Solved

Cisco Site to Site VPN Help

Posted on 2012-03-13
490 Views
Last Modified: 2012-03-15
We have two sites that we would like to connect via site-to-site VPN. I have configured as much as I can by tutorials but seem to be stuck. Can anyone please review my attached config files and tell me what I'm lacking? It would be great if you could give examples by command example.

Site 1 (T)  - Main site
Local: 10.8.40.x
External IP in config listed as: T.T.T.T for security purposes.

Site 2 (C)
Local: 10.8.50.x
External IP in config listed as: C.C.C.C for security purposes.


**These two sites were at once both using the local IP scheme of 10.8.146.x and were connected via a T1 line. We split this up into the two new schemes of 10.8.40.x and 10.8.50.x, but currently there is still needed vendor equipment at both sites with the 10.8.146.x IP scheme, and I would like to allow communication between 10.8.146.x at both sites to stay open as well if possible.
site1-T-.txt
site2-C-.txt
Question by:considerscs
4 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 37720047
Have you done any debugging yet?

Debug the isakmp and ipsec to see if you can get a clue to what is failing.
 
LVL 1

Author Comment

by:considerscs
ID: 37722554
If I run the debug crypto ipsec and debug crypto isakmp it says debugging is on but does not show any output. How do I get it to show output?
 
LVL 79

Accepted Solution

by:
lrmoore earned 1800 total points
ID: 37722793
Your NAT ACL is incorrect.

ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny   ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255  <-- add this new line to match the crypto match ACL
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255 <-- this line needs to be line #2 ^


You cannot have the same IP subnet on both sides of an IPsec VPN tunnel.
Mirror the above ACL on site 2.
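Why the position of that deny line matters, as an added example that is not part of the thread: on an IOS router the inside-to-outside NAT step runs before the crypto map is consulted, so any flow the NAT ACL permits is translated first and then never matches the crypto ACL on its original source address. The script below applies IOS extended-ACL semantics (top-down, first match wins, implicit deny) to the ACL as posted and to the corrected one, and reports which VPN flows would be NATed instead of encrypted. The subnets are the poster's; the crypto ACL is reconstructed from the expert's remark, since the attachments are not on the page, and its name vpn_interesting_traffic is hypothetical.

```python
"""Added example, not from the thread: IOS first-match ACL evaluation, used to
check that a NAT ACL exempts every flow the crypto ACL wants encrypted.
Assumes IOS semantics (top-down, first match, implicit deny) and ip-only ACEs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (10.8.40.0 0.0.0.255) into a network.
    Only contiguous wildcards are supported."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _operand(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse the body of an 'ip access-list extended' block (ip-only ACEs)."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):
            continue  # header line, IOS comment or remark
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """IOS semantics: top-down, first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if s in a.src and d in a.dst:
            return a.action
    return "deny"


def nat_leaks(nat_acl: list[Ace], crypto_acl: list[Ace]) -> list[tuple[str, str]]:
    """Flows the crypto ACL wants encrypted but the NAT ACL would translate first
    (probing the first host of each crypto ACE's source and destination)."""
    leaks = []
    for c in crypto_acl:
        if c.action != "permit":
            continue
        src = str(c.src.network_address + 1)
        dst = str(c.dst.network_address + 1)
        if evaluate(nat_acl, src, dst) == "permit":  # permit here = gets NATed
            leaks.append((src, dst))
    return leaks


# Site T NAT ACL as the thread shows it before the fix (constructed from the post).
NAT_ACL_ORIGINAL = """
ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255
"""

# Same ACL with the expert's change: every exemption precedes the permits.
NAT_ACL_FIXED = """
ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255
 deny   ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
"""

# Assumed crypto ACL for site T (name hypothetical): encrypt 10.8.40.0/24 -> 10.8.50.0/24.
CRYPTO_ACL_SITE_T = """
ip access-list extended vpn_interesting_traffic
 permit ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255
"""


def check(nat_text: str, crypto_text: str) -> list[tuple[str, str]]:
    return nat_leaks(parse_acl(nat_text), parse_acl(crypto_text))


if __name__ == "__main__":
    print("original NAT ACL, flows NATed instead of encrypted:", check(NAT_ACL_ORIGINAL, CRYPTO_ACL_SITE_T))
    print("fixed NAT ACL, flows NATed instead of encrypted:   ", check(NAT_ACL_FIXED, CRYPTO_ACL_SITE_T))
```

Run it against the site C configuration by swapping the source and destination networks in both ACLs; the same check applies there because the expert's mirrored ACL has to exempt 10.8.50.0/24 to 10.8.40.0/24 before its own permit. The 10.8.146.0/24 vendor segment is deliberately not in the crypto ACL: with the same subnet at both ends, no plain deny/permit ordering makes it routable over the tunnel.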
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 200 total points
ID: 37722879
If you are in via SSH/Telnet, you need to issue the terminal monitor command to see the output.

When you are done you can issue
terminal no monitor
un all (turns off all debugging)
