Solved

Cisco Site to Site VPN Help

Posted on 2012-03-13
Last Modified: 2012-03-15
We have two sites that we would like to connect via site-to-site VPN. I have configured as much as I can by tutorials but seem to be stuck. Can anyone please review my attached config files and tell me what I'm lacking? It would be great if you could give examples by command example.

Site 1 (T)  - Main site
Local: 10.8.40.x
External IP in config listed as: T.T.T.T for security purposes.

Site 2 (C)
Local: 10.8.50.x
External IP in config listed as: C.C.C.C for security purposes.


**These two sites were at once both using a local IP scheme of 10.8.146.x and were connected via a T1 line. We split this up into the two new schemes of 10.8.40.x and 10.8.50.x, but currently there is still needed vendor equipment at both sites with the 10.8.146.x IP scheme, and I would like to allow communication between 10.8.146.x at both sites as well if possible.
site1-T-.txt
site2-C-.txt
Question by:considerscs
4 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 37720047
Have you done any debugging yet?

Debug the isakmp and ipsec to see if you can get a clue to what is failing.
0
 
LVL 1

Author Comment

by:considerscs
ID: 37722554
If I run the debug crypto ipsec and debug crypto isakmp it says debugging is on but does not show any output. How do I get it to show output?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1800 total points
ID: 37722793
Your NAT ACL is incorrect.

ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255  <-- add this new line to match the crypto match ACL
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255 <-- this line needs to be line #2 ^


You cannot have the same IP subnet on both sides of an IPsec VPN tunnel.
Mirror the above ACL on site 2.
0
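The ordering point in the accepted answer can be checked offline. The following is an added example, not code from the thread: a first-match evaluation of a NAT ACL against the tunnel's crypto ACL. The crypto ACL line and both NAT ACL samples are constructed from the subnets in the question, and the function names are hypothetical.

```python
import ipaddress
import re

ENTRY = re.compile(r"^\s*(permit|deny)\s+ip\s+(.+?)\s*$")

def _take_net(tokens):
    # Consume "any" or "<address> <wildcard>"; contiguous wildcards only.
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{wildcard}")

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each 'permit|deny ip' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tokens = m.group(2).split()
            entries.append((m.group(1), _take_net(tokens), _take_net(tokens)))
    return entries

def first_match(acl, src, dst):
    # IOS evaluates top-down; the first entry touching the flow decides.
    for action, a_src, a_dst in acl:
        if a_src.overlaps(src) and a_dst.overlaps(dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

def natted_tunnel_flows(nat_acl, crypto_acl):
    """Crypto-ACL flows that the NAT ACL would still translate."""
    nat = parse_acl(nat_acl)
    return [(str(s), str(d)) for act, s, d in parse_acl(crypto_acl)
            if act == "permit" and first_match(nat, s, d) == "permit"]

# Constructed sample data (site 1 view); CRYPTO is an assumed crypto ACL.
CRYPTO = "permit ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255"
NAT_APPENDED = """\
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255
"""
NAT_FIXED = """\
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
"""

if __name__ == "__main__":
    print("appended:", natted_tunnel_flows(NAT_APPENDED, CRYPTO))
    print("fixed:   ", natted_tunnel_flows(NAT_FIXED, CRYPTO))
```

A non-empty result means tunnel traffic hits a permit in the NAT ACL before its deny, so it is translated and no longer matches the crypto ACL; site 2 would be checked the same way with the mirrored entries.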
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 200 total points
ID: 37722879
If you are connected in via SSH/Telnet, you need to issue the terminal monitor command to see the output.

When you are done you can issue
terminal no monitor
un all (turns off all debugging)
0
