Site-to-site VPN: problem with permit ip?

Answered Question
May 2nd, 2010

Dear All,

I have a question to ask you: I have a problem with a site-to-site VPN. Let me tell you ...

At HQ I have an ASA 5510 (for the Internet connection) and a Router 2811 linked to the branch by a VPN connection. At the branch we use a Router 1841.

So in the configuration on the Cisco 2811 and 1841, when I permit ip any any, the branch can access the Internet (I mean that HQ shares its Internet with the branch).

But when I permit ip only between specific hosts/networks, the branch can access HQ but they cannot access the Internet.

Could you let me know how the branch can access the Internet?

Best Regards,
Rechard

Federico Coto F... Sun, 05/02/2010 - 18:40

Hi,

Do you want the branch office to have Internet through the site-to-site tunnel, or without going through the tunnel?

To allow Internet through the tunnel, the interesting traffic should be from the inside network(s) to any.

To allow Internet without going through the tunnel (in clear-text), the interesting traffic has to be just between inside networks.

What exactly is not working?

Federico.

rechard_hk Mon, 05/03/2010 - 00:12

Dear Federico,

Thank you for your question!!!

For the Internet connection we don't care whether it goes through the site-to-site tunnel or outside the VPN tunnel ...

I just need the clients at the branch to be able to access the Internet shared from HQ.

Could you let me know how I can do this?

Best Regards,

Rechard

Jennifer Halim Sun, 05/02/2010 - 18:42

Can you share a topology diagram of your network? Also, does your ASA firewall include a NAT statement for your branch office subnets for Internet access, and does the ASA know how to route the traffic back towards the LAN-to-LAN tunnel between the 2 routers?

rechard_hk Mon, 05/03/2010 - 00:27

Dear halijenn,

Ok, let me show you my diagram and some configuration as below:

On ASA

access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.289.12.1
route inside 192.168.0.0 255.255.0.0 192.168.11.2

On Core-Switch

ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.10.0 255.255.255.0 192.168.12.1

On Router 2811 (HQ)

ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 192.168.10.0 255.255.255.0 192.168.15.2
ip access-list extended ACL_VPN
 permit ip any any

On Branch Router (1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
 permit ip any any

The configuration above works for sharing the Internet from HQ to the branch. But when I change the VPN access list on the 2811 and 1841 routers as below, the Internet doesn't work, although clients at the branch can still access HQ.

On Router 2811 (HQ)

ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 192.168.10.0 255.255.255.0 192.168.15.2
ip access-list extended ACL_VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

On Branch Router (1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

I don't know why it doesn't work for the Internet connection only.

rajatsetia Mon, 05/03/2010 - 03:20

The drawing didn't come out well, kindly upload it again.

And I think the config in red is a typo; as per the details provided by you, it should be 12.0. Otherwise the VPN won't come up, as the ACLs need to be mirror images of each other.

Are you using any proxy, or is every IP getting NATed at the ASA to access the Internet?

On Branch Router (1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

rgds
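
Federico's point about which flows are "interesting" (inside-to-any sends Internet traffic through the tunnel, inside-to-inside does not) and the point above that the two crypto ACLs must be mirror images can be checked against the configs posted in this thread. The following is an added example, not code from the thread or from Cisco; the wildcard-mask helper, the `_take` parser helper and the sample branch client address 192.168.10.5 are my own constructions.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the thread: models how an IOS crypto-map ACL
# ("interesting traffic") picks flows for the IPsec tunnel; addresses are the ones posted.

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (inverted netmasks); 0.0.0.255 -> /24."""
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{netmask}", strict=False)

def _take(tok, i):
    """Consume one address spec (any | host A | A wildcard) at tok[i]."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'permit ip <src> <dst>' entries into (src_net, dst_net) pairs."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["permit", "ip"]:
            raise ValueError("only 'permit ip' entries are modelled: " + line)
        src, i = _take(tok, 2)
        dst, _ = _take(tok, i)
        entries.append((src, dst))
    return entries

def is_interesting(acl, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL and is encrypted."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def is_mirror(hq_acl, branch_acl):
    """Peers' crypto ACLs must be mirror images or the SA will not negotiate."""
    return {(s, d) for s, d in hq_acl} == {(d, s) for s, d in branch_acl}

ANY_ANY = parse_acl(["permit ip any any"])                # first config posted
HQ_SPECIFIC = parse_acl([                                 # second config, HQ 2811
    "permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255"])
BRANCH_SPECIFIC = parse_acl([                             # branch 1841, 112.0 typo fixed
    "permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255",
    "permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"])
BRANCH_AS_POSTED = parse_acl([                            # branch 1841 exactly as posted
    "permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255",
    "permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"])
```

With the specific ACLs a branch client's packet to the Internet is not interesting, so it is not encrypted and simply follows the branch router's default route in clear text; whether it then gets NATed and returned correctly along that path is what the rest of the thread is troubleshooting.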

rechard_hk Mon, 05/03/2010 - 18:49

Dear rajatsetia,

Thank you for your answer!!!

Yes, my mistake: 192.168.112.0 should be 192.168.12.0.

I don't have a proxy; every IP is getting NATed at the ASA to access the Internet.

But it doesn't work when I permit specific IP addresses.

Best Regards,
Rechard

rajatsetia Tue, 05/04/2010 - 04:34

Dear Rechard,

A couple of things:

- Confirm that ACL_VPN is only used for VPN purposes and is not applied on any interface.

- To troubleshoot this problem, you can do the following:

  - Create a loopback interface with an IP address outside the IP range of the VPN interesting traffic.

  - Troubleshoot on a hop-by-hop basis: first create the loopback on the HQ router and try to ping the loopback from the branch, then do the same on the HQ switch. This way you can pinpoint where the problem is.

I'm not able to really think of the exact issue, so I'm relying on some basic troubleshooting.

Regards

Rajat

rechard_hk Tue, 05/04/2010 - 19:02

Dear rajatsetia,

Thank you for your advice.

At the HQ router, for the WAN interface I use 192.168.15.1.

Should I assign loopback IP 192.168.15.200, right?

At the branch router, for the WAN interface I use 192.168.15.2.

Should I assign loopback IP 192.168.15.201, right?

How about the ASA, do we need to add something on the ASA?

Best Regards,

Rechard

rajatsetia Wed, 05/05/2010 - 03:19

Hi,

I hope the subnet of the point-to-point link (192.168.15.1/.2) is a /30. In this case you can use 192.168.15.200 as the loopback on the HQ router, as the 15.0 range is not part of the VPN traffic.

Also, please confirm you have not applied any ACL on any of the interfaces (branch, HQ router, switch, ASA). I hope ACL_VPN is only used for VPN purposes.

Regards.

rechard_hk Wed, 05/05/2010 - 03:39

Dear rajatsetia,

It's OK, for the /30 subnet I can change it to /24.

Could you let me know more about the loopback interface? I'm really not clear on loopbacks: when I create a loopback interface, how does it work (I mean, how does it help the branch access the Internet via HQ)?

Best Regards,

Rechard

rajatsetia Wed, 05/05/2010 - 03:56

Don't change it to /24; /30 is perfect.

Make an interface on the HQ router:

interface loopback 0
 ip address 192.168.15.200 255.255.255.255
 exit

Then on the HQ router, kindly check if you are getting a route for this IP:

show ip route 192.168.15.200

Then try to ping this loopback IP address from the branch router.

** Kindly confirm about the ACL which I asked in my last two posts.

regards,

rechard_hk Wed, 05/05/2010 - 19:43

Dear rajatsetia,

Thank you for your time and support!!!!

I will follow your steps to configure the loopback interface.

And I will let you know the result.

Do I need to add some route or not?

Best Regards,

rechard

Correct Answer
rajatsetia Wed, 05/05/2010 - 23:48

No need of any route.

I am still waiting for your reply on the ACL, and it is an important input to the puzzle. If you can answer that, we may not need to go through all the troubleshooting.

I will be able to give you a response by tomorrow, as a few hours from now I will be travelling for the whole day.

Regards,
