--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a branch office with a 1721 router (192.168.0.1) and a central office with a 2611XM router (192.168.1.1). I also have another 2611XM router (192.168.1.101) at the central office. I implemented a VPN between VPN clients and the central office, and also between the branch office and the central office (the 192.168.1.1 router). CVPN clients can access the remote Intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101), but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config files from the 1721 and the 1st 2611XM. What do I have to do on my routers to access network 10.112.192.0/18? (Router 192.168.1.101 has a static route to 192.168.0.0 over 192.168.1.1. This router is not under my control. It makes another VPN to 10.112.192.0/18.)
Current configuration : 2821 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
username xxxxx password 0 xxxxxxxx
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
crypto isakmp policy 5
crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth
It sounds like the next-hop router on the far (remote Intranet) side of the second 2611XM (192.168.1.101) needs a static route to your 192.168.0.0/24 via that 2611XM.
You said you can ping the second 2611XM (192.168.1.101) from 192.168.0.0/24 host addresses and you get a reply, so clearly that 2611XM knows how to find your branch office subnet. In fact, it knows how to reach your branch office subnet because of the static route that you said is on that router, which points to your first 2611XM as the next-hop.
The configurations on the routers under your control are fine. The problem is on one (or more?) routers at the remote Intranet site.
The remote Intranet (10.112.192.0/18) router(s) certainly know how to reach your 192.168.1.0/24 host addresses: they do it through the second 2611XM router (192.168.1.101), which is directly connected to your central office subnet.
So, either the remote Intranet routers do not have any route information telling them how to reach your branch office subnet; or, they have routes to that specific subnet that are pointing somewhere else, which would be the case if they already have somebody else using that IP subnet address.
I understand that those routers are outside of your control. You are going to have to ask whoever controls them to check whether they have a route in their tables for 192.168.0.0/24, and if yes, does it point to the second 2611XM at your central office. Ask them to ping a known working IP address on your branch office subnet.
It is also possible that if they have tight security on the remote Intranet routers, that access control lists may be blocking pings (ICMP) or restricting other protocols (TCP, UDP) from untrusted subnets. Your branch office subnet might be falling into that category. Again, you will need to talk to them about it. But have them check the simple stuff in the previous paragraph first.
There are two situations: 1st: when I'm on the 1721 router (192.168.0.1) via Telnet I cannot ping any host on LAN 192.168.1.0/24 from the router, and I also cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm telnetted to it. At the same time, any host on these two LANs can ping each other. Is this OK?
2nd: when I run a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18) I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem.
"There are two situations: 1st: when I'm on the 1721 router (192.168.0.1) via Telnet I cannot ping any host on LAN 192.168.1.0/24 from the router, and I also cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm telnetted to it. At the same time, any host on these two LANs can ping each other. Is this OK?
2nd: when I run a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18) I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem."
1st - When you telnet to the router, are you using an extended ping? Try using an extended ping with a source address of 192.168.0.1 on the 1721. If you do not do this, you are sourcing from your PUBLIC ADDRESS.
2nd - The crypto map access-list on the Central Office router needs to have an entry allowing IP traffic from 192.168.1.0/24 to 10.112.119.0/18. You have it in access-list 115 on the 1721 but not on the 2611, so when the 10.112.119.0/18 hosts receive the ping they reply, but the 2611 cannot send it back through the tunnel. You also need to make sure that the 10.112.119.0/18 network has a route back to 192.168.0.0/24 pointing to 192.168.1.1.
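The two replies above make three separate points: the crypto map ACLs on both tunnel endpoints must be exact mirrors of each other, the far side needs a return route for 192.168.0.0/24, and a ping issued from the router itself must be sourced from the LAN address so that it matches the crypto ACL. The following IOS configuration fragment puts those points together. It is an added example and not configuration from the original thread; it uses the 10.112.192.0/18 prefix given in the first post. The ACL number 116, the 1721 ACL 115 contents, and the route on the 2611XM are assumptions, and the line for 192.168.1.101 is only what the owner of that router would need, since it is outside the poster's control.

```cisco
! Added example (not from the original thread). Assumed: ACL 115 is the crypto
! map ACL on the 1721; ACL 116 is the crypto map ACL on the 2611XM (192.168.1.1).
! 10.112.192.0/18 = mask 255.255.192.0 = wildcard 0.0.63.255
!
! --- Branch 1721 (192.168.0.1): interesting traffic to the central LAN and to
!     the remote Intranet. Both destinations must be listed.
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
!
! --- Central 2611XM (192.168.1.1): the crypto ACL must be the exact mirror of
!     ACL 115. Without the second line, replies from 10.112.192.0/18 reach
!     192.168.1.1 but do not match the tunnel and are not encrypted back to
!     the branch.
access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 116 permit ip 10.112.192.0 0.0.63.255 192.168.0.0 0.0.0.255
!
! --- Central 2611XM: decrypted branch traffic for 10.112.192.0/18 must be
!     handed to the second 2611XM (192.168.1.101), which owns the VPN to that
!     network. Add this only if no such route (or default) already exists.
ip route 10.112.192.0 255.255.192.0 192.168.1.101
!
! --- On 192.168.1.101 (not under the poster's control), the owner needs a
!     return route for the branch subnet, and the 10.112.192.0/18 side needs
!     a route for 192.168.0.0/24 pointing back at 192.168.1.101:
! ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
! --- Verification from the 1721: source the ping from the LAN address so the
!     packet matches ACL 115 instead of leaving from the public interface.
! Router# ping 10.112.192.1 source 192.168.0.1
! Router# show crypto ipsec sa
!     (check the "local ident"/"remote ident" pair for 192.168.0.0/24 <->
!      10.112.192.0/18 and that both "pkts encaps" and "pkts decaps" increase)
! Router# show ip route 10.112.192.0
```

The quickest way to see which of the three points is the actual problem is to compare the encaps and decaps counters on both routers after a sourced ping: encaps rising on the 1721 with no decaps on the 2611XM points at the crypto ACL mismatch, while matching encaps and decaps on the 2611XM with no replies points at the missing return route on the 192.168.1.101 side.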