Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
203
Views
0
Helpful
1
Replies

HELP ROUTING

mljevakovic
Level 3
Level 3

‎12-24-2003 09:46 AM - edited ‎03-09-2019 05:58 AM

I have more than three sites in VPN network: Central office SITE A, remote offices SITE B, SITE C, SITE D and remote dialup users with CVPC. I can establish VPN between SITE B,C,D and SITE A. I can ping from SITE A all private network on SITE B,C,D.Also I have to ping from Site B networks on site C,D but I CANNOT do it. I put static routes, access-lists but it doesn't work.

Also remote clients can connect to site B by CVPC but they cannot connect to site A.

Here are my config files from site A,B,C. Please, give me any kind of help what I have to do or where is my mistake?

SITE A#

username xxxx privilege 15 password 0 xxxxx

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE C no-xauth

crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE D no-xauth

crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE B no-xauth

crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE E no-xauth

crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0 no-xauth

!

crypto isakmp client configuration group xxxxxx

key xxxx

dns 192.168.1.100

domain domain.com

pool ippool

crypto isakmp profile VPNclient

description VPN clients profile

match identity group xxxxxx

client authentication list userauthen

isakmp authorization list groupauthor

client configuration address respond

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec transform-set myset1 esp-des esp-md5-hmac

crypto ipsec transform-set myset2 esp-des esp-md5-hmac

mode transport

crypto ipsec transform-set myset3 esp-des esp-md5-hmac

mode transport

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

crypto ipsec transform-set myset4 esp-des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

set isakmp-profile VPNclient

!

crypto dynamic-map rtpmap 11

set transform-set rtpset

match address 118

!

!

crypto map clientmap 5 ipsec-isakmp

set peer PUBLIC ADDRESS SITE C

set transform-set myset1

match address 115

crypto map clientmap 6 ipsec-isakmp

set peer PUBLIC ADDRESS SITE D

set transform-set myset2

match address 116

crypto map clientmap 7 ipsec-isakmp

set peer PUBLIC ADDRESS SITE B

set transform-set myset3

match address 117

crypto map clientmap 8 ipsec-isakmp

set peer PUBLIC ADDRESS SITE E

set transform-set myset4

match address 119

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

crypto map clientmap 11 ipsec-isakmp dynamic rtpmap

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0/0

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip unreachables

ip nat inside

no ip mroute-cache

speed auto

half-duplex

!

interface FastEthernet0/1

description $FW_OUTSIDE$

ip address PUBLIC ADDRESS SITE A 255.255.255.252

no ip unreachables

ip nat outside

no ip mroute-cache

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 192.168.200.1 192.168.200.254

ip nat inside source route-map nonat interface FastEthernet0/1 overload

ip http server

ip http authentication local

ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 DEFAULT GATEWAY SITE A

ip route 10.112.192.0 255.255.192.0 192.168.1.101

ip route 192.168.0.0 255.255.255.0 PUBLIC ADDRESS SITE C

ip route 192.168.10.0 255.255.255.0 PUBLIC ADDRESS SITE D

ip route 192.168.13.0 255.255.255.0 FastEthernet0/1

ip route 192.168.14.0 255.255.255.0 PUBLIC ADDRESS SITE E

ip route 193.77.75.0 255.255.255.0 PUBLIC ADDRESS SITE B

!

!

access-list 101 remark SDM_ACL Category=18

access-list 101 deny ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 115 remark SDM_ACL Category=20

access-list 115 permit ip 10.112.192.0 0.0.31.255 192.168.0.0 0.0.0.255

access-list 115 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 116 permit ip 10.112.192.0 0.0.31.255 192.168.10.0 0.0.0.255

access-list 117 permit ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255

access-list 117 permit ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255

access-list 117 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255

access-list 118 remark SDM_ACL Category=20

access-list 118 permit ip 10.112.192.0 0.0.31.255 192.168.13.0 0.0.0.255

access-list 118 permit ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255

access-list 119 permit ip 10.112.192.0 0.0.31.255 192.168.14.0 0.0.0.255

access-list 119 permit ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255

no cdp run

!

route-map nonat permit 10

match ip address 101

!

end

-----------------

SITE B#

username xxxxx privilege 15 password xxxxx

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

no ip source-route

!

!

crypto isakmp policy 5

hash md5

authentication pre-share

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE A

!

crypto isakmp client configuration group xxxxx

key xxxxx

dns 11.11.11.11

pool ipadrese

crypto isakmp profile VPNclient

description VPN clients profile

match identity group 1721client

client authentication list userauthen

isakmp authorization list groupauthor

client configuration address respond

!

!

crypto ipsec transform-set myset3 esp-des esp-md5-hmac

mode transport

!

crypto dynamic-map dynmap 5

set transform-set myset3

set isakmp-profile VPNclient

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to SITE A

set peer PUBLIC ADDRESS SITE A

set transform-set myset3

match address 101

crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap

!

!

interface FastEthernet0

description $FW_INSIDE$$ETH-LAN$

ip address x.x.x.x 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

speed auto

no cdp enable

!

interface Serial0

ip address PUBLIC ADDRESS SITE B 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

no cdp enable

crypto map SDM_CMAP_1

!

ip local pool ipadrese 192.168.220.1 192.168.220.254

ip nat inside source route-map SDM_RMAP_1 interface Serial0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 DEFAULT GATEWAY SITE B

ip route 10.112.192.0 255.255.224.0 192.168.1.101

ip route 192.168.0.0 255.255.255.0 192.168.1.1

ip route 192.168.13.0 255.255.255.0 192.168.1.1

ip route 192.168.14.0 255.255.255.0 192.168.1.1

ip route 192.168.220.0 255.255.255.0 Serial0

ip http server

ip http authentication local

ip http secure-server

!

!

!

ip access-list extended ios_web_exec

logging trap debugging

access-list 100 remark SDM_ACL Category=2

access-list 100 remark IPSec Rule

access-list 100 deny ip x.x.x.x 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 deny ip x.x.x.0 0.0.0.255 10.112.192.0 0.0.31.255

access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.14.0 0.0.0.255

access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.220.0 0.0.0.255

access-list 100 permit ip x.x.x.0 0.0.0.255 any

access-list 101 remark SDM_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip x.x.x.0 0.0.0.255 10.112.192.0 0.0.31.255

access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.13.0 0.0.0.255

access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.14.0 0.0.0.255

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 100

!

end

Labels:
0 Helpful
1 Reply 1

umedryk
Level 5
Level 5

‎12-30-2003 12:26 PM

I just glanced through a couple of command and they look correct, but you can check the IP addressess as well as access-lists.

0 Helpful
Customers Also Viewed These Support Documents