Since the configuration for NAT was already in the configuration I assumed that it was needed. And as written the address translation would prevent the site B to site C VPN from working. The choices are either to remove the configuration of address translation (which I believe would be a mistake) or to make sure that the translation does not attempt to translate traffic between B and C over the VPN.

HTH

Rick

Hello Richard,

When I applied the following commands Network went down and also applied cypto map 138 entry

access-list 138 deny   ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 138 deny   ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255

access-list 138 permit ip 10.11.4.0 0.0.0.255 any

Actually 192.168.0.0 is connected to head office and 10.11.4.0 and 10.11.10.0 are branch offices. I am trying to connect between brnach offices.

Here what I observed.

If I apply the following command Computers  remote site was able to reach only to Oracle Server at head office and Internet at Branch office was down.

access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255

When I applied these Two commands Network came up. Inetrnet and Oracle server was working and were reachable.

access-list 138 deny   ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 138 permit ip 10.11.4.0 0.0.0.255 any.

Let me know. Am I doing anything wrong? Actually I applied access-list 138. I was able to access remotely via putty but users at remote site were not able to use Internet as well as their connection to head office was disconnected. Help needed. Thank you.

Lili

You mention applying various access lists but it is not clear how you applied the access lists and it seems that you are a bit confused about them. So let me try to explain what you need. You need one crypto map which is applied to the outgoing/public interface. In the single crypto map are two instances. 10 is for the VPN to site A and 20 is the instance for the VPN between B and C. You need 2 access lists for VPN. Access list 135 is used in crypto map 10 for site A VPN and access list 101 is used in crypto map 20 for B to C VPN. You need 1 access list for address translation. This access list should deny traffic from the local subnet to the subnet of site A and to the subnet of the other branch and then should permit traffic from the local subnet. If you configure and apply the access lists in this way I do not see why any connectivity would be impacted.

HTH

Rick

Hi Lili,

according to the ping result you have a problem with access-list

I make a clean up in your access-list and I will post the correct one.

regards,

Hello Hardi,

Thank you for the reply. I am waiting for your configuration. Please post it if possible. Thanks again.

Hello,

the NAT configruration is not correct. please remove the current configuration but you have to apply this configuration through a consol cable.

for site B change the NAT & NAT access list as a below:

ip access-list extended NAT_ACL_B

deny  ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255

permit ip 10.11.4.0 0.0.0.255

ip nat inside source list NAT_ACL_B interface FastEthernet 0/0 overload

also apply below configuratioin for Site_C:

ip access-list extended NAT_ACL_C

deny   ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 10.11.10.0 0.0.0.255

ip nat inside source list NAT_ACL_C interface FastEthernet 0/0 overload

make sure you have the same configuration on HQ Router.

Hello Hardi,

Actually head office private network is 192.168.0.0/16 <----- SITE A

I am trying to connect Between Site B to Site C.

Now I will make it simple for you to understand.

Site B network is 10.11.4.0/24 and Site c Network is 10.11.10.0/24

However, Site B and C are already connected to head office"Site A" and their SIte to Site VPN is UP. I want to configure between Site B and Site C. Without disturbing Site to Site VPN connectivity of both branches which is Site B and Site C which are already connected to Site A which is Head office.

We have to add 1 extra VPN in Site B and Site C. We should create a tunnel between both of them.

So here you suggested me to delete access list as well as NAT entry. Here are your steps which I edited please check if both of them are correct, in additional if you want to add anything or correct it. Please remove add and correct.

ip access-list extended NAT_ACL_B

deny  ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255

deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 10.11.4.0 0.0.0.255

ip nat inside source list NAT_ACL_B interface FastEthernet 0/0 overload

also apply below configuratioin for Site_C:

ip access-list extended NAT_ACL_C

deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255

deny ip 10.11.10.0 0.0.0.255 10.11.4.0  0.0.0.255

permit ip 10.11.10.0 0.0.0.255

ip nat inside source list NAT_ACL_C interface FastEthernet 0/0 overload

Actually I am trying to learn here sorry for troubling you. Also clear my doubt what we have to configure at match address in crypto map configuration?

crypto map VPN_ITC 20 ipsec-isakmp

set peer  87.101.54.74

set transform-set VPN_ITC_TS

match address "101" <--------

Please let us solve this problem. Thank you.

Hi Lili,

you added Site IP address, the NAT process is correct as well as the ACL.

for each map you have to creat a policy and can match with its the specific address. site B&A should mutch in address 101 and sites B &C should match in address 135.

please apply this and let me know about the result.

regards,

Hello Hardi,

I know I am troubling you sorry for that. Its looking little bit tuff to me. However, I tried method which is in configuration

it didn't work, As you told me that Nat and access list has to be configured and existing configuration have to be removed.  Could you please post the access-list and Nat configuration from Site A to Site B and Site A to C then followed by our configuration from Site B to Site C. Our main focus is on Site-B to Site-C. Then Site C to Site B. Well its a mess. Any help will be very very helpful as I am trying to learn. Lets solve this issue.

Note: Public IP for SIte A 87.101.158.218 and Private IP 192.168.0.0/16

         Public IP for Site B 87.101.54.74 and Private IP 10.11.4.0/24

         Public IP for Site C 87.101.80.94 and Private IP 10.11.10.0/24

Note: IPs are edited and changed. Just for Understanding.

Hello Lili,

depending on your IP addresses that you provided I creat a template for each site. 

first of all, please provide below requested information:

1- what is the current status VPN connection between the different sites, wht is VPN state in each site?

2- end-users can get access to internet service or not?

3- what kind of service you want to be active through using VPN connection?

4- what is the perpose of creating VPN connection between site B and C?

please don't hesitate to contact.

regards,

Hello Hardi,

1. Site to Site VPN is UP from Site-A head office to Site B branch office and from Site-A Head office to Site-B branch office. Now requirement is we need to add additional VPN from Site B to SIte C. Just let us forget about SIte A connectivity. As we know VPN is already up from SIte A for both SITE B and C Branches. We are here to focus on Site B to Site C.

2. End Users can access to the Internet at the moment. You can also have look at the public IP its mentioned above.

3.Users from Site B and Site C access to Oracle servers kept in Head office Site-A

4. Actually printer is installed at Site C its ip is 10.11.10.222/24 and we want to print it from Site B branch Hosts with 10.11.4.0/24 Network. Printer is of Oracle pikslip it runs on programming. we Have to create tunnel between site B and Site C so that. Users can print to Site C Printer.

Hello Lili,

I got your requiredment, I come back soon.

should let me know if you need anything else.

regards,

Hardi

Hello Hardi,

Nothing else. Thank you so much. You were very helful. It is just that am a starter I deal with this kind of problem before but not this serious. I appreciate your help.

Hello Hardi Issue solved. Thank you so much for your support.