|
|
|
Question : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem
|
|
Hi,
I have set up a VPN between a Cisco 2611 and a Netscreen 5XP. The VPN
shows as up but I cannot ping any hosts. Here is the config from the
2611. Any sugesstions are greatly appreciated. The internal network
on the Cisco side is 10.0.0.0 and the Netscreen side is 192.168.1.0
Thanks,
Building configuration...
Current configuration : 4399 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 88888
!
no logging console
enable secret 5 ********
!
ip subnet-zero
no ip source-route
!
!
ip domain-name **********************
ip name-server 168.215.x.x
ip name-server 216.136.x.x
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 500
crypto isakmp key **** address 66.25.x.x
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
!
!
!
crypto map rtp 1 ipsec-isakmp
set peer 66.25.x.x
set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
match address 101
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
description Royal LAN connected to the 2900XL
ip address 10.0.0.254 255.255.255.0 secondary
ip address 66.192.x.x 255.255.255.240
ip nat inside
no ip route-cache
no ip mroute-cache
half-duplex
!
interface Serial0/0
description Time Warner T1 at 1.544 Mbs
ip address 66.162.x.x 255.255.255.252
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
crypto map rtp
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
ip nat inside source list 10 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.162.x.x Router at ISP
no ip http server
!
access-list 10 permit 10.0.0.10
access-list 10 permit 10.0.0.11
access-list 10 permit 10.0.0.8
access-list 10 permit 10.0.0.9
access-list 10 permit 10.0.0.14
access-list 10 permit 10.0.0.15
access-list 10 permit 10.0.0.12
access-list 10 permit 10.0.0.13
access-list 10 permit 10.0.0.2
access-list 10 permit 10.0.0.3
access-list 10 permit 10.0.0.1
access-list 10 permit 10.0.0.6
access-list 10 permit 10.0.0.7
access-list 10 permit 10.0.0.4
access-list 10 permit 10.0.0.5
access-list 10 permit 10.0.0.26
access-list 10 permit 10.0.0.27
access-list 10 permit 10.0.0.24
access-list 10 permit 10.0.0.25
access-list 10 permit 10.0.0.30
access-list 10 permit 10.0.0.31
access-list 10 permit 10.0.0.28
access-list 10 permit 10.0.0.29
access-list 10 permit 10.0.0.18
access-list 10 permit 10.0.0.19
access-list 10 permit 10.0.0.16
access-list 10 permit 10.0.0.17
access-list 10 permit 10.0.0.22
access-list 10 permit 10.0.0.23
access-list 10 permit 10.0.0.20
access-list 10 permit 10.0.0.21
access-list 10 permit 10.0.0.40
access-list 10 permit 10.0.0.34
access-list 10 permit 10.0.0.35
access-list 10 permit 10.0.0.32
access-list 10 permit 10.0.0.33
access-list 10 permit 10.0.0.38
access-list 10 permit 10.0.0.39
access-list 10 permit 10.0.0.36
access-list 10 permit 10.0.0.37
access-list 10 permit 10.0.0.253
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password ********************************************
login
!
end
|
Answer : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem
|
|
acl 111 can be this way:
access-list 111 deny ip host 10.0.0.1 any
access-list 111 deny ip host 10.0.0.2 any
access-list 111 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.0.0.255 any
And yes, keep acl 123 as is...
|
|
|
|
