09-02-2003 12:21 PM - edited 03-02-2019 10:02 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a branch office with a 1721 router (192.168.0.1) and a central office with a 2611XM router (192.168.1.1). I also have another 2611XM router (192.168.1.101) in the central office. I implemented a VPN between VPN clients and the central office, and also between the branch office and the central office (the 192.168.1.1 router). The CVPN clients can access the remote Intranet (10.112.192.0/18) through the second 2611XM router (192.168.1.101), but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config files, from the 1721 and the 1st 2611XM. What do I have to do on my routers to access network 10.112.192.0/18? (Router 192.168.1.101 has a static route to 192.168.0.0 via 192.168.1.1. This router is not under my control. It makes another VPN to 10.112.192.0/18.)
--
Central Office
Current configuration : 2821 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
username xxxxx password 0 xxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth
!
crypto isakmp client configuration group xxxxxxxx
key xxxxxxxx
dns 192.168.1.100
domain domain.net
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer REMOTE PUBLIC IP ADDRESS
set transform-set myset1
match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address PUBLIC IP ADDRESS 255.255.255.252
ip nat outside
no ip mroute-cache
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP ADDRESS
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty66
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxx
!
!
end
-------------------
Remote office
Current configuration : 1509 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721
!
logging queue-limit 100
enable password 7 xxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxxxx address CENTRAL OFFICE PUBLIC IP ADDRESS no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
set peer CENTRAL OFFICE PUBLIC IP ADDRESS
set transform-set myset1
match address 115
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
half-duplex
!
interface FastEthernet0
ip address PUBLIC IP ADDRESS 255.255.255.252
no ip proxy-arp
ip nat outside
speed auto
crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.112.192.0 255.255.192.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
password 7 xxxxxx
login
!
end
09-03-2003 06:25 AM
It sounds like the next-hop router on the far (remote Intranet) side of the second 2611XM (192.168.1.101) needs a static route to your 192.168.0.0/24 via that 2611XM.
You said you can ping the second 2611XM (192.168.1.101) from 192.168.0.0/24 host addresses and you get a reply, so clearly that 2611XM knows how to find your branch office subnet. In fact, it knows how to reach your branch office subnet because of the static route that you said is on that router, which points to your first 2611XM as the next-hop.
The configurations on the routers under your control are fine. The problem is on one (or more?) routers at the remote Intranet site.
The remote Intranet (10.112.192.0/18) router(s) certainly know how to reach your 192.168.1.0/24 host addresses: they do it through the second 2611XM router (192.168.1.101), which is directly connected to your central office subnet.
So, either the remote Intranet routers do not have any route information telling them how to reach your branch office subnet; or, they have routes to that specific subnet that are pointing somewhere else, which would be the case if they already have somebody else using that IP subnet address.
I understand that those routers are outside of your control. You are going to have to ask whoever controls them to check whether they have a route in their tables for 192.168.0.0/24, and if yes, does it point to the second 2611XM at your central office. Ask them to ping a known working IP address on your branch office subnet.
It is also possible that if they have tight security on the remote Intranet routers, that access control lists may be blocking pings (ICMP) or restricting other protocols (TCP, UDP) from untrusted subnets. Your branch office subnet might be falling into that category. Again, you will need to talk to them about it. But have them check the simple stuff in the previous paragraph first.
Hope this helps.
09-04-2003 08:24 AM
There are two situations. 1st: when I'm on the 1721 router (192.168.0.1) via Telnet, I cannot ping any host on LAN 192.168.1.0/24 from the router; also, I cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm on it via Telnet. At the same time, any host on these two LANs can ping each other. Is this OK?
2nd: when I do a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18), I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem.
09-09-2003 09:14 AM
Is there any answer on this:
"There are two situations. 1st: when I'm on the 1721 router (192.168.0.1) via Telnet, I cannot ping any host on LAN 192.168.1.0/24 from the router; also, I cannot ping any host on LAN 192.168.0.0/24 from the 2611XM router (192.168.1.1/24) when I'm on it via Telnet. At the same time, any host on these two LANs can ping each other. Is this OK?
2nd: when I do a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18), I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem."
09-09-2003 01:32 PM
Answer:
1st - When you telnet to the router, are you using an extended ping? Try using an extended ping with a source address of 192.168.0.1 on the 1721. If you do not do this, then you are sourcing from your PUBLIC ADDRESS.
2nd - The crypto map access-list on the Central Office router needs to have an entry allowing IP traffic from 192.168.1.0/24 to 10.112.119.0/18. You have it in access-list 115 on the 1721 but not on the 2611, so when the 10.112.119.0/18 hosts receive the ping they reply, but the 2611 cannot send it back through the tunnel. You also need to make sure that the 10.112.119.0/18 network has a route back to 192.168.0.0/24 pointing to 192.168.1.1.
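The two points in the answer above (the extended ping sourced from the LAN address, and the missing crypto ACL entry on the central-office 2611XM) as an added worked example; this is not configuration from the thread or from either router's posted config. Two things are assumed here: the remote Intranet is the 10.112.192.0/18 block given in the original question (the 10.112.119.0/18 written later in the thread does not contain 10.112.206.30), and the crypto ACL on each IPsec peer must be the exact mirror image of the other's, which is what IOS requires for a site-to-site proxy identity to be accepted. The 1721 already has `access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255`, so the entry the 2611XM needs is the reverse direction, not a 192.168.1.0/24 entry. The placeholder peer addresses are the thread's own placeholders.

```cisco
! ---- Central-office 2611XM (192.168.1.1): mirror the 1721's crypto ACL ----
! Without this line, traffic from 10.112.192.0/18 to 192.168.0.0/24 that arrives
! on Fa0/0 from 192.168.1.101 follows the default route out Fa0/1 in clear text
! (it is not NATed either, because ACL 101 only matches 192.168.1.0/24 sources).
access-list 115 permit ip 10.112.192.0 0.0.63.255 192.168.0.0 0.0.0.255
!
! Drop the existing SA to the branch so the new proxy identities are renegotiated.
clear crypto sa peer REMOTE PUBLIC IP ADDRESS
!
! ---- Branch 1721 (192.168.0.1): test from the router itself ----
! A plain "ping 10.112.206.30" is sourced from the outgoing interface (the public
! address), which matches no crypto ACL entry and so never enters the tunnel.
! Use the interactive extended ping and answer the prompts as shown:
!   Router# ping
!   Protocol [ip]:
!   Target IP address: 10.112.206.30
!   Repeat count [5]:
!   Datagram size [100]:
!   Timeout in seconds [2]:
!   Extended commands [n]: y
!   Source address or interface: 192.168.0.1
!   ...accept the remaining defaults...
!
! ---- Verify on either peer ----
! Phase 1: expect state QM_IDLE for the peer.
show crypto isakmp sa
! Phase 2: expect a "local ident / remote ident" pair of
! 192.168.0.0/255.255.255.0 <-> 10.112.192.0/255.255.192.0 with both
! #pkts encaps and #pkts decaps incrementing after the extended ping.
show crypto ipsec sa peer CENTRAL OFFICE PUBLIC IP ADDRESS
```

If the branch-side `show crypto ipsec sa` never shows the 10.112.192.0/18 identity, the negotiation is being rejected by the central router (mismatched proxy identities), which is also why the traceroute in the thread stops at 192.168.0.1: the 1721 drops the packets while the SA fails to come up. The route-back check on the remote Intranet side still applies once the SA exists. Separately, the posted tunnel uses esp-des/esp-md5-hmac with IKE DH group 1 and MD5; those are legacy choices and a current deployment would use esp-aes/esp-sha-hmac with a stronger DH group.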