trouble configuring pair of SA520 over point-to-point WAN to link two...

[Guest]

Can anybody advise me please?  we;re trying to setup a permanent point-to-point link for VOIP traffic between two offices. We are unable to communicate from LAN on SA520 #1 to LAN on SA520(#2),yet we can ping to the distant WAN ports from PCs on either LAN end OK. Not sure if we have a gateway, routing or setting issue - or if we are meant to setup some dedicated VPN link. We
e using a pair of PCs and PING to test the connection on the bench with cross over cables on the WAN port to simplify. Office ONE has a SA520 we want to link to Office TWO using another SA520, via a point-to-point dedicated BDSL WAN service.The cross over cable linking the two WAN ports, is trying to simulate that target BDSL WAN service during testing. The ISP provider for the BDSL advises that the IP mask for the target usage of the BDSL line needs to be 255.255.255.252.So weve set that as the mask on the WAN port of each router. We
e testing the setup using a cross-over cable wbetween the two WAN ports of the TWO SA520, with a test PC on each respective LAN. Fresh out of the box, weve then made the following changes using the web-based interface: 1.  Weve unticked the block ICMP and unticked the blocking of PINGs for WAN under:  Firewall-> Attacks. 2.  We
e trying to set Office #1 on subnet:  192.168.110.x    (with 110.1 as the SA520 (#1)  LAN IP) mask:  255.255.255.0     and Office #2  on subnet                       192.168.112.x    (with 112.1 as the SA520 (#2)  LAN IP) mask:  255.255.255.0 3.  We are using a cross over cable to test the WAN between the two Cisco routers, with     Office #1 WAN           192.168.102.1    mask:  255.255.255.252 gateway: 192.168.102.2 (pointing towards Office #2 WAN)     Office #2 WAN           192.168.102.2    mask:  255.255.255.252 gateway: 192.168.102.1 (pointing back to Office #1 WAN) 4.  We have turned NAT OFF. 5.  We don beleive we need any static routes, because the two OFFICE SUBNETS should be reachable using the above GATEWAYS. 6.  We have turned on DHCP on both ends, with Office #1 providing dhcp to       192.168.110.11 thru .254                                                               and  Office #2 providing dhcp to       192.168.112.11 thru .254 7.  When we connect test PC1   to Office #1 LAN port,  we successfully get IP: 192.168.110.118.  and a second test PC2          at Office #2 LAN port,                         get IP: 192.168.112.11 9.  We can sit on PC1 and successfully ping (from 192.168.110.11)  to             192.168.102.1  and    192.168.102.2      ****   BUT we cannot ping to the distant Cisco 192.168.112.1  or the PC2 connected there on       192.168.112.1110. We can do the exact opposite sitting on PC2 (from 192.168.112.11)         to   192.168.102.2  and 192.168.102.1      ****   BUT we cannot ping to the distant Cisco        192.168.110.1 or the PC1 connected there on 192.168.110.11 What setting have we overlooked?Do we have to apply any firewall rules?  ( we assume NO rules means 100% permitted access)Do we have to enable rules to permit ICMP packets to each LAN?Is the MASK wrong on the WAN?Do we need to set the DNS?  (we
e only using IPs).... There is no web traffic involved.Are we meant to create some sort of VPN - or can we simply rely on gateways to route the packets?  Gary

[Guest]

Hi Gary, You were almost there. The first thing needed is to make sure Classical Routing is enabled and not NAT.  Next you have to create firewall rules to allow all traffic to and from each network be allowed to go through.  Please see attached screen shots for sample changes.  There is no need to use VPN in your configuration. Hope this helps you on your way,Julio

[Guest]

Thanks Julio. Great help, thankyou.   Yes, I had to put it into Classical router, and forget all  about VPN, and then add two rules in the firewall to permit traffic to flow from LAN to WAN, and from  WAN to LAN.   Both SA520s now running back-to-back with ping tests OK! Good to have help from the Forum like this,  much appreciated. DELCARED:  **FIXED** Cheers

[Guest]

Hi Gary, Don forget to mark Julios post as the one that answered your question. Thanks,Cindy ToyCisco Community ManagerSmall Business Support