VPN lan to lan - works but does not

Discussion in 'Cisco' started by Robert, Jan 18, 2006.

  1. Robert

    Robert Guest

    I have 2 PIXes (501) and 1 PIX is VPN server. There is VPN site-to-site.

    I am trying to connect from home.
    Connection is OK but I cannot use Remote admin (like before) - before I
    had VPN server only - no site-to-site - I was doing the same things like the
    www.cisco.com tutorial and it does not work.


    This is my config:

    Office
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list 100 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
    ip local pool test 192.168.7.1-192.168.7.5
    nat (inside) 0 access-list 100
    ip address outside 60.60.192.18 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 110
    crypto map newmap 10 set peer 50.50.66.239
    crypto map newmap 10 set transform-set myset
    crypto map newmap 20 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ********* address 50.50.66.239 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup Mygroup address-pool test
    vpngroup Mygroup dns-server 192.168.1.2
    vpngroup Mygroup wins-server 192.168.1.2
    vpngroup Mygroup default-domain company.com.com
    vpngroup Mygroup idle-time 1800
    vpngroup Mygroup password gr@ppl3

    Office2

    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 100
    ip address outside 50.50.66.239 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100
    crypto map newmap 10 set peer 60.60.192.18
    crypto map newmap 10 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ********* address 60.60.192.18 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
     
    Robert, Jan 18, 2006
    #1

  2. "Robert" <> wrote in message
    news:44yzf.59180$...

    > access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240


    > nat (inside) 0 access-list 100


    ACL number doesn't match.
    ACLs are wrong - do it like this:
    Allow the inside LAN to the other inside LAN,
    e.g.
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.240


    OOPS

    Here is the next problem - you use the same LAN IP range on both sides.
    Get this right by using e.g. 192.168.2.0 /24 on the other site, and so on,
    so your ACL will be
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240

    and reverse these ACLs in the remote PIXes.

    Also add "isakmp nat-t" for your VPN clients,
    and "management-access inside" for the remote admin via the tunnels,
    plus e.g. "ssh 192.168.1.0 255.255.255.0 inside" on the remote PIX.



    > ip address outside 60.60.192.18 255.255.255.240
    > ip address inside 192.168.1.1 255.255.255.0
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set myset esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 30 set transform-set myset
    > crypto map newmap 10 ipsec-isakmp
    > crypto map newmap 10 match address 110
    > crypto map newmap 10 set peer 50.50.66.239
    > crypto map newmap 10 set transform-set myset
    > crypto map newmap 20 ipsec-isakmp dynamic dynmap
    > crypto map newmap interface outside
    > isakmp enable outside
    > isakmp key ********* address 50.50.66.239 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup Mygroup address-pool test
    > vpngroup Mygroup dns-server 192.168.1.2
    > vpngroup Mygroup wins-server 192.168.1.2
    > vpngroup Mygroup default-domain company.com.com
    > vpngroup Mygroup idle-time 1800
    > vpngroup Mygroup password gr@ppl3
    >
    > Office2
    >
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
    > nat (inside) 0 access-list 100
    > ip address outside 50.50.66.239 255.255.255.0
    > ip address inside 192.168.1.1 255.255.255.0
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set myset esp-3des esp-md5-hmac
    > crypto map newmap 10 ipsec-isakmp
    > crypto map newmap 10 match address 100
    > crypto map newmap 10 set peer 60.60.192.18
    > crypto map newmap 10 set transform-set myset
    > crypto map newmap interface outside
    > isakmp enable outside
    > isakmp key ********* address 60.60.192.18 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    >
    >
     
    Martin Bilgrav, Jan 20, 2006
    #2
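    Martin's checklist above (non-overlapping inside LANs, mirrored crypto ACLs that the nat 0 ACL also covers, isakmp nat-t for the remote clients, management-access inside for admin over the tunnel) can be run as a script against the two configs before they go on the boxes. The following is an added example, not code from the thread or a Cisco tool: it parses only the relevant lines of the two posted configs (condensed here as constructed sample input) and reports findings. The parse/review functions and the line-matching rules are assumptions about the PIX 6.x syntax shown in the thread, not a full config parser.

```python
"""Constructed sanity checker for a pair of PIX 6.x site-to-site configs.

Added example, not part of the thread. The sample configs below are the
thread's own relevant lines, condensed; the checker itself is an assumption
about how one would automate Martin's review, not a Cisco tool.
"""
import ipaddress
import re

# Constructed from the "Office" config posted in the thread.
OFFICE = """
ip address inside 192.168.1.1 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
nat (inside) 0 access-list 100
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 20 ipsec-isakmp dynamic dynmap
"""

# Constructed from the "Office2" config posted in the thread.
OFFICE2 = """
ip address inside 192.168.1.1 255.255.255.0
access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def net(addr, mask):
    """Turn 'address netmask' as written in PIX syntax into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Extract inside LAN, ACL tables, nat 0 ACL id, crypto-map ACL ids and flags."""
    acls = {}
    info = {"acls": acls, "crypto_acls": set(), "nat0": None, "inside": None,
            "nat_t": False, "mgmt_access": False}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl, s, sm, d, dm = m.groups()
            acls.setdefault(acl, []).append((net(s, sm), net(d, dm)))
        elif line.startswith("ip address inside "):
            _, _, _, addr, mask = line.split()
            info["inside"] = net(addr, mask)
        elif line.startswith("nat (inside) 0 access-list "):
            info["nat0"] = line.split()[-1]
        elif line.startswith("crypto map ") and " match address " in line:
            info["crypto_acls"].add(line.split()[-1])
        elif line.startswith("isakmp nat-t"):  # "nat-t" as Martin abbreviates it, or nat-traversal
            info["nat_t"] = True
        elif line == "management-access inside":
            info["mgmt_access"] = True
    return info


def review(a_name, a_cfg, b_name, b_cfg):
    """Return a list of human-readable findings for the two peers."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    # Same inside range on both ends: routing over the tunnel cannot work.
    if a["inside"].overlaps(b["inside"]):
        findings.append(f"overlap: {a_name} and {b_name} both use {a['inside']}")
    for name, site, peer in ((a_name, a, b), (b_name, b, a)):
        nat0 = site["acls"].get(site["nat0"], [])
        peer_crypto = [e for acl in peer["crypto_acls"] for e in peer["acls"].get(acl, [])]
        for acl in site["crypto_acls"]:
            for src, dst in site["acls"].get(acl, []):
                # Interesting traffic must be exempt from NAT on the same box...
                if (src, dst) not in nat0:
                    findings.append(f"nat0: {name} ACL {acl} {src}->{dst} not exempt from NAT")
                # ...and must appear reversed in the peer's crypto ACL.
                if (dst, src) not in peer_crypto:
                    findings.append(f"mirror: {name} ACL {acl} {src}->{dst} has no mirror on peer")
        if not site["nat_t"]:
            findings.append(f"nat-t: {name} has no isakmp nat-t")
        if not site["mgmt_access"]:
            findings.append(f"mgmt: {name} has no management-access inside")
    return findings


if __name__ == "__main__":
    for finding in review("Office", OFFICE, "Office2", OFFICE2):
        print(finding)
```

    On the thread's configs the crypto ACLs do mirror each other and are covered by the nat 0 ACLs, so the script's findings are the ones Martin raises: the identical 192.168.1.0/24 on both sides, and the missing isakmp nat-t and management-access inside on each PIX.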

  3. Robert

    Robert Guest

    Robert, Jan 23, 2006
    #3
