routing through VPN

mljevakovic
Level 3

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a branch office with a 1721 router (192.168.0.1) and a central office with a 2611XM router (192.168.1.1). I also have another 2611XM router (192.168.1.101) at the central office. I implemented VPN between VPN clients and the central office and also between the branch office and the central office (192.168.1.1 router). CVPN clients can access the remote Intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101), but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config files from the 1721 and the 1st 2611XM. What do I have to do on my routers to access network 10.112.192.0/18? (Router 192.168.1.101 has a static route to 192.168.0.0 over 192.168.1.1. This router is not in my control. It makes another VPN to 10.112.192.0/18.)

--

Central Office

Current configuration : 2821 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
username xxxxx password 0 xxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth
!
crypto isakmp client configuration group xxxxxxxx
 key xxxxxxxx
 dns 192.168.1.100
 domain domain.net
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
 set peer REMOTE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address PUBLIC IP ADDRESS 255.255.255.252
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP ADDRESS
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty66
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
!
!
end

-------------------

Remote office

Current configuration : 1509 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721
!
logging queue-limit 100
enable password 7 xxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxx address CENTRAL OFFICE PUBLIC IP ADDRESS no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
 set peer CENTRAL OFFICE PUBLIC IP ADDRESS
 set transform-set myset1
 match address 115
!
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address PUBLIC IP ADDRESS 255.255.255.252
 no ip proxy-arp
 ip nat outside
 speed auto
 crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.112.192.0 255.255.192.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxx
 login
!
end


konigl
Level 7

It sounds like the next-hop router on the far (remote Intranet) side of the second 2611XM (192.168.1.101) needs a static route to your 192.168.0.0/24 via that 2611XM.

You said you can ping the second 2611XM (192.168.1.101) from 192.168.0.0/24 host addresses and you get a reply, so clearly that 2611XM knows how to find your branch office subnet. In fact, it knows how to reach your branch office subnet because of the static route that you said is on that router, which points to your first 2611XM as the next-hop.

The configurations on the routers under your control are fine. The problem is on one (or more?) routers at the remote Intranet site.

The remote Intranet (10.112.192.0/18) router(s) certainly know how to reach your 192.168.1.0/24 host addresses: they do it through the second 2611XM router (192.168.1.101), which is directly connected to your central office subnet.

So, either the remote Intranet routers do not have any route information telling them how to reach your branch office subnet; or, they have routes to that specific subnet that are pointing somewhere else, which would be the case if they already have somebody else using that IP subnet address.

I understand that those routers are outside of your control. You are going to have to ask whoever controls them to check whether they have a route in their tables for 192.168.0.0/24, and if yes, does it point to the second 2611XM at your central office. Ask them to ping a known working IP address on your branch office subnet.

It is also possible, if they have tight security on the remote Intranet routers, that access control lists are blocking pings (ICMP) or restricting other protocols (TCP, UDP) from untrusted subnets. Your branch office subnet might be falling into that category. Again, you will need to talk to them about it. But have them check the simple stuff in the previous paragraph first.

Hope this helps.

There are two situations: 1st: when I'm on the router 1721 (192.168.0.1) with Telnet I cannot ping from the router any host on LAN 192.168.1.0/24; also I cannot ping any host on LAN 192.168.0.0/24 from router 2611XM (192.168.1.1/24) when I'm on it with Telnet. At the same time any host from these two LANs can ping each other. Is this OK?

2nd: when I make a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18) I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem.

Is there any answer on this:

"There are two situations: 1st: when I'm on the router 1721 (192.168.0.1) with Telnet I cannot ping from the router any host on LAN 192.168.1.0/24; also I cannot ping any host on LAN 192.168.0.0/24 from router 2611XM (192.168.1.1/24) when I'm on it with Telnet. At the same time any host from these two LANs can ping each other. Is this OK?

2nd: when I make a traceroute from a host on LAN 192.168.0.0/24 to 10.112.206.30 (a host on 10.112.119.0/18) I get just one hop (192.168.0.1). I said last time that I can ping 192.168.1.101 without problem."

Answer:

1st - When you telnet to the router, are you using an extended ping? Try using an extended ping with a source address of 192.168.0.1 on the 1721. If you do not do this then you are sourcing from your PUBLIC ADDRESS.

2nd - The crypto map access-list on the Central Office router needs to have an entry allowing ip traffic from 192.168.1.0/24 to 10.112.119.0/18. You have it in access-list 115 on the 1721 but not on the 2611, so when the 10.112.119.0/18 hosts receive the ping they reply, but the 2611 cannot send it back through the tunnel. You also need to make sure that the 10.112.119.0/18 network has a route back to 192.168.0.0/24 pointing to 192.168.1.1.
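The mismatch described in the answer above (interesting traffic defined on the 1721 but not mirrored on the 2611XM) is easy to miss by eye once an ACL grows. The following check is an added example, not code from this thread or from Cisco: it parses the two crypto-map ACLs exactly as they appear in the posted configs (using the 10.112.192.0/18 range from the configs, not the 10.112.119.0/18 written in the question), converts IOS wildcard masks to prefixes, and reports every peer entry that the local side does not mirror, printing the IOS line that would close the gap. The function and variable names (check_pair, CENTRAL_ACL_115, REMOTE_ACL_115) are my own; it also handles the any and host forms, which the posted ACLs do not use.

```python
import ipaddress
from typing import List, Optional, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed input: the crypto-map ACLs copied from the two configs in
# this thread (access-list 115 on the 2611XM and on the 1721).
CENTRAL_ACL_115 = """
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

REMOTE_ACL_115 = """
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    An IOS wildcard mask is the bitwise inverse of a subnet mask, so invert
    it and let ipaddress derive the prefix length from the netmask.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ACE address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Optional[Tuple[str, Pair]]:
    """Parse 'access-list N permit|deny ip SRC DST'; None for anything else."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        return None
    try:
        src, rest = parse_address(tokens[4:])
        dst, _ = parse_address(rest)
    except (IndexError, ValueError):
        return None  # malformed or non-IP ACE; not a crypto-map entry we can mirror
    return tokens[2], (src, dst)


def crypto_permits(acl_text: str) -> List[Pair]:
    """Return the (src, dst) pairs the crypto ACL marks as interesting traffic."""
    pairs: List[Pair] = []
    for line in acl_text.splitlines():
        parsed = parse_ace(line.strip())
        if parsed and parsed[0] == "permit":
            pairs.append(parsed[1])
    return pairs


def missing_mirrors(local: List[Pair], peer: List[Pair]) -> List[Pair]:
    """Peer permits (src, dst) for which the local ACL has no (dst, src) entry."""
    local_set = {(str(s), str(d)) for s, d in local}
    return [(s, d) for s, d in peer if (str(d), str(s)) not in local_set]


def mirror_ace(number: int, peer_pair: Pair) -> str:
    """Render the IOS line that mirrors a peer entry on the local side."""
    src, dst = peer_pair
    # hostmask is the wildcard form IOS expects in a numbered ACL
    return (f"access-list {number} permit ip "
            f"{dst.network_address} {dst.hostmask} "
            f"{src.network_address} {src.hostmask}")


def check_pair(local_text: str, peer_text: str, number: int = 115) -> List[str]:
    """Return the ACEs the local crypto ACL lacks, as ready-to-paste IOS lines."""
    local = crypto_permits(local_text)
    peer = crypto_permits(peer_text)
    return [mirror_ace(number, p) for p in missing_mirrors(local, peer)]


if __name__ == "__main__":
    sides = (("central 2611XM", CENTRAL_ACL_115, REMOTE_ACL_115),
             ("remote 1721", REMOTE_ACL_115, CENTRAL_ACL_115))
    for name, local, peer in sides:
        gaps = check_pair(local, peer)
        print(f"{name}: {'no gaps' if not gaps else f'{len(gaps)} missing mirror entries'}")
        for line in gaps:
            print("  " + line)
```

Run against the posted ACLs it reports no gap on the 1721 and one gap on the 2611XM, the 10.112.192.0/18 to 192.168.0.0/24 entry. The comparison is strict (exact mirror); IOS will also accept a peer entry that falls inside a broader local entry, so treat a reported line as something to review rather than an automatic fault. It also says nothing about the return route on the 10.112.192.0/18 side, which the answer above rightly lists as the second thing to verify.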
