Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

routing over VPN

I have a branch office with 1721 router (192.168.0.1) and a central office with 2611XM router (192.168.1.1). Also I have another 2611XM router (192.168.1.101) on the central office. I implemented VPN between VPN clients and the central office and also between the branch office and central office (192.168.1.1 router). CVPN clients can access remote Intranet (10.112.192.0/18) over the second 2611XM router (192.168.1.101) but clients from the branch office (192.168.0.0) cannot. Clients from 192.168.0.0/24 can ping 192.168.1.101 but cannot ping 10.112.192.0/18. Here are my two config file from the 1721 & 1st 2611XM. What do I have to do on my routers to access network 10.112.192.0/18. (Routers 192.168.1.101 has static route to 192.168.0.0 over 192.168.1.1. This router is not in my control. It makes another VPN to 10.112.192.0/18)

--

Central Office

Current configuration : 2821 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Cisco2611XM

!

enable secret xxxxx

enable password xxxxxxxx

!

username xxxxx password 0 xxxxxxxx

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key xxxxxxx address REMOTE PUBLIC IP ADDRESS no-xauth

!

crypto isakmp client configuration group xxxxxxxx

key xxxxxxxx

dns 192.168.1.100

domain domain.net

pool ippool

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec transform-set myset1 esp-des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 5 ipsec-isakmp

set peer REMOTE PUBLIC IP ADDRESS

set transform-set myset1

match address 115

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

mta receive maximum-recipients 0

!

!

!

!

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

ip nat inside

no ip mroute-cache

speed auto

half-duplex

!

interface FastEthernet0/1

ip address PUBLIC IP ADDRESS 255.255.255.252

ip nat outside

no ip mroute-cache

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 10.1.1.100 10.1.1.200

ip nat inside source route-map nonat interface FastEthernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP ADDRESS

ip route 10.112.192.0 255.255.192.0 192.168.1.101

ip http server

!

!

ip access-list extended addr-pool

ip access-list extended default-domain

ip access-list extended dns-servers

ip access-list extended group-lock

ip access-list extended idletime

ip access-list extended inacl

ip access-list extended key-exchange

ip access-list extended protocol

ip access-list extended service

ip access-list extended timeout

ip access-list extended tty66

ip access-list extended tunnel-password

!

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

!

route-map nonat permit 10

match ip address 101

!

radius-server authorization permit missing Service-Type

call rsvp-sync

!

!

mgcp profile default

!

!

!

dial-peer cor custom

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

password xxxxxxxx

!

!

end

-------------------

Remote office

Current configuration : 1509 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 1721

!

logging queue-limit 100

enable password 7 xxxxxxxxx

!

memory-size iomem 25

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

!

!

!

!

crypto isakmp policy 5

hash md5

authentication pre-share

crypto isakmp key xxxxxxx address CENTRAL OFFICE PUBLIC IP ADDRESS no-xauth

!

!

crypto ipsec transform-set myset1 esp-des esp-md5-hmac

!

crypto map test 5 ipsec-isakmp

set peer CENTRAL OFFICE PUBLIC IP ADDRESS

set transform-set myset1

match address 115

!

!

!

!

interface Ethernet0

ip address 192.168.0.1 255.255.255.0

no ip proxy-arp

ip nat inside

half-duplex

!

interface FastEthernet0

ip address PUBLIC IP ADDRESS 255.255.255.252

no ip proxy-arp

ip nat outside

speed auto

crypto map test

!

ip nat inside source route-map nonat interface FastEthernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0

ip route 10.112.192.0 255.255.192.0 192.168.1.1

no ip http server

no ip http secure-server

!

!

!

access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255

access-list 110 permit ip 192.168.0.0 0.0.0.255 any

access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.63.255

!

route-map nonat permit 10

match ip address 110

!

!

line con 0

line aux 0

line vty 0 4

password 7 xxxxxx

login

!

end

1 REPLY
Gold

Re: routing over VPN

163
Views
0
Helpful
1
Replies
CreatePlease login to create content