routing problem

Unanswered Question
Sep 3rd, 2003
I have a branch office with a 1721 router (192.168.0.1) and a central office with a 2611XM router (192.168.1.1). I also have another 2611XM router (192.168.1.101) in the central office. I implemented VPN between VPN clients and the central office and also between the branch office and the central office (192.168.1.1 router). CVPN clients can access the remote intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101), but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config files from the 1721 and the first 2611XM. What do I have to do on my routers to access network 10.112.192.0/18? (Router 192.168.1.101 has a static route to 192.168.0.0 over 192.168.1.1. This router is not in my control. It makes another VPN to 10.112.192.0/18.)

--

Central Office

Current configuration : 2821 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 $1$CJ.F$XtuSBlPaR7kaMkGvRw.eK0
enable password xxxxxxxx
!
username xxxxx password 0 xxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth
!
crypto isakmp client configuration group xxxxxxxx
 key xxxxxxxx
 dns 192.168.1.100
 domain domain.net
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
 set peer REMOTE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address PUBLIC IP ADDRESS 255.255.255.252
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP ADDRESS
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty66
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
!
!
end



-------------------

Remote office

Current configuration : 1509 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721
!
logging queue-limit 100
enable password 7 xxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address CENTRAL OFFICE PUBLIC IP ADDRESS no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
 set peer CENTRAL OFFICE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
!
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address PUBLIC IP ADDRESS 255.255.255.252
 no ip proxy-arp
 ip nat outside
 speed auto
 crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.112.192.0 255.255.192.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxx
 login
!
end

aretana Wed, 09/03/2003 - 06:31
User Badges:
  • Cisco Employee,

From the first look at it, I would say that the routers in 10.112.192.0/18 don't know how to get back to 192.168.0.0/24. Of course, a trace would help more to identify where the failure is.


The interesting comment you make is: "CVPN clients can access remote Intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101)..." What address space do these CVPN clients belong to? Are they accessing the same (specific) destinations as your branch is?


Alvaro.

mljevakovic Thu, 09/04/2003 - 22:18

IP pool for CVPN clients is 10.1.1.100-10.1.1.200.


There are two situations. 1st: when I'm on the 1721 router (192.168.0.1) via Telnet, I cannot ping any host on LAN 192.168.1.0/24 from the router; also, I cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm telnetted to it. At the same time, any host from these two LANs can ping each other. Is this OK?


2nd: when I make a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18), I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem.
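An added check, not part of the thread: a script that parses the two crypto ACLs (access-list 115 on each router, copied from the configs posted above) and reports any permit entry whose mirror image is missing on the other peer. IOS crypto maps only encrypt traffic that matches the local crypto ACL, so for a LAN-to-LAN tunnel the two ACLs must be mirror images; the remote office lists 10.112.192.0/18 as a destination, but the central office has no matching entry, so return traffic from 10.112.192.0/18 to 192.168.0.0/24 is never matched by the tunnel on the central router.

```python
import ipaddress
import re

# Crypto ACLs as posted on the page (ACL 115 on the central 2611XM and on the remote 1721).
CENTRAL_ACL_115 = """
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
REMOTE_ACL_115 = """
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
"""

# Numbered extended ACE with explicit address/wildcard pairs (the only form used in ACL 115 here).
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

def wildcard_to_network(addr, wildcard):
    """IOS wildcard is an inverted netmask: flip its bits to build the prefix."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Return (action, src_network, dst_network) tuples for each parsable ACE."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _, action, src, swc, dst, dwc = m.groups()
            entries.append((action, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return entries

def missing_mirrors(local_text, peer_text):
    """Peer permit entries whose exact (dst, src) mirror is absent from the local crypto ACL."""
    local = {(s, d) for a, s, d in parse_acl(local_text) if a == "permit"}
    return [(d, s) for a, s, d in parse_acl(peer_text)
            if a == "permit" and (d, s) not in local]

def mirror_ace(acl_number, src, dst):
    """Render the ACE that would complete the mirror on the local side."""
    return (f"access-list {acl_number} permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")

if __name__ == "__main__":
    for src, dst in missing_mirrors(CENTRAL_ACL_115, REMOTE_ACL_115):
        print("central office crypto ACL lacks:", mirror_ace(115, src, dst))
    for src, dst in missing_mirrors(REMOTE_ACL_115, CENTRAL_ACL_115):
        print("remote office crypto ACL lacks:", mirror_ace(115, src, dst))
```

The same mirror rule applies to the NAT-exemption ACL (101 on the central router): traffic that the tunnel carries must also be excluded from overload NAT on both sides, or the source address is translated before encryption.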

