Connecting from a remote computer to a remote office using VPN X 2

Unanswered Question
Apr 15th, 2010

Hi All

I have the following problem:

We have two offices that are connected with a VPN. Office 2 has a server that users in Office 1 use. Office 1 has remote users that connect using a VPN client.

Users in Office 1 working under NAT communicate with the server in office 2 without a problem.

The issue is that remote users of Office 1 cannot connect directly to the server in Office 2, i.e. if a remote user wants to communicate with the server, he can't.

I have added a drawing where router 1 is found in Office 1 and router 2 is found in Office 2, as well as the router (1721) configuration.

Any help would be appreciated.


version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname Router
clock timezone est -5
clock summer-time zone recurring
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
no ip domain lookup
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1******R address no-xauth
crypto isakmp client configuration group ******
key *****
domain *****.com
pool ippool
acl 108
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer
set transform-set myset
match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback1
ip address
interface Ethernet0
ip address
ip access-group filterinE0 in
ip access-group filteroutE0 out
ip nat outside
no cdp enable
crypto map clientmap
interface FastEthernet0
description connected to EthernetLAN
ip address
ip nat inside
ip policy route-map nonat
speed auto
interface Serial0
no ip address
router rip
version 2
no auto-summary
ip local pool ippool
ip nat pool Router-natpool-1 netmask
ip nat inside source list 150 pool Router-natpool-1 overload
ip nat inside source static
ip classless
ip route
no ip http server
no ip http secure-server
ip access-list extended filterinE0
permit udp any eq isakmp any eq isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 1701
permit ip any
permit ip any
evaluate infilterE0
deny   ip any any

ip access-list extended filteroutE0
permit ip host any reflect infilterE0
permit ip host any reflect infilterE0
permit ip any reflect infilterE0
permit ip any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp any any eq www
access-list 101 deny   ip any any
access-list 103 permit ip
access-list 108 permit ip
access-list 110 permit ip
access-list 150 deny   ip
access-list 150 permit ip any
route-map nonat permit 11
match ip address 103
set ip next-hop
snmp-server community public RO
snmp-server enable traps tty
radius-server host auth-port 1645 acct-port 1646 key 7 *****
radius-server authorization permit missing Service-Type
line con 0
exec-timeout 0 0
password 7 ****
line aux 0
line vty 0 4
password 7 ****
no scheduler allocate
ntp clock-period 17180216
ntp server
ntp server

Federico Coto F... Thu, 04/15/2010 - 13:26


Let's see if I understand....

If you have a L2L tunnel between both offices, then you are not going to be able to connect from the remote office using the VPN client (if using the same public IP as the L2L connection).

This is because the main office will already have a VPN tunnel established with the public IP of the remote site, and will not permit another VPN connection coming from the same IP. (If the VPN clients connect using another IP, then it will work).

Is this your situation?


amir_prat Thu, 04/15/2010 - 13:32

Hi Federico

I am sorry I was not clear. The remote client is on the road or in a totally different location and public IP, i.e. there is a remote user, Office 1 and Office 2.

The remote user uses vpn client to connect to office 1.



Federico Coto F... Thu, 04/15/2010 - 13:38

Ok, I understand now...

So, the VPN client connects to Office 1 and from there, there's another tunnel (L2L) to Office 2.

The VPN clients should access the server on Office 2 correct?

If so, what you need is to include the VPN pool in the L2L interesting traffic, and include the Office 2 LAN on the VPN client traffic.

In other words,

The crypto ACL for the L2L is:

access-list 110 permit ip

This ACL is encrypting traffic between Office 2 LAN and Office 1 LAN.

You must include in that ACL a line like this:

access-list 110 permit ip x.x.x.x mask  --> x.x.x.x is the pool of VPN clients on Office 1

On the configuration of Router 1, you must also add the in the interesting traffic for the VPN clients.
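
A worked version of the change Federico describes, added here as an example; it is not taken from the thread or from either router's real configuration. All addresses (10.1.0.0/24 for the Office 1 LAN, 10.2.0.0/24 for the Office 2 LAN, 10.10.10.0/24 for the VPN client pool) are invented placeholders standing in for the blanked-out values, the "existing" lines are assumed, and the Router 2 lines assume it uses the same ACL numbers as Router 1. It also carries the Router 2 side, which the thread does not show, because IOS crypto ACLs have to be mirror images for the new pool-to-LAN traffic to get a Phase 2 SA at all.

```cisco
! Added example, not from the thread. Placeholder addressing (all invented):
!   Office 1 LAN       10.1.0.0/24    behind Router 1 FastEthernet0
!   Office 2 LAN       10.2.0.0/24    behind Router 2
!   VPN client pool    10.10.10.0/24  "ip local pool ippool" on Router 1
!
! ===== Router 1 (Office 1, the configuration posted above) =====
!
! ACL 108 is the split-tunnel ACL handed to VPN clients by
! "crypto isakmp client configuration group ... acl 108". Its source
! field lists the networks the client must send through the tunnel.
! Existing line (assumed): Office 1 LAN.
access-list 108 permit ip 10.1.0.0 0.0.0.255 any
! Added line: the Office 2 LAN must also be routed into the tunnel.
access-list 108 permit ip 10.2.0.0 0.0.0.255 any
!
! ACL 110 is the L2L crypto ACL ("match address 110" under clientmap 1).
! Existing line (assumed): Office 1 LAN <-> Office 2 LAN.
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
! Added line: VPN pool -> Office 2 LAN becomes interesting traffic too.
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! ===== Router 2 (Office 2, not shown in the thread; same ACL numbers assumed) =====
!
! Crypto ACLs must mirror each other. Without the second line, Router 2
! rejects the Phase 2 proposal for 10.10.10.0/24 <-> 10.2.0.0/24 and the
! pool never gets an SA, even though Router 1 is correct.
access-list 110 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 10.2.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Keep Office 2 -> pool traffic out of NAT, assuming Router 2 also uses an
! "ip nat inside source list 150 ..." exemption ACL like Router 1's. The deny
! has to sit before the trailing "permit ip any", and a plain "access-list 150"
! line would be appended after it, so insert it with a sequence number.
ip access-list extended 150
 5 deny ip 10.2.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! ===== Checks on Router 1 after the client reconnects =====
! (the split-tunnel ACL is pushed at connect time, so a session that was
!  already up does not learn the new ACL 108 entry)
! show access-lists 108
! show crypto ipsec sa
!   expect an SA with local ident 10.10.10.0/255.255.255.0 and remote ident
!   10.2.0.0/255.255.255.0 whose #pkts encaps and #pkts decaps both rise
!   while the remote user pings the server
```

No NAT change is needed on Router 1 for this traffic: the client's packets are decrypted on Ethernet0 (the `ip nat outside` interface) and leave again through Ethernet0 into the L2L tunnel, so `ip nat inside source list 150` never sees them. The return path from the Office 2 server does start on Router 2's inside interface, which is why the exemption matters there. If the SA in `show crypto ipsec sa` shows encaps rising but decaps stuck at zero, the Router 2 side (mirror ACL or NAT exemption) is the place to look.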


amir_prat Fri, 04/16/2010 - 05:47

Thanks again.

I added the following:

access-list 108 permit ip

access-list 108 permit ip

access-list 110 permit ip

access-list 110 permit ip

where I assume ACL 108, used for remote users, would let clients access Office 2

and ACL 110 would let the remote users access the Office 1 <--> Office 2 VPN.

However, it is still not working...

Thanks for helping.


