[c-nsp] Site to site VPN

Brian Feeny signal at shreve.net
Wed Feb 9 13:12:50 EST 2005



Also tell us what equipment this is at each end, IOS or PIX VPN?
If you can include portions of your config that would help too.  There
are different commands to check things depending on whether it's IOS or PIX,
and that would help us drill down on what you need to do to diagnose the problem.

Brian

On Feb 9, 2005, at 7:22 AM, Justin M. Streiner wrote:

> On Wed, 9 Feb 2005, simon.pitwood wrote:
>
>> Hope someone out there can help, I have two sites connected with site to
>> site VPN and my understanding is that they should be able to see each
>> other's LANs and PCs?  I have set this up but this is not the case, if I
>> take control of a machine in one office I cannot ping or see the other
>> office's LAN etc.
>
> Setting up a site-to-site VPN between two points, by itself, is not
> necessarily enough to be able to see everything on a remote network.
> Do the IKE (phase 1) and IPsec (phase 2) negotiations complete
> successfully?  In other words, do you see that the tunnel itself is up?
>
> 1) The VPN tunnel endpoints need to know how to route traffic to and accept
>  	traffic from the remote networks.  How this is accomplished varies
>  	from device to device, but it's often done with an access list (IOS
>  	routers, PIXes, etc).
> 2) Very often, companies use RFC 1918 address space for their internal
>  	networks.  This is a Good Thing, but can create some additional
>  	headaches in setting up a VPN.  If the private address space used
>  	by the two networks overlaps at all - i.e. both use
>  	192.168.1.0/24, or one uses 192.168.0.0/20 and the other uses
>  	192.168.6.0/24, etc - then the traffic that gets sent through the
>  	VPN tunnel needs to be NAT'd in both directions.  Cisco has
>  	documentation on this on their website.  I might be able to dig
>  	some up, if needed, though it will take time.
> 3) Do the VPN endpoints have access lists written to permit traffic
>  	between the tunnel and the rest of the network?  Are they
>  	configured to route return traffic back through the VPN?
> 4) Are there additional routers or firewalls between the VPN endpoints on
>  	either side, and the rest of that site's internal network?  If so,
>  	those may need to be checked for access lists/routes/etc too.
>  	Some companies I've seen will land their VPN tunnels in a DMZ
>  	network, then that traffic has to be carried through an internal
>  	router or firewall to get to the inside.
>
> hope this helps
> jms
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612
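The checks in Justin's points 1-3 (crypto access lists on both ends, overlapping RFC 1918 space, and whether the traffic you are testing with would even be selected for the tunnel) can be modelled offline before you go staring at debug output. The script below is an added example written for this archive page; it is not code from either poster and it does not talk to a router. It takes the two sites' LAN prefixes and the "permit ip <src> <dst>" lines of each end's crypto ACL (as CIDR pairs) and reports overlaps that would force NAT, crypto ACL entries that the far end does not mirror, and whether a given source/destination pair matches the crypto ACL at all. All prefixes and ACL entries are constructed sample data.

```python
"""Offline sanity checks for a site-to-site IPsec VPN (added example).

Models three of the things to verify when hosts behind two VPN endpoints
cannot reach each other:
  * do the two sites' private ranges overlap (then NAT is needed both ways),
  * is each end's crypto ACL the mirror image of the other's,
  * would the test traffic actually be selected for encryption.
Everything below is constructed sample data, not a real site.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[Net, Net]  # (source prefix, destination prefix) of one permit line


def parse_acl(entries: Iterable[Tuple[str, str]]) -> List[Rule]:
    """Turn ("src/len", "dst/len") pairs, i.e. the 'permit ip <src> <dst>'
    lines of a crypto ACL, into network objects."""
    return [(ipaddress.ip_network(s, strict=False),
             ipaddress.ip_network(d, strict=False)) for s, d in entries]


def overlapping_prefixes(lans_a: Iterable[str], lans_b: Iterable[str]) -> List[Tuple[str, str]]:
    """Prefix pairs, one from each site, that share at least one address.
    Any hit means traffic through the tunnel has to be NATed in both directions."""
    a = [ipaddress.ip_network(p, strict=False) for p in lans_a]
    b = [ipaddress.ip_network(p, strict=False) for p in lans_b]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]


def mirror_mismatches(acl_a: List[Rule], acl_b: List[Rule]) -> List[Tuple[str, str]]:
    """Entries in A's crypto ACL that B does not carry as the reversed (dst, src).
    A non-mirrored proxy identity is a classic reason phase 2 fails or only
    one direction of traffic ever makes it through."""
    mirrored = {(d, s) for s, d in acl_b}
    return [(str(s), str(d)) for s, d in acl_a if (s, d) not in mirrored]


def selected_for_tunnel(acl: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """Would a packet src -> dst match the crypto ACL and be encrypted?
    A ping sourced from the router's own outside address never matches the
    LAN-to-LAN entries, so it neither brings the SA up nor tests it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acl)


def audit(lans_a, lans_b, acl_a: List[Rule], acl_b: List[Rule]) -> List[str]:
    """Collect human-readable findings for the two sites."""
    findings = []
    for x, y in overlapping_prefixes(lans_a, lans_b):
        findings.append(f"overlap: {x} (site A) and {y} (site B) -> NAT required")
    for s, d in mirror_mismatches(acl_a, acl_b):
        findings.append(f"crypto ACL not mirrored: A permits {s} -> {d}, B lacks {d} -> {s}")
    for s, d in mirror_mismatches(acl_b, acl_a):
        findings.append(f"crypto ACL not mirrored: B permits {s} -> {d}, A lacks {d} -> {s}")
    return findings


# Constructed sample configuration (hypothetical sites A and B).
SITE_A_LANS = ["192.168.1.0/24"]
SITE_B_LANS = ["192.168.2.0/24"]
CRYPTO_ACL_A = parse_acl([("192.168.1.0/24", "192.168.2.0/24")])
CRYPTO_ACL_B_BAD = parse_acl([("192.168.2.0/24", "192.168.1.0/25")])   # wrong mask on B
CRYPTO_ACL_B_GOOD = parse_acl([("192.168.2.0/24", "192.168.1.0/24")])  # proper mirror

if __name__ == "__main__":
    print("-- mis-matched crypto ACLs --")
    for line in audit(SITE_A_LANS, SITE_B_LANS, CRYPTO_ACL_A, CRYPTO_ACL_B_BAD):
        print(line)
    print("-- overlapping address space (the /20 vs /24 case from the thread) --")
    for line in audit(["192.168.0.0/20"], ["192.168.6.0/24"], CRYPTO_ACL_A, CRYPTO_ACL_B_GOOD):
        print(line)
    print("ping from outside IP selected for tunnel:",
          selected_for_tunnel(CRYPTO_ACL_A, "203.0.113.1", "192.168.2.10"))
    print("ping from LAN host selected for tunnel:  ",
          selected_for_tunnel(CRYPTO_ACL_A, "192.168.1.10", "192.168.2.10"))
```

The last two lines are the point that bites most people with Simon's symptom: a ping issued from the router itself (sourced from its outside interface) does not match the LAN-to-LAN crypto ACL, so the tunnel never comes up for it; test from a host on the inside, or source the ping from the inside interface.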


