VPN LAN to LAN - works but does not

I have 2 PIXes (501) and 1 PIX is the VPN server. There is a VPN site-to-site.

I am trying to connect from home. The connection is OK but I cannot use remote admin (like before). Before I had the VPN server only, no site-to-site. I was doing the same things as in the www.cisco.com tutorial and it does not work.

This is my config:

Office

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
ip local pool test 192.168.7.1-192.168.7.5
nat (inside) 0 access-list 100
ip address outside 60.60.192.18 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 50.50.66.239
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ********* address 50.50.66.239 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Mygroup address-pool test
vpngroup Mygroup dns-server 192.168.1.2
vpngroup Mygroup wins-server 192.168.1.2
vpngroup Mygroup default-domain company.com.com
vpngroup Mygroup idle-time 1800
vpngroup Mygroup password gr@ppl3

Office2

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
ip address outside 50.50.66.239 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 60.60.192.18
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ********* address 60.60.192.18 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Robert

The ACL numbers don't match and the ACLs are wrong. Do it like this: allow the inside LAN to the other inside LAN, e.g.

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.240

OOPS

Here is the next problem: you use the same LAN IP range on both sides. Get this right by using e.g. 192.168.2.0/24 on the other site, and so on, so your ACL will be

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240

and reverse these ACLs in the remote PIXes.

Also add "isakmp nat-t" for your VPN clients, and "management-access inside" for remote admin via the tunnels, plus e.g. "ssh 192.168.1.0 255.255.255.0 inside" on the remote PIX.

Martin Bilgrav
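The two problems pointed out above (a crypto ACL that does not describe inside-LAN-to-inside-LAN traffic, and the same 192.168.1.0/24 range on both ends) are easy to miss in a run-together PIX config but easy to check mechanically. The following Python script is an added example, not part of the thread and not Cisco code: it pulls the "ip address inside", "access-list ... permit ip" and "crypto map ... match address" lines out of each side's config, then checks that the inside LANs do not overlap, that each crypto ACL's source is the local inside LAN, and that the two crypto ACLs mirror each other. The sample inputs are those lines excerpted from the two configs posted earlier in the thread, plus a constructed corrected pair that follows the 192.168.2.0/24 suggestion.

```python
"""Consistency checks for a pair of PIX site-to-site configs (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[Net, Net]  # (source network, destination network)

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"access-list (\S+) permit ip {IP} {IP} {IP} {IP}")
INSIDE_RE = re.compile(rf"ip address inside {IP} {IP}")
MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")

# Excerpted from the two configs posted in the thread (only the lines the checks need).
OFFICE1_AS_POSTED = """
access-list 100 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
crypto map newmap 10 match address 110
"""
OFFICE2_AS_POSTED = """
access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
crypto map newmap 10 match address 100
"""
# Constructed corrected pair: Office2 moved to 192.168.2.0/24, ACLs are LAN-to-LAN mirrors.
OFFICE1_FIXED = """
ip address inside 192.168.1.1 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map newmap 10 match address 110
"""
OFFICE2_FIXED = """
ip address inside 192.168.2.1 255.255.255.0
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map newmap 10 match address 100
"""


def parse_acls(cfg: str) -> Dict[str, List[AclEntry]]:
    """Collect every 'access-list N permit ip SRC MASK DST MASK' line, keyed by ACL name."""
    acls: Dict[str, List[AclEntry]] = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(cfg):
        # PIX ACLs use subnet masks (not wildcard masks), which ipaddress accepts directly.
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((src_net, dst_net))
    return acls


def inside_network(cfg: str) -> Net:
    """The inside LAN, derived from the 'ip address inside' line."""
    addr, mask = INSIDE_RE.search(cfg).groups()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def crypto_acl(cfg: str) -> List[AclEntry]:
    """Entries of the ACL referenced by the static 'crypto map ... match address' line."""
    name = MATCH_RE.search(cfg).group(1)
    return parse_acls(cfg).get(name, [])


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return findings for the two tunnel ends; an empty list means they look consistent."""
    findings: List[str] = []
    inside_a, inside_b = inside_network(cfg_a), inside_network(cfg_b)
    if inside_a.overlaps(inside_b):
        findings.append(f"inside LANs overlap: {inside_a} vs {inside_b}")
    acl_a, acl_b = crypto_acl(cfg_a), crypto_acl(cfg_b)
    # Each side's crypto ACL must describe traffic from its own inside LAN.
    for label, acl, inside in (("A", acl_a, inside_a), ("B", acl_b, inside_b)):
        for src, _dst in acl:
            if not src.subnet_of(inside):
                findings.append(f"side {label}: crypto ACL source {src} is not inside LAN {inside}")
    # The remote side's ACL must be the exact reverse of the local one.
    mirrored_b = {(dst, src) for src, dst in acl_b}
    for src, dst in acl_a:
        if (src, dst) not in mirrored_b:
            findings.append(f"side A entry {src} -> {dst} has no mirror on side B")
    return findings


if __name__ == "__main__":
    for title, a, b in (("as posted", OFFICE1_AS_POSTED, OFFICE2_AS_POSTED),
                        ("corrected", OFFICE1_FIXED, OFFICE2_FIXED)):
        print(f"[{title}]", check_pair(a, b) or "no findings")
```

Run against the posted configs the checker reports two findings (overlapping inside LANs, and Office2's crypto ACL source 50.50.67.112/28 not being its inside LAN); the interesting detail is that the mirror check itself passes, because the two ACLs do reverse each other, which is why the tunnel can come up while nothing useful crosses it. The corrected pair produces no findings.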

I am doing something wrong; it does not work.

I copied the config from the linked page and it does not work.

Robert

