Routing between two remote sites connected via site to site VPN

rbdrake22
Level 1

I'm having a problem pinging between remote sites. Right now the crypto and no-NAT ACLs for the different sites just affect traffic between the remote site and the main site. I tried adding routes and adding the other subnets to the crypto and no-NAT ACLs at the remote sites... nothing has worked. Any ideas?

Main Site:

192.168.100.0 - Call Manager / Phone VLAN

192.168.1.0/24 - Data VLAN

Site 1:

192.168.70.0/24 - Phone VLAN

192.168.4.0/24 - Data VLAN

Site 2:

192.168.80.0/24 - Phone VLAN

192.168.3.0/24 - Data VLAN

Main Router

Extended IP access list ACL5
    10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
    40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
    50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Extended IP access list ACL6
    10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255

Extended IP access list NO-NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
    40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
    320 permit ip 192.168.1.0 0.0.0.255 any
    330 permit ip 192.168.100.0 0.0.0.255 any

Site 1:

ip access-list extended ACL5
permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended NO-NAT
deny   ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any

Site 2:

ip access-list extended ACL6
permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended NO-NAT
deny   ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

What do I need to do so these two sites can ping each other? I've looked through the forums but can't seem to find anybody with a similar problem that received a definitive answer.

Thanks in advance!

Accepted Solution

Ivan Martinon
Level 7

Hi there, I am assuming you need site 1 and site 2 to reach each other via the Main site, right? If this is the case then you need to add the following lines to your crypto ACLs:

Main Router

Extended IP access list ACL5
    permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Extended IP access list ACL6
    permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

Make sure you add these lines before the last permits.

Extended IP access list NO-NAT
    deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

Site 1:

ip access-list extended ACL5
permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

Make sure those lines are added before the last permits.

ip access-list extended NO-NAT
deny   ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
deny   ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

Site 2:

ip access-list extended ACL6
permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

As well, make sure these lines are added before the last permits.

ip access-list extended NO-NAT
deny   ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
deny   ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

So pretty much you are telling your routers with these definitions that the remote sites (sites 1 and 2) are going to be reached via the main one.

Let me know if this is what you need.

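As an added example (not part of the thread, and not either poster's configuration), the Python script below checks the two properties the accepted answer depends on. On the hub, the spoke-to-spoke pairs have to appear in both crypto ACLs: traffic from Site 2 to Site 1 is decrypted at the main router and then has to match ACL5 to be re-encrypted toward Site 1, and IOS needs each crypto ACL to be the exact mirror image of the peer's. On every router the matching NO-NAT deny lines must sit above the trailing `permit ... any`, because IOS applies inside-to-outside NAT before it evaluates the crypto map, so a flow that is still translated never matches the crypto ACL. The script parses the posted ACL text in both the `show access-list` form and the `ip access-list extended` form, reports crypto ACL entries with no mirror image on the peer, and reports crypto-protected flows that the NO-NAT ACL would still translate. The sample strings are transcribed from the main-router and Site 1 ACLs above; the function and variable names are the example's own.

```python
"""Lint the crypto ACLs and the NO-NAT ACL of a hub-and-spoke IOS IPsec design.
Check 1: each permit in the hub's crypto ACL for a peer must have its exact mirror
image (source/destination swapped) in that peer's crypto ACL, and vice versa.
Check 2: each flow a crypto ACL protects must hit a deny in NO-NAT before the trailing
"permit <lan> any": IOS applies inside-to-outside NAT before the crypto map, so a flow
that is still translated never matches the crypto ACL."""
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (192.168.4.0 0.0.0.255) into a network."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # only a contiguous low-order wildcard maps to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)

def _take_addr(tokens):
    """Consume one address spec (any | A WILDCARD) from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse `ip access-list extended` config or `show access-list` output into an
    ordered list of (action, src, dst); header lines and sequence numbers are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():  # sequence number in show output
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)
        aces.append((tokens[0], src, dst))
    return aces

def _flow(src, dst):
    return f"{src} -> {dst}"

def protected_flows(crypto_acl):
    """The (src, dst) pairs a crypto ACL selects for encryption."""
    return {(s, d) for action, s, d in crypto_acl if action == "permit"}

def mirror_gaps(hub_acl, spoke_acl):
    """Return (flows missing on the spoke, flows missing on the hub), both written
    from the hub's point of view; two empty lists mean the ACLs mirror exactly."""
    hub = protected_flows(hub_acl)
    spoke = {(d, s) for s, d in protected_flows(spoke_acl)}  # spoke ACL, mirrored
    return sorted(_flow(*f) for f in hub - spoke), sorted(_flow(*f) for f in spoke - hub)

def first_match(acl, src, dst):
    """Action of the first ACE covering the flow; IOS ends every ACL with an implicit deny."""
    for action, ace_src, ace_dst in acl:
        if src.subnet_of(ace_src) and dst.subnet_of(ace_dst):
            return action
    return "deny"

def nat_leaks(crypto_acls, nonat_acl):
    """Crypto-protected flows that NO-NAT would still translate (first match is a permit)."""
    leaks = set()
    for acl in crypto_acls:
        for src, dst in protected_flows(acl):
            if first_match(nonat_acl, src, dst) == "permit":
                leaks.add(_flow(src, dst))
    return sorted(leaks)

# Sample ACL text, constructed from the main-router and Site 1 ACLs posted in the thread.
HUB_ACL5 = """Extended IP access list ACL5
    10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
    40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
    50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
"""
HUB_ACL5_NEW = """    permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
SITE1_ACL5 = """ip access-list extended ACL5
 permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
"""
SITE1_ACL5_NEW = """ permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# The NO-NAT deny entries are the crypto ACL permits with the action flipped.
SITE1_NONAT_DENY = SITE1_ACL5.replace("permit", "deny")
SITE1_NONAT_DENY_NEW = SITE1_ACL5_NEW.replace("permit", "deny")
SITE1_NONAT_PERMIT = " permit ip 192.168.70.0 0.0.0.255 any\n permit ip 192.168.4.0 0.0.0.255 any\n"

if __name__ == "__main__":
    print("hub updated, Site 1 not:", mirror_gaps(parse_acl(HUB_ACL5 + HUB_ACL5_NEW), parse_acl(SITE1_ACL5)))
    bad_order = parse_acl(SITE1_NONAT_DENY + SITE1_NONAT_PERMIT + SITE1_NONAT_DENY_NEW)
    print("NO-NAT leaks with the new denies after the permits:", nat_leaks([parse_acl(SITE1_ACL5 + SITE1_ACL5_NEW)], bad_order))
```

Running the hub's updated ACL5 against the unchanged Site 1 ACL5 reports the four spoke-to-spoke flows that Site 1 still has to mirror; appending the new NO-NAT denies after the existing `permit ... any` lines (the mistake the answer warns about) reports the same four flows as leaking into NAT, while inserting them before the permits reports nothing. The same functions can be pointed at ACL6 and the Site 2 configuration.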

3 Replies
That worked perfectly.  I appreciate your help!

Excellent, make sure you mark the question answered and do rate useful posts.
