07-08-2009 10:34 AM - edited 03-04-2019 05:22 AM
We have a client who would like their remote sites to send all http and other traffic through the hq router. They also have applications such as inventory and sales using the same link to hq.
On the access-lists I deny all traffic from being NATed on the remote site routers and push it into the tunnel instead. This is not helping, and traffic is still being dropped on the hq router when I trace to the internet.
What would you suggest I play with?
site1-----hq------site2
Thanks in advance,
07-08-2009 11:11 AM
If you want ALL traffic to go from remote site to HQ, then your ipsec acl needs to allow all local traffic to any destination through the tunnel like:
crypto map VPN 5
match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
That would force anything from the local 192.168.1.0 subnet through the tunnel.
What devices are controlling the two end points of the tunnel? Routers or ASA? Can you post configs and a topology?
HTH,
John
07-08-2009 12:21 PM
Hello,
Thanks for your response. The end points of the tunnel are routers, in particular 1841 at central site and 851W for remote sites. I have tried as suggested but traffic drops at the gateway for hq router. What is the source address at the time the packet hits? hq or remote site public IP?
07-08-2009 12:36 PM
If you want to allow absolutely all traffic through the tunnel, you can remove your nat configs on the remote router. Is there a firewall or anything that could be dropping the traffic on the HQ side?
You can also get rid of your route statements. When the ipsec tunnel is created, the "route" is what's allowed through the tunnel. So, here's what I would do in order:
1. Make a backup of your remote site router.
2. Remove nat configs from fa4, vlan1, and bvi1
3. remove the ip nat inside x.x.x.x.x statement
4. remove route-map
Your tunnels will still come up when it sees that you need to go to the 192.168.1.0 subnet through your crypto map peer statement.
Also, I noticed that your acl on HQ is listed under one crypto map. Crypto acls should mirror each other, but you have:
HQ: 192.168.1.0 192.168.2.0
192.168.1.0 192.168.3.0
Since you're only using one crypto map, it's going to try to match these networks on BOTH of your remote routers. So, I would create another crypto map for just your two separate networks:
crypto map to-site1 10
set peer 41.222.x.3
match address site1
access-list site1 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map to-site1 20
set peer 41.222.x.4
match address site2
access-list site2 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
The above would match the remote's crypto acl of "192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255" (but in reverse).
You'll still just have the one crypto map, but with different sequence numbers. If you decide to go with these changes, make sure you do them after hours because your tunnels will come down until the change is made.
One last thing, if you remove the nat config on the remote router and they decide it's too much traffic on HQ and want to revert back, you'll need to redo your nat configs again.
Remember *Make backups* :)
HTH,
John
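A small checker for the two points raised in these replies (the "permit ip ... any" crypto ACL that forces everything through the tunnel, and the requirement that HQ and remote crypto ACLs mirror each other per peer). This is an added example, not configuration from the thread; it parses the access-list lines in the format John posted, and the HQ and site1 snippets are constructed from the addresses in the thread.

```python
"""Verify that IPsec crypto ACLs on two IOS routers are mirror images."""
from ipaddress import IPv4Network

# Constructed snippets (not from the thread's real configs).
HQ_SINGLE_ACL = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
HQ_PER_SITE_ACLS = """
access-list site1 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list site2 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
SITE1_REMOTE = "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"


def _net(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS address + wildcard mask pair into a network.

    A wildcard is the inverted subnet mask, so its set bits must be contiguous
    low-order bits; strict=True rejects host bits set in the address.
    """
    wc = int(IPv4Network(wildcard + "/32").network_address)
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return IPv4Network((addr, 32 - wc.bit_length()), strict=True)


def _parse_target(tokens: list) -> tuple:
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acls(config: str) -> dict:
    """Map ACL name/number -> list of (src_net, dst_net) from permit ip lines."""
    acls: dict = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _parse_target(t[4:])
            dst, _ = _parse_target(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return acls


def mirror_problems(hq_entries: list, remote_entries: list) -> dict:
    """Entries on either side whose (dst, src) reverse is missing on the other."""
    hq, remote = set(hq_entries), set(remote_entries)
    return {
        "remote_without_hq_mirror": [e for e in remote if (e[1], e[0]) not in hq],
        "hq_without_remote_mirror": [e for e in hq if (e[1], e[0]) not in remote],
    }
```

Run against the single-ACL HQ config, the checker reports the 192.168.3.0 entry as having no mirror on site1 (the mismatch John points out); against the per-site ACLs it reports nothing.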