
Site to Site vpn using sr520 and sr520w

9 years 5 months ago #38660 by MDInfo
Hi everyone and thanks again for the help.
So I have a little lab that I have set up for practice purposes.
I would like to say that this website has been a great source of information, as the info is clear and detailed; that's why I'm posting on this website.


Here is the config:

R520: 100.100.100.3 on fast 4
vlan 75: 192.168.75.0 255.255.255.0

R520W: 100.100.100.4 on fast 4
vlan 75: 192.168.55.0 255.255.255.0


Between them is a small router: 100.100.100.1 (my simulated internet, if I could say so).

Using CCP I have followed the wizard to set up the site to site VPN between the 2 SR520s: the tunnel has been tested and is up.
The trick I am struggling with is that the data between 192.168.55.x and 192.168.75.x does not pass.
I managed to get ICMP and other traffic to pass using the ACL.



The thing I don't understand is why data is not allowed by default from the start to pass from one network to the other.

What I am guessing is that I did something wrong from the start. If I try to ping or do other things I get this message from the console:

drop action found in policy-map with ip ident 0

The same goes from 100.100.100.3 to 192.168.55.x and from 100.100.100.4 to 192.168.75.x.



I have found that it is my firewall that blocks the data from going through, but I have done everything to allow traffic between the 2 networks.

It is slowly starting to work as I allow ICMP and other protocols to pass through.



Is there any best practice to follow so I won't get into this trouble? Is there a way to clearly indicate from the beginning what I want to do with the site to site VPN so ALL data will flow without any issue?



If you need it, I will post the config.

Thanks!
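As an added example, not the poster's own config and not what CCP generated: an IOS zone-based firewall configuration for the SR520 side (LAN 192.168.75.0/24) that permits the tunnelled traffic in both directions. It assumes the firewall is zone-based (which the "drop action found in policy-map" message indicates), that FastEthernet4 is the outside interface and Vlan75 the inside one as in the post, and the zone, class-map, policy-map and ACL names are made up for the example.

```cisco
! Added example (not the poster's config): IOS zone-based firewall on the
! SR520 whose LAN is 192.168.75.0/24. Zone/class/policy/ACL names are made up.
!
! Traffic that should cross the tunnel: same subnets as the crypto ACL.
ip access-list extended VPN-TO-SITE-B
 permit ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255
ip access-list extended VPN-FROM-SITE-B
 permit ip 192.168.55.0 0.0.0.255 192.168.75.0 0.0.0.255
!
class-map type inspect match-all CM-VPN-OUT
 match access-group name VPN-TO-SITE-B
class-map type inspect match-all CM-VPN-IN
 match access-group name VPN-FROM-SITE-B
!
! Inside -> outside: inspect the site-to-site traffic so replies are
! allowed back; everything else is dropped and logged. A real config
! would also inspect ordinary internet-bound traffic in this policy.
policy-map type inspect PM-IN-OUT
 class type inspect CM-VPN-OUT
  inspect
 class class-default
  drop log
!
! Outside -> inside: decrypted packets enter from Fast4 with the inner
! addresses 192.168.55.x -> 192.168.75.x. Without an explicit class here
! the OUT->IN pair drops them, which is what the console message reports.
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-IN
  inspect
 class class-default
  drop log
!
zone security IN
zone security OUT
interface Vlan75
 zone-member security IN
interface FastEthernet4
 zone-member security OUT
!
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUT destination IN
 service-policy type inspect PM-OUT-IN
```

The mirror image (subnets swapped) goes on the SR520W. IKE and ESP addressed to the router itself belong to the self zone, which passes traffic unless a zone-pair involving self is configured, so the tunnel can come up even while the LAN-to-LAN policy is still missing.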
9 years 5 months ago - 9 years 5 months ago #38663 by kev972
Normally the traffic that has to be encrypted is identified by the crypto ACL on a router / split tunnel ACL on an ASA.
So, even if it is an ASA, pings are not blocked by default for VPN traffic unless you have an ACL for that.
Can you post the run-conf of both routers?
When you try to do a ping, for example from device 1 in router A to device 2 in router B through the site to site VPN, what are you pinging?
The remote inside gateway or a device inside the remote LAN?
Last edit: 9 years 5 months ago by kev972.