02-05-2007 04:34 AM - edited 03-03-2019 03:37 PM
Hi,
My ADSL router creates VPN connections to my remote sites. This VPN works fine, but I need to give the one network (behind the ADSL) access to servers on another network.
Basically, the VPN connection is created to my VPN router. The router then allows 172.18.44.x to talk to anything advertised on my network. I need to get the above network connected to a network on the 172.20.32.x range.
How would I do that? Is this an access list issue or do I look at the VPN Router?
02-05-2007 04:47 AM
Hi
It's a little unclear what you are trying to achieve. If you merely want to add another network to an existing VPN setup then you just need to modify the crypto map access-lists at both ends of the VPN.
If I have misunderstood please explain further.
HTH
Jon
02-05-2007 04:57 AM
It's a bit difficult to explain. I have a VPN setup for my network and the entry points are at 2 different sites. Connections into the VPN are fine. Users are able to browse network resources as if they were on my network.
I now need to connect a user from one network made via VPN into mine to another network made via VPN to mine.
What configs can I give you?
02-05-2007 05:10 AM
Brad
Yes you can do this. What you are trying to do is have spoke to spoke communication via the hub site where the hub site is you and the spoke sites are the two remote sites.
Here is a link to do just that:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
HTH
Jon
02-06-2007 10:38 AM
How and where would I configure split tunneling. Could that perhaps fix this problem?
I think what's happening here is that the VPN connection is using the default gateway of the remote network?
Am I right in saying that?
02-06-2007 11:16 AM
Brad
I might have misunderstood your requirements. This is what I thought you needed:
Site A is your main site.
Site B is a remote site that connects to Site A via a VPN tunnel.
Site C is another remote site that connects to Site A via VPN.
You now need a user at Site B to be able to talk to Site C via Site A. Is this correct ?
Split tunneling is about sending some traffic down the VPN tunnel but other traffic not, and is more to do with client VPNs than site-to-site VPNs.
So when the user at Site B wants to talk to a machine at Site C, do you want it to go via your Site A through the VPN tunnels? If you do, the document I pointed you to should allow you to set this up.
If you need something else please let me know.
Jon
02-06-2007 12:23 PM
In a manner of speaking you are correct.
Site A - My network
Site B - Remote site connecting to Site A via ADSL using VPN Tunnel
Site C - Client network connecting to Site A via diginet line.
The goal here is to get Site B connected to a host on Site C via Site A.
The common thing here is Site A. We have access setup on Site to connect to all sites including site C.
Therefore when the ADSL router makes the VPN tunnel / connection to Site A it's as if Site B is now on Site A's network. Therefore Site B should technically be able to connect to a host on Site C ..... but it ain't working like that .....
Site B users have to create a 2nd VPN connection from their windows workstations and then only are they able to connect to hosts on Site C.
You all still with me? What the problem is?
02-06-2007 01:08 PM
Ok Brad, I understand the requirement.
Can you clarify whether the clients at Site B are using client VPNs on their laptops or whether the VPN is a site-to-site VPN from the remote router to Site A.
Also if you could post the config of the Site A VPN device that would help.
Jon
02-07-2007 03:19 AM
The router (B) creates a site (B)-to-site (A) VPN connection. What I have tried is to make a separate VPN connection from the user PC (Windows based) and this still did not work. The connection still times out.
When I do a trace to the host (Site C) I am trying to connect to, it goes via the Internet and not via the VPN connection to Site A.
Is this an access-list issue?
Site A is using a Cisco 2650 through which all my VPN connections come in.
Do you still want the config for Site A?
02-07-2007 03:52 AM
Brad
If a trace goes via the Internet then yes, you will need to modify the access-lists on your devices.
On site B router you will have to add Site C subnets to the crypto map access-list.
On site C router you will need to add Site B subnets to the crypto map access-list.
On Site A you will need to update both crypto access-lists for both Site B & Site C.
HTH
Jon
02-07-2007 04:49 AM
Are you referring to the SDM_RMAP statements?
02-07-2007 05:05 AM
Brad
Sorry, never used SDM. What I'm referring to is that in your config on the routers there will be some crypto map entries. Under the crypto map statement there will be a "match address x" statement, where x is an access-list on your router.
This is the access-list you need to change.
Jon
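As an added illustration of the two replies above (the crypto map access-lists that must be updated at each end, and the "match address" line that ties the ACL to the crypto map), here is an example IOS fragment. It is not from the thread or from the Cisco document linked earlier; the Site A LAN (10.0.0.0/24), the peer address, the transform-set and the ACL and map names are assumed, while 172.18.44.0/24 (Site B) and 172.20.32.0/24 (Site C) are the subnets named in the thread.

```cisco
! Site A (hub) -- crypto ACL for the Site B tunnel must now also cover
! traffic between Site C and Site B, so that it is encrypted toward B
ip access-list extended VPN-TO-SITE-B
 permit ip 10.0.0.0 0.0.0.255 172.18.44.0 0.0.0.255
 permit ip 172.20.32.0 0.0.0.255 172.18.44.0 0.0.0.255
!
! the "match address" line is what selects the ACL above (assumed names)
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES-SHA
 match address VPN-TO-SITE-B
!
! Site B (spoke) -- mirror image of the hub ACL; without the second line
! packets for 172.20.32.x follow the ADSL default route to the Internet
ip access-list extended VPN-TO-SITE-A
 permit ip 172.18.44.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
!
! Site B -- the same traffic must be exempted from NAT on the ADSL side,
! otherwise it is translated before it can match the crypto ACL
ip access-list extended NAT-INSIDE
 deny   ip 172.18.44.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
 permit ip 172.18.44.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! If Site C were itself a VPN spoke (as Jon's reply assumes), its crypto
! ACL would need the corresponding line:
!  permit ip 172.20.32.0 0.0.0.255 172.18.44.0 0.0.0.255
```

Two checks to make after the change: `show crypto ipsec sa` on the Site B router should show a security association with local/remote identities covering 172.20.32.0/24 once traffic is sent, and the Site C side (or the WAN router it sits behind) needs a return route for 172.18.44.0/24 pointing at the Site A VPN router, or replies will take a different path.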
02-07-2007 05:09 AM
Thanks .... I now know where to begin.
02-07-2007 05:16 AM
At Site A I have a 3640 which the VPN connection is made into, and I also have a PIX firewall which controls access into my network. From both devices I can ping the host on Site C. So it means both devices can get to it.
If I do a trace to that host it goes via the WAN router (Site A) that Site C is connected to. So the routes exist and it doesn't look like I need to send it through my PIX first ..... right?
02-07-2007 05:27 AM
Brad
Is the 3640 router the one that Site C is connected to or is that a different router ?
Jon