In your crypto map you need to call an access-list. In your ACL specify what
traffic you want to encrypt.

crypto map myvpn 10 ipsec-isakmp
 match address myvpn

ip access-list extended myvpn
 permit ip 10.1.0.0 0.0.255.255 10.11.0.0 0.0.255.255


Daniel Ladrach
CCNA, CCNP
WorldCom
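Added example (not from this thread or from Cisco): a small Python linter for the crypto map wiring the reply above is about, which parses an IOS config and reports a map applied on an interface but never defined, a map with no `match address`, a `match address` ACL that does not exist, and a defined map applied nowhere. The sample config is constructed to mirror the RouterHQ config quoted below, where `crypto map ramco-vpn` is defined but the outside interface applies `crypto map vpn` (RouterBO has the same mismatch); addresses are documentation ranges.

```python
import re

# Constructed sample, modelled on the RouterHQ config quoted in this thread:
# the map is defined as "ramco-vpn" but the outside interface applies "vpn".
SAMPLE_CONFIG = """\
crypto map ramco-vpn 10 ipsec-isakmp
 set peer 203.0.113.220
 match address 101
!
interface BVI1
 ip nat outside
 crypto map vpn
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse(config):
    # maps: name -> match-address ACL; bound: interface -> map name; acls: ACL names
    maps, bound, acls, ctx = {}, {}, set(), None
    for line in config.splitlines():
        if m := re.match(r'crypto map (\S+) \d+ ipsec-isakmp', line):
            ctx = ('map', m[1]); maps.setdefault(m[1], None)
        elif m := re.match(r'interface (\S+)', line):
            ctx = ('if', m[1])
        elif m := re.match(r'(?:ip )?access-list (?:extended )?(\S+)', line):
            acls.add(m[1]); ctx = None
        elif not line.startswith(' '):
            ctx = None  # any other top-level command ends the current block
        elif ctx and ctx[0] == 'map' and line.strip().startswith('match address '):
            maps[ctx[1]] = line.split()[2]
        elif ctx and ctx[0] == 'if' and line.strip().startswith('crypto map '):
            bound[ctx[1]] = line.split()[2]
    return maps, bound, acls

def lint_crypto_maps(config):
    """Return findings about map/interface/ACL wiring; [] means it lines up."""
    maps, bound, acls = parse(config)
    findings = []
    for iface, name in bound.items():
        if name not in maps:
            findings.append(f"{iface}: crypto map '{name}' applied but not defined (have {sorted(maps)})")
    for name, acl in maps.items():
        if acl is None:
            findings.append(f"crypto map '{name}': no 'match address' ACL")
        elif acl not in acls:
            findings.append(f"crypto map '{name}': match address ACL '{acl}' is not defined")
        if name not in bound.values():
            findings.append(f"crypto map '{name}': not applied to any interface")
    return findings

print("\n".join(lint_crypto_maps(SAMPLE_CONFIG)))
```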


> -----Original Message-----
> From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 22, 2002 1:52 PM
> To: [EMAIL PROTECTED]
> Subject: Router to Router VPNs- Longish [7:42245]
> 
> 
> Hey folks, I am in a quandary, and am wondering if someone on the list has
> done this and figured out a working config.
> 
> I've been challenged with putting a VPN together between two sites, and it
> shouldn't be a problem, as it seems to be a straightforward config, and
> I've used the example off of CCO.
> 
> The problem is, I can't seem to pass traffic successfully across the VPN. :(
> 
> Attached is the config for both ends of the network setup.  As far as I
> know, as long as I've met the following criteria, this should work:
> 
> 1. Both ends have to have a public static address for at least the Router.
> 2. Either end can have a static NAT for an extra inside host, such as a WWW
> server.
> 3. The VPN tunnel should work, no matter what type of "outside" interface
> the Crypto map is applied to; if regular private to public net connectivity
> works using NAT Overload, then End to End Tunnel termination should work so
> long as the access-lists are done right.
> 
> This being said, this is what I got from CCO:
> 
> ASCII Diagram of network scenario
> 
>    LAN(192.168.10.0) -- RouterHQ --(WIC1-ADSL) DSL --Internet-- SL --RouterBranchOffice--LAN (192.168.1.0)
> 
> RouterHQ is assigned 5 public IPs, one assigned to the Router, 1 assigned to
> WWW Host via Static NAT
> 
> RouterBO is assigned one public IP, which is assigned to the Router, with NAT
> Overload running for the hosts on the private LAN.
> 
> * The description and ASCII art have been slightly modified from the CCO
> example only to use a WIC-1ADSL as the "Outside" interface on the HQ Router,
> rather than Ethernet Interfaces.
> 
> Config From CCO:
> Daphne#
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Daphne
> !
> memory-size iomem 10
> ip subnet-zero
> ip audit notify log
> ip audit po max-events 100
> !
> !--- IKE policies:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key ciscokey address 100.1.1.2
> crypto ipsec transform-set to_fred esp-des esp-md5-hmac
> !--- IPSec policies:
> crypto map myvpn 10 ipsec-isakmp
> set peer 100.1.1.2
> set transform-set to_fred
> !--- Include the private-network-to-private-network traffic
> !--- in the encryption process:
> match address 101
> !
> controller T1 0/0
> shutdown
> !
> controller T1 0/1
> shutdown
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> !
> interface Ethernet0/0
> ip address 10.1.1.1 255.255.255.0
> ip Nat inside
> ip route-cache policy
> ip policy route-map nonat
> !
> interface Ethernet0/1
> ip address 200.1.1.2 255.255.255.0
> ip Nat outside
> crypto map myvpn
> !
> !--- Except the private network from the NAT process:
> ip Nat inside source list 122 interface Ethernet0/1 overload
> ip Nat inside source static 10.1.1.3 200.1.1.25
> ip classless
> ip route 0.0.0.0 0.0.0.0 200.1.1.1
> !--- Include the private-network-to-private-network traffic
> !--- in the encryption process:
> access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
> access-list 101 deny ip 10.1.1.0 0.0.0.255 any
> !--- Except the private network from the NAT process:
> access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
> access-list 122 deny ip host 10.1.1.3 any
> access-list 122 permit ip 10.1.1.0 0.0.0.255 any
> access-list 123 permit ip host 10.1.1.3 172.16.1.0 0.0.0.255
> dialer-list 1 protocol ip permit
> dialer-list 1 protocol ipx permit
> !--- Except the private network from the NAT process:
> route-map nonat permit 10
> match ip address 123
> set ip next-hop 1.1.1.2
> !
> end
> 
> Fred- Router Configuration
> Fred#
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname fred
> !
> memory-size iomem 10
> ip subnet-zero
> !
> ip audit notify log
> ip audit PO max-events 100
> !
> !--- IKE Policies:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key ciscokey address 200.1.1.2
> !--- IPSec Policies:
> crypto ipsec transform-set to_fred ESP-Des esp-md5-hmac
> !
> crypto map myvpn 10 ipsec-isakmp
> set peer 200.1.1.2
> set transform-set to_fred
> !--- Include the private-network-to-private-network traffic
> !--- in the encryption process:
> match address 101
> !
> controller T1 1/0
> shutdown
> !
> controller T1 1/1
> shutdown
> !
> interface Ethernet0/0
> ip address 172.16.1.1 255.255.255.0
> ip Nat inside
> !
> interface Ethernet0/1
> ip address 100.1.1.2 255.255.255.0
> ip Nat outside
> crypto map myvpn
> !
> !--- Except the private network from the NAT process:
> ip Nat inside source list 175 pool interface Ethernet0/1 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 100.1.1.1
> !
> !--- Include the private-network-to-private-network traffic
> !--- in the encryption process:
> access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
> !--- Except the private network from the NAT process:
> access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
> access-list 175 permit ip 172.16.1.0 0.0.0.255 any
> !
> dialer-list 1 protocol ip permit
> dialer-list 1 protocol ipx permit
> !
> end
> 
> 
> And... this is what I've done for my Routers:
> 
> RouterHQ#
> 
> version 12.2
> service timestamps debug datetime localtime show-timezone
> service timestamps log datetime localtime show-timezone
> no service password-encryption
> !
> hostname RAMCO-Arlington
> !
> logging count
> logging buffered 4096 debugging
> !
> memory-size iomem 25
> clock timezone CST -6
> clock summer-time CDT recurring
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> !
> !
> ip domain-name ramco.com
> ip name-server 198.6.1.2
> !
> ip audit notify log
> ip audit po max-events 100
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key vpn address yy.yy.yy.220
> !
> !
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> !
> crypto map ramco-vpn 10 ipsec-isakmp
>  set peer yy.yy.yy.220
>  set transform-set vpn
>  match address 101
> !
> !
> bridge irb
> !
> !
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.0
> !
> interface ATM0
>  mtu 1492
>  no ip address
>  no atm ilmi-keepalive
>  pvc 0/35
>   encapsulation aal5snap
>  !
>  dsl operating-mode auto
>  no fair-queue
>  bridge-group 1
>  hold-queue 224 in
> !
> interface FastEthernet0
>  description connected to Private LAN Block
>  ip address 192.168.10.1 255.255.255.0
>  ip directed-broadcast
>  ip nat inside
>  ip policy route-map nonat
>  no ip mroute-cache
>  no keepalive
>  speed auto
>  full-duplex
> !
> interface BVI1
>  mtu 1492
>  ip address xx.xx.xx.121 255.255.255.248
>  ip nat outside
>  crypto map vpn
> !
> ip nat inside source route-map nonat interface BVI1 overload
> ip nat inside source static 192.168.10.122 xx.xx.xx.122 extendable
> ip nat inside source static 192.168.10.6 xx.xx.xx.124 extendable
> ip classless
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.126 (ISP END of circuit)
> no ip http server
> !
> !
> logging history debugging
> logging trap debugging
> access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 123 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 123 permit ip 192.168.10.0 0.0.0.255 any
> !
> route-map nonat permit 10
>  match ip address 123
> !
> snmp-server manager
> bridge 1 protocol ieee
> bridge 1 route ip
> !
> !
> ntp clock-period 17179944
> ntp server 192.5.5.250
> end
> 
> and the other end of the tunnel.....
> 
> RouterBO#
> version 12.2
> service timestamps debug datetime localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> !
> hostname RouterBO
> !
> !
> clock timezone CST -6
> clock summer-time CDT recurring
> ip subnet-zero
> ip domain-name vpndemo.com
> ip name-server 198.6.1.2
> !
> ip dhcp pool BigB-LAN
>    network 192.168.1.0 255.255.255.0
>    dns-server 198.6.1.2
>    domain-name vpndemo.com
>    netbios-name-server 192.168.1.10
>    netbios-node-type h-node
>    default-router 192.168.1.1
>    lease infinite
> !
> ip ssh time-out 120
> ip ssh authentication-retries 3
> ip dhcp-server 192.168.1.1
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key vpn address xx.xx.xx.121
> !
> !
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> !
> crypto map ramco-vpn 10 ipsec-isakmp
>  set peer xx.xx.xx.121
>  set transform-set vpn
>  match address 110
> !
> !
> !
> !
> interface Ethernet0
>  ip address yy.yy.yy.220 255.255.252.0
>  ip nat outside
>  ip route-cache same-interface
>  crypto map vpn
> !
> interface Ethernet1
>  description connected to LAN
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
> !
> router rip
>  version 2
>  passive-interface Ethernet0
>  network 192.168.1.0
>  no auto-summary
> !
> ip nat pool 2514-nat-pool yy.yy.yy.220 yy.yy.yy.220 netmask 255.255.252.0
> ip nat inside source route-map nonat pool 2514-nat-pool overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Ethernet0
> no ip http server
> !
> logging history debugging
> logging trap debugging
> logging source-interface Ethernet0
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> access-list 150 permit ip 192.168.1.0 0.0.0.255 any
> route-map nonat permit 10
>  match ip address 150
> !
> ntp clock-period 17179942
> ntp server 192.5.41.40
> end
> 
> Any insight/help you can provide would be greatly appreciated.
> 
> Thanks,
> Mark




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42252&t=42245