route traffic to VPN

Answered Question
Aug 2nd, 2007

Hi,

We would like to access the PC from R3 (192.168.16 and 192.168.17) on the R1 (192.168.100 and 192.168.101) segment. There is one VPN between R1 and R2, and we would like to make use of that VPN session to do it. However, we cannot ping the 192.168.100.0 segment. Is anything missing? Please advise.

Best regards

Following is the config for your reference.

R3
---
! 192.168.16.1
!
inter fastether 0
 ip address 192.168.16.1 255.255.255.0
!
inter fastether 0
 ip address 192.168.17.1 255.255.255.0
!
inter serial 0
 ip address 172.16.254.17 255.255.255.252
!
! a static route takes a subnet mask, not a wildcard: 192.168.100.0/23 via R2
ip route 192.168.100.0 255.255.254.0 172.16.254.18

R2
------
! 192.168.31.0
!
inter fastether 2
 ip address 192.168.31.1 255.255.255.0
!
inter serial 0
 ip address 172.16.254.18 255.255.255.252
!
crypto isakmp key owt address 203.x.x.x
!
crypto map mymap 104 ipsec-isakmp
 description VPN from 192.168.31.0 segment to tw 192.168.100.0/23 segment
 set peer 203.x.x.x
 set transform-set myset
 match address 104
!
! crypto ACL: local source first, remote destination second; addresses must be valid dotted quads
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
!
! a static route takes a subnet mask, not a wildcard: 192.168.16.0/23 via R3
ip route 192.168.16.0 255.255.254.0 172.16.254.17

----

R1
---
! 192.168.100.1
!
crypto isakmp key owt address 200.x.x.x
!
crypto map mymap 104 ipsec-isakmp
 description VPN to hk
 set peer 200.x.x.x
 set transform-set myset
 match address 104
!
! crypto ACL: the mirror image of R2's ACL 104
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
!
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.101.1 255.255.255.0

jdevoll Thu, 08/02/2007 - 18:28

It looks like access-list 104 isn't including the right traffic but there isn't enough information given to be sure.

What is the IP address of the PC?

Am I correct in saying that you want to access the PC from both 192.168.16.1 and 192.168.17.1?

leungcm Thu, 08/02/2007 - 18:39

Hi,

Yes, from 192.168.16.5 (or 192.168.17.5) to PC 192.168.100.200 and 192.168.101.200.

Thanks

Best regards

sundar.palaniappan Thu, 08/02/2007 - 19:22

The traffic from R1 to R3 and vice versa is missing from the crypto access list. Add this config and try.

R2:

access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.17.0 0.0.0.255 192.168.101.0 0.0.0.255

R1:

access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.17.0 0.0.0.255

HTH

Sundar

Correct Answer
jdevoll Thu, 08/02/2007 - 19:49

The following ACL will specifically allow 16.5 and 17.5 to 100.200 and 101.200 and vice versa. You may or may not want to make it more inclusive, but this does exactly what you asked for, no more.

R1

access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
! host entries mirror the R2 lines below: 100.200 <-> 16.5 and 101.200 <-> 17.5
access-list 104 permit ip host 192.168.100.200 host 192.168.16.5
access-list 104 permit ip host 192.168.101.200 host 192.168.17.5

R2

access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip host 192.168.16.5 host 192.168.100.200
access-list 104 permit ip host 192.168.17.5 host 192.168.101.200

Pavel Bykov Thu, 08/02/2007 - 23:32

When setting up ACLs for crypto maps, you have to specify traffic in BOTH directions. Use the advice from the posts above, and it should work.
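Added check for the both-directions rule above (not code from the thread or from Cisco): it parses `permit ip` crypto ACL lines from two peers, flags entries whose (dst, src) mirror is missing on the other side, and rejects malformed addresses like `192.168.100.1.0`. The sample ACLs are constructed from the configs in this thread.

```python
import ipaddress
import re

# Constructed sample, not taken from any live router: R2's crypto ACL as
# posted (one malformed line, R3's subnets absent) against R1's ACL with
# one of the lines suggested in the thread added.
R2_ACL = """
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.1.0 0.0.0.255
"""
R1_ACL = """
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.16.0 0.0.0.255
"""
_ADDR = r"(?:host (\S+)|(\S+) (\S+))"  # 'host X' or 'X wildcard'
_LINE = re.compile(rf"^access-list \d+ permit ip {_ADDR} {_ADDR}$")

def _network(host, addr, wildcard):
    """Turn one ACL address spec into an IPv4Network; ValueError on junk."""
    if host is not None:
        return ipaddress.ip_network(host)
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):  # e.g. 0.0.1.0 is not an inverted subnet mask
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_crypto_acl(text):
    """Return ({(src, dst), ...} as network strings, [unparseable lines])."""
    entries, errors = set(), []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            errors.append(line)
            continue
        try:
            src, dst = _network(*m.group(1, 2, 3)), _network(*m.group(4, 5, 6))
        except ValueError as exc:
            errors.append(f"{line}: {exc}")
            continue
        entries.add((str(src), str(dst)))
    return entries, errors

def mirror_gaps(local_text, remote_text):
    """Entries on each peer whose exact mirror (dst, src) the other peer lacks."""
    local, errs = parse_crypto_acl(local_text)
    remote, more = parse_crypto_acl(remote_text)
    return (sorted(local - {(d, s) for s, d in remote}),
            sorted(remote - {(d, s) for s, d in local}), errs + more)
```

Run `mirror_gaps(R2_ACL, R1_ACL)`: the two R1 entries without an R2 mirror come back as the second list, and the malformed R2 line is reported instead of being silently accepted.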
