Situation. 1 Hub, 2 Spokes (currently)
OSPF. Tunnels up. Routes showing ok.
All routers 1811. IOS 12.4 Adv IP Services.
All sites can ping all tunnel interfaces w/o issue.
LAN Traffic issues as follows:
Hub can ping spoke 1 node, but not spoke 2 node, trace shows traffic stopping at spoke 2 tunnel interface.
Spoke1 can get to HUBLAN, but now SPOKE2LAN. Trace shows Traffic gets to Spoke2 Tunnel Interface
Spoke2 can get to HUBLAN -AND- Spoke1LAN without any issue.
Checked NAT to ensure that SourceLAN-DestLAN is EXCLUDED for all site LANs (ie.: spoke1LAN-HUBLAN and spoke1LAN-Spoke2LAN at spoke1, etc)
If Spoke2 can get to both Hub and Spoke1, I can't figure out why neither the Hub, nor Spoke1 can get to it.
Its gotta be an ACL issue, I'm sure, but I don't see it.
ACLs at Spoke2:
ip access-list extended ACL-vlan1-out
remark Defines what traffic is allowed to leave the local LAN
remark Limits traffic to that coming from the assigned IP Range
permit icmp 192.168.100.0 0.0.0.255 any echo log-input
permit icmp 192.168.100.0 0.0.0.255 any echo-reply log-input
permit icmp 192.168.100.0 0.0.0.255 any traceroute
permit ip 192.168.100.0 0.0.0.255 any log-input
deny ip any any
ip access-list extended NAT-LIST
deny ip 192.168.100.0 0.0.0.255 172.16.1.0 0.0.0.255
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.100.0 0.0.3.255 any
!
interface Vlan1
description LEGACY LAN
ip address 192.168.100.1 255.255.255.0
ip access-group ACL-Vlan1-Out in
ip nat inside
ip virtual-reassembly
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.252.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication NHRP_KEY
ip nhrp map multicast 68.225.80.199
ip nhrp map 192.168.252.1 68.225.80.199
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 192.168.252.1
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
