Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

Cisco Site to Site VPN Help

Posted on 2012-03-13
4
Medium Priority
?
491 Views
Last Modified: 2012-03-15
We have two sites that we would like to connect via site to site vpn. I have configured as much as I can by tutorials but seem to be stuck. Can anyone please review my attached config files and tell me what i'm lacking? It would be great if you could give examples by command example.

Site 1 (T)  - Main site
Local: 10.8.40.x
External IP in config listed as: T.T.T.T for security purposes.

Site 2 (C)
Local: 10.8.50.x
External IP in config listed as: C.C.C.C for security purposes.


**These two sites were at once both using local ip scheme of 10.8.146.x and were connected via a T1 line. We split this up into the two new schemes of 10.8.40.x and 10.8.50.x but currently there is still needed vendor equipement at both sites with 10.8.146.x IP scheme and I would like to allow communication between 10.8.146.x at both sites open as well if possible.
site1-T-.txt
site2-C-.txt
0
Comment
Question by:considerscs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 37720047
Have you done any debugging yet?

Debug the isakmp and ipsec to see if you can get a clue to what is failing.
0
 
LVL 1

Author Comment

by:considerscs
ID: 37722554
If I run the debug crypto ipsec and debug crypto isakmp it says debugging is on but does not show any output. How do I get it to show output?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1800 total points
ID: 37722793
Your NAT acl is incorrect

ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255  <-- add this new line to match the crypto  match acl
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255 <-- this line need to be line #2 ^


You cannot have same IP subnet on both sides of an IPSEC VPN tunnel
Mirror the above acl on site 2
0
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 200 total points
ID: 37722879
If you are ssh/telnet in, you need to issue terminal monitor command to see the output.

When you are done you can issue
terminal no montitor
un all (turns off all debugging)
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question