route traffic to VPN

leungcm
Level 1

Hi,

We would like to access the PCs on the R3 segments (192.168.16 and 192.168.17) from the R1 segments (192.100.0 and 192.168.101). There is one VPN between R1 and R2, and we would like to make use of that VPN session to do it. However, we cannot ping the 192.168.100.0 segment. Is anything missing? Please advise.

Best regards

Following is the config for your reference.

R3

---

! 192.168.16.1
!
interface FastEthernet0
 ip address 192.168.16.1 255.255.255.0
!
! second LAN interface (posted as "fastether 0" as well; assumed here to be a separate interface)
interface FastEthernet1
 ip address 192.168.17.1 255.255.255.0
!
interface Serial0
 ip address 172.16.254.17 255.255.255.252
!
! a static route takes a subnet mask, not a wildcard (posted as 0.0.1.255)
ip route 192.168.100.0 255.255.254.0 172.16.254.18

R2

------

! 192.168.31.0
!
interface FastEthernet2
 ip address 192.168.31.1 255.255.255.0
!
interface Serial0
 ip address 172.16.254.18 255.255.255.252
!
crypto isakmp key owt address 203.x.x.x
!
crypto map mymap 104 ipsec-isakmp
 description VPN from 192.168.31.0 segment to tw 192.168.100.0/23 segment
 set peer 203.x.x.x
 set transform-set myset
 match address 104
!
! crypto ACL (the posted lines read 192.168.100.0.0 and 192.168.100.1.0; corrected to valid addresses)
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
!
! a static route takes a subnet mask, not a wildcard (posted as 0.0.1.255)
ip route 192.168.16.0 255.255.254.0 172.16.254.17

----

R1

! 192.168.100.1
!
crypto isakmp key owt address 200.x.x.x
!
crypto map mymap 104 ipsec-isakmp
 description VPN to hk
 set peer 200.x.x.x
 set transform-set myset
 match address 104
!
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
!
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.101.1 255.255.255.0

1 Accepted Solution

Accepted Solutions

The following ACL will specifically allow 16.5 and 17.5 to 100.200 and 101.200 and vice versa. You may or may not want to make it more inclusive, but this does exactly what you asked for, no more.

R1

access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
! host entries mirror the R2 lines below (posted as "host 192.168.100.0" and "host 192.168.101.0"; corrected to the PC addresses)
access-list 104 permit ip host 192.168.100.200 host 192.168.16.5
access-list 104 permit ip host 192.168.101.200 host 192.168.17.5

R2

access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip host 192.168.16.5 host 192.168.100.200
access-list 104 permit ip host 192.168.17.5 host 192.168.101.200

5 Replies

jdevoll
Level 1

It looks like access-list 104 isn't including the right traffic but there isn't enough information given to be sure.

What is the IP address of the PC?

Am I correct in saying that you want to access the PC from both 192.168.16.1 and 192.168.17.1?

Hi,

Yes, from 192.168.16.5 (or 192.168.17.5) to PC 192.168.100.200 and 192.168.101.200.

Thanks

Best regards

The traffic from R1 to R3 and vice versa is missing from the crypto access list. Add this config and try.

R2:

! (posted as 192.168.100.0.0 and 192.168.101.0.0; corrected to valid addresses)
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.17.0 0.0.0.255 192.168.101.0 0.0.0.255

R1:

access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.17.0 0.0.0.255

HTH

Sundar

Pavel Bykov
Level 5

When setting up an ACL for crypto maps, you have to specify traffic in BOTH directions. Use the advice from the posts above, and it should work.
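As an added check (not code from this thread or from any poster), the following Python parses both peers' crypto ACLs and verifies the two points raised in the accepted solution and in the reply above: that the PC-to-PC traffic is actually selected for encryption, and that every entry on one peer has its mirror image on the other. It assumes nothing beyond the "access-list N permit ip" line format quoted in the thread, and it goes slightly beyond the thread by checking a whole numbered ACL rather than four fixed lines.

```python
import ipaddress
import re

# Parses "access-list N permit ip <src> <dst>" entries (network + wildcard, or
# "host A.B.C.D") into (src_net, dst_net) pairs, then checks the two things this
# thread turns on: is the traffic selected by the crypto ACL at all, and is every
# entry mirrored on the peer?
_PERMIT = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(.+)$")
def _wildcard_to_network(addr, wildcard):
    # Wildcard bits are the inverse of a netmask; a malformed address such as
    # 192.168.100.0.0 (as posted above) raises ValueError instead of parsing.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
def _take_endpoint(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
def parse_crypto_acl(config_text, acl_number):
    """Return the (src_net, dst_net) pairs of one numbered ACL in config_text."""
    entries = []
    for line in config_text.splitlines():
        m = _PERMIT.match(line.strip())
        if m and m.group(1) == acl_number:
            src, rest = _take_endpoint(m.group(2).split())
            dst, _ = _take_endpoint(rest)
            entries.append((src, dst))
    return entries
def covers(entries, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches the crypto ACL, i.e. gets encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def missing_mirrors(local_entries, peer_entries):
    """Local entries whose mirror image (dst, src) the peer does not have."""
    mirrored = {(dst, src) for src, dst in peer_entries}
    return [e for e in local_entries if e not in mirrored]

# Constructed sample: the thread's R1 and R2 ACLs with the host entries added.
R1_ACL = """
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip host 192.168.100.200 host 192.168.16.5
access-list 104 permit ip host 192.168.101.200 host 192.168.17.5
"""
R2_ACL = """
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip host 192.168.16.5 host 192.168.100.200
access-list 104 permit ip host 192.168.17.5 host 192.168.101.200
"""
```

Running `missing_mirrors(parse_crypto_acl(R1_ACL, "104"), parse_crypto_acl(R2_ACL, "104"))` in both directions returns empty lists for the corrected ACLs, while the original R2 ACL (only the 192.168.31.0/24 source) fails `covers(..., "192.168.16.5", "192.168.100.200")`.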
