You may have solved a problem for me. I'll have to look at the solution for getting to a statically mapped host.
One last tiny issue. On RouterBO its default route is to int E0. I've read that with that config the router will arp for all Internet addresses. Better to use the address of the interface of the far router.

> -----Original Message-----
> From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 22, 2002 5:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Router to Router VPNs- Longish [7:42245]
>
>
> The crypto map name inconsistency was actually left over from my clean-up of
> the config in the text editor.
>
> It was ramco-vpn, but I shortened it for simplicity of typing :)
>
> When I do my configs, I try to be as descriptive as possible with
> access-list names, crypto maps, etc. to maintain a flow of understanding for
> what is going on in the config...
>
> after trialing things a dozen times over, I started shortening my naming
> convention for typing sake... but make sure that the references all match
> up.
>
> the ip policy route-map nonat line was also left over from the example I
> got from cco, where the nonat route-map also has a 'set next-hop 1.1.1.2',
> referencing the fact that that was a fix for a problem with getting to a
> Statically NATed WWW host. The contents of access-list 123 actually was the
> contents of acl 122, and 123 was referencing the ip host www.
>
> -Mark
>
> -----Original Message-----
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 22, 2002 4:51 PM
> To: 'Mark Odette II'; [EMAIL PROTECTED]
> Subject: RE: Router to Router VPNs- Longish [7:42245]
>
>
> Interesting about the IOS version.
> When I looked at your configs what jumped out was that the transform name
> was "vpn" and the crypto map was named "ramco-vpn" yet the crypto map name
> applied to the outside interfaces was "vpn". I'd expect "ramco-vpn".
> Also on RouterHQ Fa0 I didn't understand why the line "ip policy route-map
> nonat" was there.
> Glad that you got it working.
> > -----Original Message-----
> > From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, April 22, 2002 2:58 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Router to Router VPNs- Longish [7:42245]
> >
> > I was using 12.2.8T, and then tried 12.2.8T1 on the 1720, with 12.2.6c on
> > the other end.
> >
> > I decided that maybe I should try making both ends run the same version of
> > IOS as much as possible, so I roll back the 1720 to 12.1.5YB5, and planned
> > to roll back the other end too to 12.1.5.
> > Just for grins, I try my extended ping again to see if the tunnel will come
> > up and allow successful traffic back-n-forth.
> > Wouldn't you know it, the silly thing works now!
> >
> > So, a word to the wise for those wanting to do a VPN between a 1700 series
> > router and anything else.... Stay away from 12.2.8 code!!
> >
> > now to "burn-test" the config and see how stable the VPN stays. :)
> >
> > -----Original Message-----
> > From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> > Sent: April 22, 2002 10:52
> > To: [EMAIL PROTECTED]
> > Subject: Router to Router VPNs- Longish [7:42245]
> >
> >
> > Hey folks, I am in a quandary, and am wondering if someone on the list has
> > done this and figured out a working config.
> >
> > I've been challenged with putting a VPN together between two sites, and it
> > shouldn't be a problem, as it seems to be a straight forward config, and
> > I've used the example off of CCO.
> >
> > The problem is, I can't seem to pass traffic successfully across the VPN. :(
> >
> > Attached is the config for both ends of the network setup. As far as I
> > know, as long as I've met the following criteria, this should work:
> >
> > 1. Both ends have to have a public static address for at least the Router.
> > 2. Either end can have a static NAT for an extra inside host, such as a WWW
> > server.
> > 3. The VPN tunnel should work, no matter what type of "outside"
> > interface the Crypto map is applied to; if regular private to public net
> > connectivity works using NAT Overload, then End to End Tunnel termination
> > should work so long as the access-lists are done right.
> >
> >
> > And... this is what I've done for my Routers:
> >
> > RouterHQ#
> >
> > version 12.2
> > !
> > crypto isakmp policy 10
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key vpn address yy.yy.yy.220
> > !
> > !
> > crypto ipsec transform-set vpn esp-des esp-md5-hmac
> > !
> > crypto map ramco-vpn 10 ipsec-isakmp
> >  set peer yy.yy.yy.220
> >  set transform-set vpn
> >  match address 101
> > !
> > !
> > bridge irb
> > !
> > !
> > !
> > interface FastEthernet0
> >  description connected to Private LAN Block
> >  ip address 192.168.10.1 255.255.255.0
> >  ip directed-broadcast
> >  ip nat inside
> >  ip policy route-map nonat
> >  no ip mroute-cache
> >  no keepalive
> >  speed auto
> >  full-duplex
> > !
> > interface BVI1
> >  mtu 1492
> >  ip address xx.xx.xx.121 255.255.255.248
> >  ip nat outside
> >  crypto map vpn
> > !
> > ip nat inside source route-map nonat interface BVI1 overload
> > ip nat inside source static 192.168.10.122 xx.xx.xx.122 extendable
> > ip nat inside source static 192.168.10.6 xx.xx.xx.124 extendable
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 xx.xx.xx.126 (ISP END of circuit)
> > no ip http server
> > !
> > !
> > logging history debugging
> > logging trap debugging
> > access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> > access-list 123 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> > access-list 123 permit ip 192.168.10.0 0.0.0.255 any
> > !
> > route-map nonat permit 10
> >  match ip address 123
> >
> > and the other end of the tunnel.....
> >
> > RouterBO#
> > version 12.2
> >
> > crypto isakmp policy 10
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key vpn address xx.xx.xx.121
> > !
> > !
> > crypto ipsec transform-set vpn esp-des esp-md5-hmac
> > !
> > crypto map ramco-vpn 10 ipsec-isakmp
> >  set peer xx.xx.xx.121
> >  set transform-set vpn
> >  match address 110
> > !
> > !
> > !
> > !
> > interface Ethernet0
> >  ip address yy.yy.yy.220 255.255.252.0
> >  ip nat outside
> >  ip route-cache same-interface
> >  crypto map vpn
> > !
> > interface Ethernet1
> >  description connected to LAN
> >  ip address 192.168.1.1 255.255.255.0
> >  ip nat inside
> > !
> > router rip
> >  version 2
> >  passive-interface Ethernet0
> >  network 192.168.1.0
> >  no auto-summary
> > !
> > ip nat pool 2514-nat-pool yy.yy.yy.220 yy.yy.yy.220 netmask 255.255.252.0
> > ip nat inside source route-map nonat pool 2514-nat-pool overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Ethernet0
> > no ip http server
> > !
> > logging history debugging
> > logging trap debugging
> > logging source-interface Ethernet0
> > access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> > access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> > access-list 150 permit ip 192.168.1.0 0.0.0.255 any
> > route-map nonat permit 10
> >  match ip address 150
> >
> >
> > Any insight/help you can provide would be greatly appreciated.
> >
> > Thanks,
> > Mark

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42281&t=42245
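A small config lint, added here as an example and not part of any message in the thread, that mechanically checks the three things the replies above point at: a crypto map applied on an interface that was never defined, a default route aimed at an interface instead of a next-hop address, and whether the NAT route-map's ACL denies the traffic the crypto ACL permits. SAMPLE is a constructed config modelled on RouterBO, and the parser only understands the command forms that appear in this thread.

```python
import re
# Constructed sample, modelled on the RouterBO config in the thread (not the config as posted)
SAMPLE = """\
crypto map ramco-vpn 10 ipsec-isakmp
 match address 110
interface Ethernet0
 crypto map vpn
ip nat inside source route-map nonat interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
"""
ACL = re.compile(r"access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$")

def lint_vpn_config(config):
    """Return findings for the three problems raised in the thread (empty list = none found)."""
    top, blocks, cur, acls, out = [], {}, None, {}, []   # top-level commands; block header -> sub-commands
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(line)
        elif line and line != "!":
            cur = line
            top.append(line)
            blocks[cur] = []
    for h in top:
        if m := ACL.match(h):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])   # (action, src, dst)
        # 2. default route via a multi-access interface: the router must ARP for every destination
        if (m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", h)) and not re.match(r"\d+(\.\d+){3}$", m.group(1)):
            out.append(f"default route via {m.group(1)}: use the far-end router address as next hop")
    defined = {m.group(1) for h in top if (m := re.match(r"crypto map (\S+) \d+ ipsec", h))}
    nat_rms = {m.group(1) for h in top if (m := re.match(r"ip nat inside source route-map (\S+)", h))}
    exempt = {s.split()[-1] for h, subs in blocks.items() for s in subs
              if any(h.startswith(f"route-map {r} ") for r in nat_rms) and s.startswith("match ip address ")}
    denied = {(src, dst) for a in exempt for act, src, dst in acls.get(a, []) if act == "deny"}
    for h, subs in blocks.items():
        for s in subs:
            # 1. the crypto map applied on an interface must be one that is actually defined
            if h.startswith("interface ") and (m := re.match(r"crypto map (\S+)$", s)) and m.group(1) not in defined:
                out.append(f"{h}: crypto map '{m.group(1)}' is not defined (defined: {sorted(defined)})")
            # 3. everything the crypto ACL permits must be denied in the NAT route-map's ACL
            if h.startswith("crypto map ") and (m := re.match(r"match address (\S+)$", s)):
                for act, src, dst in acls.get(m.group(1), []):
                    if act == "permit" and (src, dst) not in denied:
                        out.append(f"{h}: {src} -> {dst} is not exempted from NAT")
    return out
```

Running `lint_vpn_config(SAMPLE)` reports all three problems; fixing the crypto map name, pointing the default route at an address and adding the `deny` line to ACL 150 clears them.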

