
ip route 0.0.0.0 0.0.0.0 210.20.20.4
!
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
--------
INTERMEDIARY ROUTER ACTING AS THE INTERNET BRIDGE
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Ethernet0/0/0
ip address 209.10.10.10 255.255.255.0
duplex auto
speed auto
!
interface Ethernet0/1/0
ip address 210.20.20.10 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
--------------
SITE B ROUTER "Peer site"
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key soggynappie address 209.10.10.4
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 209.10.10.4
set transform-set myset
match address 101
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 210.20.20.4 255.255.255.0
duplex auto
speed auto
ipv6 ospf cost 1
no cdp enable
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.10.0 255.255.255.0 210.20.20.10
ip route 0.0.0.0 0.0.0.0 209.10.10.4
!
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
----------------------------------
There you go....
I can get this working by using static routes pointing directly towards the next-hop interface, however this defeats the object of building a VPN tunnel...
Any help would be great!!!!
Thank you
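As an added cross-check that is not part of this thread: the two site configs above, reduced to their WAN-relevant lines, fed through a small Python consistency checker. It verifies that every crypto peer/ISAKMP key address named on one router is actually an address configured on the other, and that every static-route next hop sits on a subnet the router is directly connected to. The config excerpts are constructed from the posted text; the function names are my own.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpts of the two posted configs (WAN/crypto/routing lines only).
SITE_A = """
crypto isakmp key soggynappie address 210.10.10.4
crypto map mymap 1 ipsec-isakmp
 set peer 210.10.10.4
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1
 ip address 209.10.10.4 255.255.255.0
ip route 192.168.20.0 255.255.255.0 209.10.10.10
ip route 0.0.0.0 0.0.0.0 210.20.20.4
"""
SITE_B = """
crypto isakmp key soggynappie address 209.10.10.4
crypto map mymap 1 ipsec-isakmp
 set peer 209.10.10.4
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/1
 ip address 210.20.20.4 255.255.255.0
ip route 192.168.10.0 255.255.255.0 210.20.20.10
ip route 0.0.0.0 0.0.0.0 209.10.10.4
"""

def parse(cfg):
    """Extract connected interfaces, crypto peer addresses and static next hops from IOS text."""
    ifaces = [ip_interface(f"{a}/{m}")
              for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]
    peers = set(re.findall(r"^\s*set peer (\S+)", cfg, re.M))
    peers |= set(re.findall(r"crypto isakmp key \S+ address (\S+)", cfg))
    hops = re.findall(r"^ip route \S+ \S+ (\S+)", cfg, re.M)
    return ifaces, peers, hops

def check_site(name, cfg, remote_cfg):
    """Return human-readable findings for one site, given the remote site's config."""
    ifaces, peers, hops = parse(cfg)
    remote_addrs = {str(i.ip) for i in parse(remote_cfg)[0]}
    findings = []
    for p in sorted(peers):          # peer must be an address the far router really has
        if p not in remote_addrs:
            findings.append(f"{name}: peer {p} is not an address on the remote router")
    for h in hops:                   # next hop must be reachable on a connected subnet
        if not any(ip_address(h) in i.network for i in ifaces):
            findings.append(f"{name}: next hop {h} is not on any connected subnet")
    return findings

def audit():
    return check_site("SiteA", SITE_A, SITE_B) + check_site("SiteB", SITE_B, SITE_A)

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run as-is it reports three findings: Site A's peer 210.10.10.4 is not an address on the Site B router, and each site's default route points at a next hop that is not on its own WAN subnet.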
02-09-2013 02:51 PM
1. I can't see an ACL for traffic over the internet.
Site A:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
Site B:
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
2. Make a route-map "vpn" and match ACL 100 and the outbound interface.
Both sites:
route-map vpn permit 10
match ip address 102
set interface FastEthernet0/1
3. Delete the static routes; it's not jadi's way :)
02-16-2013 03:04 AM
Sorry for the delay,...
I have sorted this out myself... I did not add the static routes in for the next-hop address....
I corrected the issues by utilizing an IGR protocol on all routers to advertise their networks... and hey presto, it worked.
Thank you for your help
NR
02-16-2013 03:07 AM
You are welcome.