09-03-2003 06:05 AM - edited 03-02-2019 10:03 AM
I have a branch office with a 1721 router (192.168.0.1) and a central office with a 2611XM router (192.168.1.1). I also have another 2611XM router (192.168.1.101) at the central office. I implemented a VPN between VPN clients and the central office, and also between the branch office and the central office (the 192.168.1.1 router). CVPN clients can access the remote intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101), but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config files, from the 1721 and the first 2611XM. What do I have to do on my routers to access network 10.112.192.0/18? (Router 192.168.1.101 has a static route to 192.168.0.0 via 192.168.1.1. This router is not under my control. It makes another VPN to 10.112.192.0/18.)
--
Central Office
Current configuration : 2821 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 $1$CJ.F$XtuSBlPaR7kaMkGvRw.eK0
enable password xxxxxxxx
!
username xxxxx password 0 xxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth
!
crypto isakmp client configuration group xxxxxxxx
key xxxxxxxx
dns 192.168.1.100
domain domain.net
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer REMOTE PUBLIC IP ADDRESS
set transform-set myset1
match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address PUBLIC IP ADDRESS 255.255.255.252
ip nat outside
no ip mroute-cache
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP ADDRESS
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty66
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxx
!
!
end
-------------------
Remote office
Current configuration : 1509 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721
!
logging queue-limit 100
enable password 7 xxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxxxx address CENTRAL OFFICE PUBLIC IP ADDRESS no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
set peer CENTRAL OFFICE PUBLIC IP ADDRESS
set transform-set myset1
match address 115
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
half-duplex
!
interface FastEthernet0
ip address PUBLIC IP ADDRESS 255.255.255.252
no ip proxy-arp
ip nat outside
speed auto
crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.112.192.0 255.255.192.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
password 7 xxxxxx
login
!
end
09-03-2003 06:31 AM
From a first look at it, I would say that the routers in 10.112.192.0/18 don't know how to get back to 192.168.0.0/24. Of course, a trace would help more to identify where the failure is.
The interesting comment you make is: "CVPN clients can access remote Intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101)..." What address space do these CVPN clients belong to? Are they accessing the same (specific) destinations as your branch is?
Alvaro.
09-04-2003 10:18 PM
IP pool for CVPN clients is 10.1.1.100-10.1.1.200.
There are two situations. 1st: when I'm on the 1721 router (192.168.0.1) via Telnet, I cannot ping any host on LAN 192.168.1.0/24 from the router; likewise, I cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm telnetted to it. At the same time, any host on these two LANs can ping each other. Is this OK?
2nd: when I run a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18), I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without a problem.
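The two posted configurations, checked mechanically. This is an added example for this thread, not code from any of the posts: a small Python script that parses the numbered ACL, crypto map and route-map lines of an IOS running-config and checks two things a site-to-site IPsec pair on IOS needs. First, each peer's crypto ACL (the list named by `match address`) must be the exact mirror of the other's, because the proxy identities proposed in IKE phase 2 are taken from those entries. Second, the NAT route-map must not permit any flow the crypto ACL permits, because inside-to-outside NAT runs before the crypto map on egress and a translated packet no longer matches the crypto ACL. The sample input is constructed from the crypto-relevant lines of the two configs in the first post; all other lines are trimmed. The `permits()` helper evaluates one flow the way IOS evaluates an ACL (first match wins, implicit deny), which is the check to run when a ping sourced from the router itself behaves differently from one sourced by a LAN host: a router-originated packet carries the address of its egress interface unless `ping ... source` is used.

```python
"""Audit a pair of IOS site-to-site IPsec configs: crypto ACL symmetry and NAT exemption.

Added example for this thread, not code from the original posts.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]            # (action, source network, destination network)
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS 'address wildcard' -> CIDR. Wildcard 1-bits are 'don't care' (a hostmask)."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = ~hostmask & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address operand at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text: str):
    """Return (acls, crypto_acls, routemap_acls) from an IOS running-config.

    acls:          {"115": [(action, src, dst), ...]}   'ip' entries of numbered ACLs
    crypto_acls:   {("clientmap", "5"): "115"}           static crypto-map entry -> match address
    routemap_acls: {"nonat": "101"}                      route-map name -> match ip address ACL
    Indentation is ignored, so configs pasted without leading spaces parse the same.
    """
    acls: Dict[str, List[Entry]] = {}
    crypto_acls: Dict[Tuple[str, str], str] = {}
    routemap_acls: Dict[str, str] = {}
    current: Optional[Tuple[str, str]] = None   # crypto-map entry whose sub-lines we are in
    route_map: Optional[str] = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) >= 4 and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _operand(t, 4)
            dst, _ = _operand(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3].isdigit():
            # 'crypto map NAME SEQ ipsec-isakmp [dynamic DYNMAP]'; dynamic entries carry no ACL
            current = None if "dynamic" in t else (t[2], t[3])
            route_map = None
        elif t[:2] == ["match", "address"] and current is not None:
            crypto_acls[current] = t[2]
        elif t[0] == "route-map" and len(t) >= 2:
            route_map, current = t[1], None
        elif t[:3] == ["match", "ip", "address"] and route_map is not None:
            routemap_acls[route_map] = t[3]
    return acls, crypto_acls, routemap_acls


def permits(acl: List[Entry], src: str, dst: str) -> bool:
    """Evaluate an ACL as IOS does: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def mirror_gaps(local: List[Entry], remote: List[Entry]) -> List[Tuple[Net, Net]]:
    """Flows permitted by the local crypto ACL whose exact reverse the peer does not permit."""
    remote_flows = {(s, d) for action, s, d in remote if action == "permit"}
    return [(s, d) for action, s, d in local if action == "permit" and (d, s) not in remote_flows]


def nat_leaks(crypto_acl: List[Entry], nonat_acl: List[Entry]) -> List[Tuple[Net, Net]]:
    """Crypto flows the NAT route-map would translate first (so they never match the crypto ACL)."""
    return [(s, d) for action, s, d in crypto_acl if action == "permit"
            and permits(nonat_acl, str(s.network_address), str(d.network_address))]


def audit(local_cfg: str, remote_cfg: str) -> dict:
    """Audit one peer's config against the other's; findings returned as plain data."""
    acls, cmaps, rmaps = parse_config(local_cfg)
    r_acls, r_cmaps, _ = parse_config(remote_cfg)
    local_crypto = [e for acl in cmaps.values() for e in acls.get(acl, [])]
    remote_crypto = [e for acl in r_cmaps.values() for e in r_acls.get(acl, [])]
    nonat = [e for acl in rmaps.values() for e in acls.get(acl, [])]
    return {"missing_mirror_on_peer": mirror_gaps(local_crypto, remote_crypto),
            "translated_before_encrypt": nat_leaks(local_crypto, nonat)}


# Constructed sample input: the crypto-map, ACL and route-map lines of the two
# configurations posted in this thread, everything else trimmed away.
CENTRAL_OFFICE = """\
crypto map clientmap 5 ipsec-isakmp
 set peer REMOTE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
"""

REMOTE_OFFICE = """\
crypto map test 5 ipsec-isakmp
 set peer CENTRAL OFFICE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
route-map nonat permit 10
 match ip address 110
"""

if __name__ == "__main__":
    for name, mine, peer in (("remote office", REMOTE_OFFICE, CENTRAL_OFFICE),
                             ("central office", CENTRAL_OFFICE, REMOTE_OFFICE)):
        print(name, audit(mine, peer))
```

On the posted configs the script reports one asymmetry: the remote office's ACL 115 permits 192.168.0.0/24 to 10.112.192.0/18, and the central office's ACL 115 has no entry for 10.112.192.0/18 to 192.168.0.0/24, while NAT exemption is consistent on both routers. It checks configuration consistency only; whether the routers inside 10.112.192.0/18 have a route back to 192.168.0.0/24, the point Alvaro raises, is not visible in these configs.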