04-23-2008 11:06 PM - edited 02-21-2020 01:59 AM
Hi, I have 2 Cisco 1811 routers with the advanced IP services IOS on them. I currently have everything communicating properly, but I need to add another VLAN to each router and can't get it to be recognized. Here is the setup:
R1 Vlan1 is 10.10.10.0/24 network
R2 Vlan1 is 10.10.20.0/24 network
over IPSEC VPN Tunnel
I need to add a Vlan2 10.7.1.0/24 network on R1
and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.
I already created the VLANs in the VLAN database and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing? I am positive I configured the access lists wrong or something.
Please help!
Thank you
Domenick
04-25-2008 02:55 AM
Domenick,
Can you supply the configs please, with sensitive information removed of course!
04-25-2008 06:33 AM
04-25-2008 06:47 AM
Do you only want the new VLANs to talk to each other over the VPN, or do you want VLAN 1 on both sites to be able to route also?
04-25-2008 08:53 AM
Yes, I need both VLAN 1 and VLAN 2 to route over the VPN.
04-26-2008 01:27 AM
I would add:-
R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Current:-
!
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
ADD to the above ACL the below (the "ip" protocol keyword is required in an extended ACL entry):-
permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
!
Current:-
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ADD to the above ACL the below:-
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Current:-
!
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
remark IPSec Rule
permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
!
ADD to the above ACL the below (the "ip" protocol keyword is required in an extended ACL entry):-
permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
Current:-
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
ADD to the above ACL the below:-
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
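The reason the additions above come in matched pairs is that a crypto ACL on one IPsec peer must be the mirror image of the crypto ACL on the other: if R1 permits A -> B, R2 must permit B -> A, or the proxy identities will not agree and no SA is built for that pair. The following Python script is an added example, not code from anyone in this thread; it parses IOS extended ACL entries (named "permit ip ..." lines and numbered "access-list N permit ip ..." lines, including "host" and "any") and reports which entries each side is missing. The embedded ACLs are constructed from the SDM_2 lists quoted in the post above, once as they stood before the change and once with the proposed lines added.

```python
import ipaddress

# Constructed sample input: the R1 and R2 SDM_2 crypto ACLs as quoted in the
# thread, before the proposed additions.
R1_BEFORE = """\
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
"""

R2_BEFORE = """\
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
"""

# The same two ACLs with the lines proposed in the thread appended.
R1_AFTER = R1_BEFORE + """\
 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
"""

R2_AFTER = R2_BEFORE + """\
 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    The wildcard is the inverted subnet mask, so it is inverted explicitly
    rather than handed to ipaddress, which would read 0.0.0.0 as a /0 netmask.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_endpoint(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return the set of (src, dst) IPv4Network pairs permitted by an extended ACL.

    Only 'permit ip' entries define interesting traffic for a crypto map, so
    remarks, deny entries and other protocols are skipped.
    """
    flows = set()
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 2 and t[0] == "access-list":
            t = t[2:]  # drop the 'access-list <number>' prefix of a numbered ACL
        if len(t) < 4 or t[0] != "permit" or t[1] != "ip":
            continue
        src, i = parse_endpoint(t, 2)
        dst, _ = parse_endpoint(t, i)
        flows.add((src, dst))
    return flows


def mirror_gaps(local, remote):
    """Entries each side would need for the two crypto ACLs to be mirror images.

    Returns (missing_on_local, missing_on_remote): for every remote A->B the
    local side must have B->A, and vice versa.
    """
    missing_local = {(d, s) for (s, d) in remote} - local
    missing_remote = {(d, s) for (s, d) in local} - remote
    return missing_local, missing_remote


def describe(flows):
    """Sorted 'src -> dst' strings, convenient for printing and for assertions."""
    return sorted(f"{s} -> {d}" for s, d in flows)


if __name__ == "__main__":
    for label, r1, r2 in (("before", R1_BEFORE, R2_BEFORE), ("after", R1_AFTER, R2_AFTER)):
        miss_r1, miss_r2 = mirror_gaps(parse_crypto_acl(r1), parse_crypto_acl(r2))
        print(f"[{label}] R1 lacks the mirror of: {describe(miss_r1)}")
        print(f"[{label}] R2 lacks the mirror of: {describe(miss_r2)}")
```

Run against the "before" lists it shows that R1 lacks 10.7.1.0/24 -> 10.10.20.0/24 and R2 lacks 10.7.2.0/24 -> 10.10.10.0/24, exactly the gaps the post fills; with the additions applied both sides come back empty. The same check can be pointed at the "show access-list" output from a real pair of routers before clearing the SAs.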
04-28-2008 12:28 PM
I added all the ACLs described, but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network, or back the other way.
04-28-2008 02:13 PM
Are the ACLs being hit? Provide the output of "show access-list".
Can you see the IPsec SAs with the new ACLs in them? Provide the output of "sh crypto ipsec sa".
04-28-2008 03:49 PM
04-29-2008 12:33 AM
The encryption domains are in the IPsec SA = good. No packets encrypted or decrypted = bad.
The ACLs for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.
Add "ip nat inside" to the vlan 2 interfaces on both sites.
04-29-2008 06:22 AM
I added the "ip nat inside" and it seems that there is some activity going on. I still can't ping a host on either network from either router, but then again I can't ping any host from any router on the opposite side. Any insight into that?
I have attached the output of the "show access-list" command and the "show crypto" again.
04-29-2008 06:52 AM
The ACLs are being hit, and you are no longer NATing the internal-to-internal IP traffic. The crypto SA looks OK, apart from some packet number mismatch.
What debugging have you done? Have you performed any traceroutes? Have you debugged the IP NAT? Have you debugged any ICMP? All of these will give an idea of what the issue could be.
You may want to try clearing down the IPSEC VPN and let the routers form a new one, this sometimes helps.