Cisco site to site VPN

matedwards

I need to set up a site-to-site vpn between two Cisco 877 ADSL modem/routers.
As is very common with Cisco, the GUI utilities (SDM, SDM Express) don't work. Both boxes will have a static xxxx.xxxx.xxxx.xxxx WAN IP address, with 10.10.0.xxxx/24 and 192.168.4.xxxx/24 LAN subnets at either end.

Can anyone help with the commands to do it in the CLI or even a text file with an example in..?

Any help would be greatly appreciated..?

Thanks  
Here is a standard IPsec solution. The access list will have to be modified to have the correct IP address range. If you don't want this type of tunnel and your router will support it, I would say do a GRE tunnel with protection on. If you want, I can post that if you don't like this solution.

point to point ipsec-tunnel

! Phase 1 (ISAKMP) policy: 3DES, pre-shared key, DH group 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key (secret) address (address)
!
! Phase 2 transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! ACL 107 selects the traffic to be encrypted
crypto map IPSEC 1 ipsec-isakmp
 description Tunnel to (something)
 set peer (address)
 set transform-set ESP-3DES-SHA
 match address 107
!
! Outside (WAN) interface: NAT outside and the crypto map are applied here
int fa0/0
 ip address (ip) (mask)
 no shut
 ip nat outside
 crypto map IPSEC
!
! NAT is driven by a route map so that tunnel traffic is exempted from NAT
route-map RMAP_1 permit 1
 match ip address 104
!
ip nat inside source route-map RMAP_1 interface fa0/0 overload
!
! ACL 104: deny (exempt) LAN-to-remote-LAN traffic from NAT, NAT everything else
access-list 104 deny   ip 10.135.0.0 0.0.0.255 10.248.3.0 0.0.0.255
access-list 104 permit ip 10.135.0.0 0.0.0.255 any
! ACL 107: crypto ACL; covers the same traffic that ACL 104 exempts from NAT
access-list 107 permit ip 10.135.0.0 0.0.0.255 10.248.3.0 0.0.0.255
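
A two-site version of the above adapted to the subnets in the question (10.10.0.0/24 and 192.168.4.0/24), added here as an example and not part of cosmicfox's post. A_WAN_IP, B_WAN_IP, the shared secret and the Dialer0/Vlan1 interface names are placeholders and assumptions; adjust them to the 877's actual WAN and LAN interfaces.

```cisco
! === Site A: LAN 10.10.0.0/24, WAN A_WAN_IP; Site B: LAN 192.168.4.0/24, WAN B_WAN_IP ===
! (A_WAN_IP, B_WAN_IP, the shared secret and the interface names are placeholders)
! --- Site A ---
! 3des/group 2 match the posted config; prefer 'encr aes 256' and a higher DH group when the image offers them
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_SHARED_SECRET address B_WAN_IP
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Crypto ACL: traffic to encrypt (local LAN -> remote LAN); must be the exact mirror of site B's
access-list 107 permit ip 10.10.0.0 0.0.0.255 192.168.4.0 0.0.0.255
! NAT ACL: the deny line covers the same traffic as ACL 107, so tunnel traffic keeps its private source
access-list 104 deny   ip 10.10.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 10.10.0.0 0.0.0.255 any
route-map RMAP_1 permit 1
 match ip address 104
ip nat inside source route-map RMAP_1 interface Dialer0 overload
crypto map IPSEC 1 ipsec-isakmp
 description Tunnel to site B
 set peer B_WAN_IP
 set transform-set ESP-3DES-SHA
 match address 107
interface Vlan1
 ip nat inside
interface Dialer0
 ip nat outside
 crypto map IPSEC
!
! --- Site B: identical except for these lines (everything is mirrored) ---
crypto isakmp key REPLACE_WITH_SHARED_SECRET address A_WAN_IP
access-list 107 permit ip 192.168.4.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 104 deny   ip 192.168.4.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 any
crypto map IPSEC 1 ipsec-isakmp
 description Tunnel to site A
 set peer A_WAN_IP
!
! --- Checks (either side, after sending traffic across, e.g. a ping between LAN hosts) ---
! show crypto isakmp sa     Phase 1 entry for the peer in state QM_IDLE
! show crypto ipsec sa      #pkts encaps and #pkts decaps both increasing; if only one
!                           side counts, compare the two crypto ACLs and the NAT exemption
! show ip nat translations  no entries for LAN-to-LAN traffic (exempted by ACL 104)
```

A tunnel that comes up but passes no LAN-to-LAN traffic is usually one of the two ACL pairs not mirroring each other, which the counters in the second and third checks expose.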

Author

Commented:

thanks cosmicfox..

What would be the advantage of a GRE tunnel with protection on..?

GRE allows you to put routing protocol traffic over the VPN, along with other advantages. Here is a link to it, if your router supports it: http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

Author

Commented:


Thanks again cosmicfox.. we have reset the Cisco 877 to factory defaults and now cannot access either box.. Cisco have insisted we take out a service contract, costing £1000s, to send us the firmware the units came with..??!!
We are inches away from binning them both and buying a couple of Netgear.. I may have to abandon this question.. apologies again.. will post shortly..
How did you reset it? If you erased the startup config only, then you don't need the firmware. Cisco will want a contract in order to help you. Can you get into the device via the console port? It's fine if you decide to switch; there is a slight learning curve for Cisco.

Author

Commented:

Thanks cosmic.. we managed to get some firmware off of our Cisco reseller.. we imported your text using the CLI and saved it to the startup config.. it then appeared in the Cisco SDM and we could see the entries.. the subnets can't ping each other at either end, but the tunnel is up and that is another question.

thanks again..
