1720 VPN

Status
Not open for further replies.

CMCDOJO (Programmer), US, Feb 27, 2000
I have two 1720 routers that I need to create a VPN connection between. Each router has a built-in T1 WAN interface. I have both configured with NAT and I have the IP PLUS IPSEC 56 feature pack installed on both. I have set up VPN on both routers with the Cisco Configmaker. I can ping the internet from both routers and local IP addresses directly connected. But, I cannot ping the peer router or any of the local IP addresses on the other side of the remote router. I am not sure I have the access-list configured correctly. The access-list set up by Configmaker uses the public IPs while a book I have shows local IP addresses in the VPN access list.

The IP addresses of the first router are:

209.84.165.6 for Serial0
10.0.0.1 for FastEthernet0

The IP addresses for the second router are:

208.46.254.230 for Serial0
10.0.2.4 for FastEthernet0

A partial configuration returned from Configmaker is:

!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key testkey address 209.84.165.6
!
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Serial0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 209.84.165.6
set transform-set cm-transformset-1
match address 100
!
cns event-service server
!
interface Serial0
ip address 208.46.254.230 255.255.255.252
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
service-module t1 remote-alarm-enable
crypto map cm-cryptomap
!
.
.
.
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 100 permit ip 208.46.254.228 0.0.0.3 209.84.165.4 0.0.0.3
access-list 100 permit ip 208.46.254.228 0.0.0.3 host 209.84.165.162

! 209.84.165.162 points to a server inside the NAT router
! on the other end with a local ip of 10.0.0.7


The book I have would suggest an access-list entry similar to this (on this router):

access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255

and on the other router:

access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255


Please respond with any ideas or helpful hints.

Thanks in advance.

Chris
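For reference, this is one way to lay out the crypto ACL and the NAT configuration on the second router so that the private networks are what the crypto map matches; it is an added example written for this page, not configuration from the poster, from Configmaker or from the book. It assumes a 255.255.255.0 mask on each FastEthernet0 (the post does not state it), uses access-list 110 as an arbitrary number for the NAT list in place of the existing access-list 1, and keeps the existing crypto map name and ACL 100 (extended IP access lists are numbered 100 to 199). The point of the deny line is that IOS translates inside-to-outside packets before the crypto map is evaluated, so without it the packets reach ACL 100 carrying a public source address and are sent in the clear.

```cisco
! Second router (Serial0 208.46.254.230, FastEthernet0 10.0.2.4)
!
! Crypto ACL: the private-to-private traffic that must be protected.
! The entry on the first router must be the exact mirror of this one.
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! NAT ACL (110 is an assumed number): exempt the site-to-site traffic
! first so it keeps its private addresses and matches ACL 100, then
! translate everything else that is bound for the Internet.
access-list 110 deny   ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
ip nat inside source list 110 interface Serial0 overload
!
interface FastEthernet0
 ip address 10.0.2.4 255.255.255.0
 ip nat inside
!
interface Serial0
 ip nat outside
 crypto map cm-cryptomap
!
! First router (Serial0 209.84.165.6) carries the mirror image:
! access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
! access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
! access-list 110 permit ip 10.0.0.0 0.0.0.255 any
! ip nat inside source list 110 interface Serial0 overload
```

After the change, `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 come up for the 10.0.2.0/24 to 10.0.0.0/24 pair once a ping is sent from an inside host on either side.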
 
Hi
All IP access lists start with 101 and not 100. Kindly
make the changes and I think it should work.
 