12-24-2003 09:46 AM - edited 03-09-2019 05:58 AM
I have more than three sites in a VPN network: central office SITE A, remote offices SITE B, SITE C, SITE D, and remote dial-up users with CVPC. I can establish a VPN between SITE B, C, D and SITE A. I can ping all private networks on SITE B, C, D from SITE A. I also have to ping from Site B networks to the site C and D networks, but I CANNOT do it. I put in static routes and access-lists, but it doesn't work.
Also, remote clients can connect to site B by CVPC, but they cannot connect to site A.
Here are my config files from site A, B, C. Please give me any kind of help on what I have to do or where my mistake is.
SITE A#
username xxxx privilege 15 password 0 xxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE C no-xauth
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE D no-xauth
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE B no-xauth
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE E no-xauth
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp client configuration group xxxxxx
key xxxx
dns 192.168.1.100
domain domain.com
pool ippool
crypto isakmp profile VPNclient
description VPN clients profile
match identity group xxxxxx
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set myset4 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
!
crypto dynamic-map rtpmap 11
set transform-set rtpset
match address 118
!
!
crypto map clientmap 5 ipsec-isakmp
set peer PUBLIC ADDRESS SITE C
set transform-set myset1
match address 115
crypto map clientmap 6 ipsec-isakmp
set peer PUBLIC ADDRESS SITE D
set transform-set myset2
match address 116
crypto map clientmap 7 ipsec-isakmp
set peer PUBLIC ADDRESS SITE B
set transform-set myset3
match address 117
crypto map clientmap 8 ipsec-isakmp
set peer PUBLIC ADDRESS SITE E
set transform-set myset4
match address 119
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 11 ipsec-isakmp dynamic rtpmap
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip unreachables
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address PUBLIC ADDRESS SITE A 255.255.255.252
no ip unreachables
ip nat outside
no ip mroute-cache
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 192.168.200.1 192.168.200.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 DEFAULT GATEWAY SITE A
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip route 192.168.0.0 255.255.255.0 PUBLIC ADDRESS SITE C
ip route 192.168.10.0 255.255.255.0 PUBLIC ADDRESS SITE D
ip route 192.168.13.0 255.255.255.0 FastEthernet0/1
ip route 192.168.14.0 255.255.255.0 PUBLIC ADDRESS SITE E
ip route 193.77.75.0 255.255.255.0 PUBLIC ADDRESS SITE B
!
!
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=20
access-list 115 permit ip 10.112.192.0 0.0.31.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 116 permit ip 10.112.192.0 0.0.31.255 192.168.10.0 0.0.0.255
access-list 117 permit ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 118 remark SDM_ACL Category=20
access-list 118 permit ip 10.112.192.0 0.0.31.255 192.168.13.0 0.0.0.255
access-list 118 permit ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 119 permit ip 10.112.192.0 0.0.31.255 192.168.14.0 0.0.0.255
access-list 119 permit ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
match ip address 101
!
end
-----------------
SITE B#
username xxxxx privilege 15 password xxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE A
!
crypto isakmp client configuration group xxxxx
key xxxxx
dns 11.11.11.11
pool ipadrese
crypto isakmp profile VPNclient
description VPN clients profile
match identity group 1721client
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 5
set transform-set myset3
set isakmp-profile VPNclient
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to SITE A
set peer PUBLIC ADDRESS SITE A
set transform-set myset3
match address 101
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
speed auto
no cdp enable
!
interface Serial0
ip address PUBLIC ADDRESS SITE B 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
no cdp enable
crypto map SDM_CMAP_1
!
ip local pool ipadrese 192.168.220.1 192.168.220.254
ip nat inside source route-map SDM_RMAP_1 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 DEFAULT GATEWAY SITE B
ip route 10.112.192.0 255.255.224.0 192.168.1.101
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.13.0 255.255.255.0 192.168.1.1
ip route 192.168.14.0 255.255.255.0 192.168.1.1
ip route 192.168.220.0 255.255.255.0 Serial0
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended ios_web_exec
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip x.x.x.x 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip x.x.x.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 deny ip x.x.x.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 100 permit ip x.x.x.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 192.168.14.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
end
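In a crypto-map hub-and-spoke design the spoke-to-spoke traffic hairpins on the hub, so it is only encrypted if every leg is declared: on site A the crypto map entry for site C must permit B's network to C's network and the entry for site B must permit C's network to B's, and on site B the crypto ACL to the hub must permit B's LAN to C's network while the NAT route-map ACL denies (exempts) the same traffic. The script below is an added example written for this page, not code from the original post or from Cisco; it parses `access-list` and `crypto map` lines in the form posted above and reports which of those entries are missing for the spoke pairs the question asks about (B to C and B to D). Its input is an abridged copy of the two posted configs; it keeps the `PUBLIC ADDRESS SITE ...` placeholders as peer labels and assumes that site B's LAN, redacted as `x.x.x.0` in the site B config, is 193.77.75.0/24, the network site A's routes and ACLs use for site B.

```python
"""Mirror check for spoke-to-spoke entries in an IOS crypto-map hub-and-spoke design.
Hub rule: for spokes P and Q to talk via the hub, the hub ACL for peer P must permit
(Q net -> P net) and the ACL for peer Q must permit (P net -> Q net). Spoke rule: the
spoke's crypto ACL must permit (local -> other spoke net) and its NAT ACL must deny it.
Input is an abridged copy of the posted site A/B configs; site B's LAN (x.x.x.0 in its
config) is ASSUMED to be 193.77.75.0/24, the network site A's routes and ACLs use for B."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")
STATIC_MAP_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+ipsec-isakmp\s*$")

HUB_CFG = """
crypto map clientmap 5 ipsec-isakmp
 set peer PUBLIC ADDRESS SITE C
 match address 115
crypto map clientmap 6 ipsec-isakmp
 set peer PUBLIC ADDRESS SITE D
 match address 116
crypto map clientmap 7 ipsec-isakmp
 set peer PUBLIC ADDRESS SITE B
 match address 117
access-list 115 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 117 permit ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
"""
SPOKE_B_CFG = """
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 193.77.75.0 0.0.0.255 any
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
REQUIRED_PAIRS = [("PUBLIC ADDRESS SITE B", "PUBLIC ADDRESS SITE C"),
                  ("PUBLIC ADDRESS SITE B", "PUBLIC ADDRESS SITE D")]


def _net(tokens):
    """Consume one ACL address spec ('any' or 'ADDR WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    netmask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acls(cfg):
    """{acl_number: [(action, src_net, dst_net), ...]} in configured (first-match) order."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = _net(m.group(3).split())
            dst, _ = _net(rest)
            acls[m.group(1)].append((m.group(2), src, dst))
    return acls


def parse_crypto_map(cfg):
    """{peer_label: acl_number} for static crypto-map entries (dynamic entries carry no peer)."""
    peers, entry = {}, None
    for s in map(str.strip, cfg.splitlines()):
        if s.startswith("crypto"):                  # any top-level crypto line ends the entry
            entry = {} if STATIC_MAP_RE.match(s) else None
        elif entry is not None and s.startswith("set peer "):
            entry["peer"] = s[9:]
        elif entry is not None and s.startswith("match address "):
            peers[entry["peer"]] = s.split()[-1]
    return peers


def permits(entries, src, dst):
    """First-match semantics: True only if a permit covers (src, dst) before a deny or the implicit deny."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False


def check_hub(cfg, required_pairs):
    """Missing hub crypto-ACL entries as (acl, src, dst) for each required spoke pair."""
    acls, peer_acl = parse_acls(cfg), parse_crypto_map(cfg)
    behind = {p: {d for _, _, d in acls[a]} for p, a in peer_acl.items()}  # nets behind each peer
    missing = []
    for p, q in required_pairs:
        for n_p in behind[p]:
            for n_q in behind[q]:
                if not permits(acls[peer_acl[p]], n_q, n_p):
                    missing.append((peer_acl[p], str(n_q), str(n_p)))
                if not permits(acls[peer_acl[q]], n_p, n_q):
                    missing.append((peer_acl[q], str(n_p), str(n_q)))
    return missing


def check_spoke(cfg, crypto_acl, nat_acl, local, remote_nets):
    """('crypto', net) if the spoke's crypto ACL misses it; ('nat-not-exempt', net) if NAT would still apply."""
    acls, local = parse_acls(cfg), ipaddress.ip_network(local)
    problems = []
    for r in map(ipaddress.ip_network, remote_nets):
        if not permits(acls[crypto_acl], local, r):
            problems.append(("crypto", str(r)))
        if permits(acls[nat_acl], local, r):
            problems.append(("nat-not-exempt", str(r)))
    return problems


if __name__ == "__main__":
    print("hub (site A) missing:", check_hub(HUB_CFG, REQUIRED_PAIRS))
    print("spoke (site B):", check_spoke(SPOKE_B_CFG, "101", "100", "193.77.75.0/24",
                                          ["192.168.0.0/24", "192.168.10.0/24"]))
```

Against the posted entries the B to C pair is mirrored on the hub (ACL 115 and ACL 117 both carry it), while for B to D the script reports ACL 117 without 192.168.10.0/24 to 193.77.75.0/24 and ACL 116 without 193.77.75.0/24 to 192.168.10.0/24, and on site B both the crypto ACL 101 and the NAT-exemption ACL 100 lack 192.168.10.0/24. The site C and D configs are not posted, so their crypto ACLs and NAT exemptions need the same check with the hub's B network as the remote; the matching ACL 101 on site A should also be compared, since its deny lines only cover site A's own LAN.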
12-30-2003 12:26 PM
I just glanced through a couple of commands and they look correct, but you can check the IP addresses as well as the access-lists.
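Independently of the reachability problem, the site A crypto section has settings a security reviewer would flag: ISAKMP policies 1 and 5 set only `hash md5` and `authentication pre-share`, so they fall back to the classic IOS defaults of DES encryption and DH group 1; most transform sets use `esp-des esp-md5-hmac`; and `crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0 no-xauth` is a wildcard pre-shared key, so any peer on the Internet that learns the key can bring up an ISAKMP SA, and with `no-xauth` it is never asked for user credentials. The linter below is an added example written for this page, not code from the original post or from Cisco; it runs over a constructed copy of the site A crypto section, fills in the classic IOS policy defaults (des, sha, group 1, rsa-sig) for whatever a policy leaves unset, and lists the weak or risky items. Whether the wildcard key also gets in the way of the client profile on site A is best checked on the router itself with `debug crypto isakmp` while a client connects; the script does not claim that.

```python
"""Lint the posted ISAKMP/IPsec settings for weak or risky choices.
Checks: ISAKMP policies that end up with DES, MD5 or DH group 1 (classic IOS defaults
when encr/hash/group are not set are des, sha, group 1, rsa-sig); transform sets built
on esp-des or esp-md5-hmac; and wildcard pre-shared keys ('address 0.0.0.0 0.0.0.0'),
rated critical together with 'no-xauth' because any peer that knows the key then
skips user authentication. Input is a constructed copy of the site A crypto section."""
import re

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(?: (\S+))?(.*)$")
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

SITE_A_CRYPTO = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxx address PUBLIC ADDRESS SITE C no-xauth
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
 mode transport
"""


def parse_isakmp_policies(cfg):
    """{priority: settings} with IOS defaults filled in for anything the policy leaves unset."""
    policies, cur = {}, None
    for s in map(str.strip, cfg.splitlines()):
        m = POLICY_RE.match(s)
        if m:
            cur = policies[m.group(1)] = dict(IOS_POLICY_DEFAULTS)
        elif s.startswith("crypto ") or s == "!":
            cur = None                      # any other top-level line closes the policy block
        elif cur is not None:
            key, _, value = s.partition(" ")
            if key in cur:
                cur[key] = value
    return policies


def lint(cfg):
    """List of (severity, subject, message) findings: policies first, then in line order."""
    findings = []
    for prio, p in parse_isakmp_policies(cfg).items():
        weak = [k for k, bad in (("encr", "des"), ("hash", "md5"), ("group", "1")) if p[k] == bad]
        if weak:
            findings.append(("warn", f"isakmp policy {prio}",
                             "weak " + ", ".join(f"{k}={p[k]}" for k in weak)))
    for s in map(str.strip, cfg.splitlines()):
        m = TS_RE.match(s)
        if m:
            bad = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
            if bad:
                findings.append(("warn", f"transform-set {m.group(1)}", "weak " + " ".join(bad)))
        m = KEY_RE.match(s)
        if m and (m.group(1), m.group(2)) == ("0.0.0.0", "0.0.0.0"):
            no_xauth = "no-xauth" in m.group(3)
            findings.append(("crit" if no_xauth else "warn", "isakmp key address 0.0.0.0 0.0.0.0",
                             "wildcard PSK" + (" with no-xauth" if no_xauth else "")))
    return findings


if __name__ == "__main__":
    for sev, subject, msg in lint(SITE_A_CRYPTO):
        print(f"[{sev}] {subject}: {msg}")
```

On the sample it reports policies 1 and 5 (DES, MD5, group 1), the wildcard key as critical, and the two `esp-des esp-md5-hmac` transform sets, while policy 3 (3DES, SHA, group 2) and `myset` pass. The same parser runs unchanged over the full `show running-config` output of each router.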