
Site to Site VPN help!

Chris Gabel
Level 1

Hi,

I have been working on this for a couple days now and need some help.

I have a site-to-site VPN using two Cisco 2901 routers. Example below. (IPs have been modified.)

sitetositevpn.png

Cisco CCP verifies that I have an active VPN connection. I can ping from a client PC on R2 (192.168.2.21) to the internal address on R1, 192.168.1.1.

I can't ping any other address on the .1. side. (i.e. 192.168.1.2 - Server, 192.168.1.3 - WAP)

I can't ping anything on the .2. network from a client on .1 side.

I checked both routers and they are identical.

Seems like possibly an ACL problem but I'm stumped.

I attached both configurations. (IPs modified.) Both routers also have a VPN-Client setup but I don't believe that should affect it.

Let me know if you need any show cryptos.

Thanks

17 Replies

Hello Chris,

Hope you are doing fine! Have you got a response, or are you still looking for a further response?

Please mark this as answered and also rate the discussion in case your query is resolved.

Appreciate your time.

Regards,
Ankur
Community Manager: Security and VPN

Hello. I am working on getting a site-to-site VPN tunnel built between a 2811 router and a UC-540. I have some issues with defining access-lists. The private IPs on both ends are in the same range. Not sure how to define the access-lists, and I got an error while defining these access-lists.

2811 private IPs: 10.1.0.0 0.0.255.255, 192.168.0.0 0.0.255.255

UC-540 private IPs: 10.1.1.0 0.0.0.255, 192.168.10.0 0.0.0.255

How can I define valid access-lists in this case?

As of now I tried doing this:

ip access-list extended VPN_To_XXXXX_Allowed
 permit ip 192.168.0.0 0.0.255.255 10.1.1.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 10.1.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip any any

Didn't notice your question, Harish; sorry for the late reply. I'm not sure if this is your problem, but I had to make the private LAN IPs in a different range for it to work properly for me. (I.e. 10.1.0.0 and 10.1.1.0)
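
An added example, not part of either post: a Python check that parses the ACL entries posted above and lists the `permit ip` lines whose source and destination ranges overlap, which is the "same range" condition both posts describe. The function names `take_network` and `find_overlaps` are this example's own.

```python
import ipaddress

# ACL entries copied from the post above (the named-ACL header line is omitted).
ACL = """\
permit ip 192.168.0.0 0.0.255.255 10.1.1.0 0.0.0.255
permit ip 10.1.0.0 0.0.255.255 10.1.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
deny   ip any any
"""

def take_network(tokens):
    """Pop one IOS address spec (any | host A | A WILDCARD) off the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is an inverted netmask; a non-contiguous one raises ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def find_overlaps(acl_text):
    """Return (line, src, dst) for each 'permit ip' entry whose source and destination overlap."""
    hits = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # skip deny entries, headers and blank lines
        rest = tokens[2:]
        src = take_network(rest)
        dst = take_network(rest)
        if src.overlaps(dst):
            hits.append((line.strip(), src, dst))
    return hits

if __name__ == "__main__":
    for line, src, dst in find_overlaps(ACL):
        inner, outer = (dst, src) if dst.subnet_of(src) else (src, dst)
        print(f"OVERLAP  {line}")
        print(f"         {inner} lies inside {outer}")
```

Run against the posted entries, it reports the four lines that pair 10.1.0.0/16 with 10.1.1.0/24 or 192.168.0.0/16 with 192.168.10.0/24, in either direction.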