Question : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem
Hi,
I have set up a VPN between a Cisco 2611 and a Netscreen 5XP. The VPN shows as up but I cannot ping any hosts. Here is the config from the 2611. Any suggestions are greatly appreciated. The internal network on the Cisco side is 10.0.0.0 and the Netscreen side is 192.168.1.0
Thanks,
Building configuration...

Current configuration : 4399 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 88888
!
no logging console
enable secret 5 ********
!
ip subnet-zero
no ip source-route
!
ip domain-name **********************
ip name-server 168.215.x.x
ip name-server 216.136.x.x
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key **** address 66.25.x.x
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
!
crypto map rtp 1 ipsec-isakmp
 set peer 66.25.x.x
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 101
!
call rsvp-sync
!
interface Ethernet0/0
 description Royal LAN connected to the 2900XL
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 66.192.x.x 255.255.255.240
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface Serial0/0
 description Time Warner T1 at 1.544 Mbs
 ip address 66.162.x.x 255.255.255.252
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 crypto map rtp
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
ip nat inside source list 10 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.162.x.x
! Router at ISP
no ip http server
!
access-list 10 permit 10.0.0.10
access-list 10 permit 10.0.0.11
access-list 10 permit 10.0.0.8
access-list 10 permit 10.0.0.9
access-list 10 permit 10.0.0.14
access-list 10 permit 10.0.0.15
access-list 10 permit 10.0.0.12
access-list 10 permit 10.0.0.13
access-list 10 permit 10.0.0.2
access-list 10 permit 10.0.0.3
access-list 10 permit 10.0.0.1
access-list 10 permit 10.0.0.6
access-list 10 permit 10.0.0.7
access-list 10 permit 10.0.0.4
access-list 10 permit 10.0.0.5
access-list 10 permit 10.0.0.26
access-list 10 permit 10.0.0.27
access-list 10 permit 10.0.0.24
access-list 10 permit 10.0.0.25
access-list 10 permit 10.0.0.30
access-list 10 permit 10.0.0.31
access-list 10 permit 10.0.0.28
access-list 10 permit 10.0.0.29
access-list 10 permit 10.0.0.18
access-list 10 permit 10.0.0.19
access-list 10 permit 10.0.0.16
access-list 10 permit 10.0.0.17
access-list 10 permit 10.0.0.22
access-list 10 permit 10.0.0.23
access-list 10 permit 10.0.0.20
access-list 10 permit 10.0.0.21
access-list 10 permit 10.0.0.40
access-list 10 permit 10.0.0.34
access-list 10 permit 10.0.0.35
access-list 10 permit 10.0.0.32
access-list 10 permit 10.0.0.33
access-list 10 permit 10.0.0.38
access-list 10 permit 10.0.0.39
access-list 10 permit 10.0.0.36
access-list 10 permit 10.0.0.37
access-list 10 permit 10.0.0.253
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password ********************************************
 login
!
end
Answer : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem
acl 111 can be this way:
access-list 111 deny ip host 10.0.0.1 any
access-list 111 deny ip host 10.0.0.2 any
access-list 111 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.0.0.255 any
And yes, keep acl 123 as is...
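Added illustration, not part of the original thread and not code from either poster: a small Python model of why the answer's acl 111 fixes the symptom. On IOS the inside-to-outside path applies NAT before it consults the crypto map, so a packet from 10.0.0.0/24 to 192.168.1.0/24 that list 10 permits gets its source rewritten to the Serial0/0 address and then no longer matches access-list 101; it leaves in the clear toward the default route instead of the tunnel. The model assumes acl 111 replaces list 10 in the `ip nat inside source list ... interface Serial0/0 overload` statement; the outside address 66.162.1.1, the destination 203.0.113.9 and the shortened host list are constructed stand-ins for the masked values on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the Serial0/0 address the post shows as 66.162.x.x
SERIAL_OUTSIDE = "66.162.1.1"


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: str             # "any", "host A", "A WILDCARD", or a bare host "A"
    dst: str = "any"     # standard ACLs carry no destination: treated as any


def _match(spec: str, ip: str) -> bool:
    """Match an IOS address spec (any / host A / A WILDCARD / bare A) against ip."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(parts[1])
    base, wild = parts if len(parts) == 2 else (parts[0], "0.0.0.0")
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wild))
    a = int(ipaddress.ip_address(ip))
    keep = ~w & 0xFFFFFFFF      # wildcard bits set to 1 are "don't care"
    return (a & keep) == (b & keep)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if _match(e.src, src) and _match(e.dst, dst):
            return e.action == "permit"
    return False


def build_std_acl_10():
    """The question's standard list 10, shortened to a few of its hosts (constructed)."""
    return [AclEntry("permit", h) for h in ("10.0.0.1", "10.0.0.2", "10.0.0.10", "10.0.0.253")]


# access-list 101 from the question: the crypto map's "match address"
ACL_101_CRYPTO = [AclEntry("permit", "10.0.0.0 0.0.0.255", "192.168.1.0 0.0.0.255")]

# access-list 111 from the answer, assumed here to be the new NAT list.
# The page does not say why hosts .1 and .2 are kept out of the overload.
ACL_111_NAT = [
    AclEntry("deny", "host 10.0.0.1"),
    AclEntry("deny", "host 10.0.0.2"),
    AclEntry("deny", "10.0.0.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    AclEntry("permit", "10.0.0.0 0.0.0.255"),
]


def forward(src: str, dst: str, nat_acl, crypto_acl=ACL_101_CRYPTO):
    """Inside-to-outside order on IOS: NAT decision first, crypto map check second.

    Returns (source address as it leaves Serial0/0, whether the crypto map claimed it).
    """
    if acl_permits(nat_acl, src, dst):
        src = SERIAL_OUTSIDE            # PAT overload onto the Serial0/0 address
    encrypted = acl_permits(crypto_acl, src, dst)
    return src, encrypted


if __name__ == "__main__":
    for label, nat in (("list 10 (original)", build_std_acl_10()), ("acl 111 (answer)", ACL_111_NAT)):
        print(label, "10.0.0.10 -> 192.168.1.5:", forward("10.0.0.10", "192.168.1.5", nat))
        print(label, "10.0.0.10 -> 203.0.113.9:", forward("10.0.0.10", "203.0.113.9", nat))
```

With the original list 10 the model returns ('66.162.1.1', False) for the VPN-bound packet: translated, unencrypted. With acl 111 the same packet stays 10.0.0.10 and is claimed by the crypto map, while Internet-bound traffic from the same host is still overloaded onto the outside address. On the router itself the equivalent checks are `show ip nat translations` (no entries for 192.168.1.x destinations once the deny is in place) and the encaps/decaps counters in `show crypto ipsec sa`.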