
New Member

accessing a subnet via VPN session

Hi everybody.

I do not have much experience configuring and managing VPNs and at this moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a site-to-site IPsec VPN tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via the VPN client, I can't reach it.

In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-lists and network objects and it seems everything is OK.

local network: 10.30.0.0 0.0.0.0

remote network 10.31.0.0 0.0.0.0

ASA

object-group network remote-network

network-object 172.16.27.0 255.255.255.0

network-object 10.31.0.0 255.255.0.0

object-group network network-local

network-object 0.0.0.0 0.0.0.0

access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0

Router 3800

ip access-list extended vpn

  permit ip 10.31.0.0 0.0.255.255 any

Can someone guide me on what is missing in the config? No problem if you need more "sho run" lines.

Regards and Thanks very much!!

3 REPLIES
Silver

accessing a subnet via VPN session

Hey Marco,

Have you configured a separate VPN client group on the remote site?

Can you share the whole show run for the remote box?

If you have already configured the group, then please send the logs from the VPN client.

To set the logs, click the Log option and choose Enable, then go to Log Settings and choose 3-High for all of them.

Let me know.

thanks

ankur

New Member

accessing a subnet via VPN session

Hi Ankur, thanks very much for your reply!

This is the "sho run" in my remote router:

I do not understand your first question well, but if it is useful, I log in to the headquarters "headquarters public ip address".

This is a simple diagram of where I want to connect to:

REMOTE_SITE ----------( VPN site-to-site IPsec tunnel )---------- HEADQUARTERS
(10.31.0.0/24 network)                                      (10.30.0.0/16 network)
                                                                     |
                                                                     |
                                                                     |
                                                                REMOTE USER
                                                             (10.30.23.130/25)

REMOTESITE#sho run

Building configuration...

Current configuration : 10834 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname PYASU1ROU01

!

boot-start-marker

boot-end-marker

!

logging buffered 64000 debugging

no logging console

!

aaa new-model

!

!

!

aaa authentication login default group tac-auth local

aaa authentication enable default group tac-auth enable

aaa authorization console

aaa authorization exec default group tac-auth local if-authenticated

aaa authorization network default local

aaa accounting exec default start-stop group tac-auth

!

aaa session-id common

clock timezone PR -3

ip cef

!

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

crypto pki trustpoint TP-self-signed-4112391703

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4112391703

revocation-check none

rsakeypair TP-self-signed-4112391703

!

!

crypto pki certificate chain TP-self-signed-4112391703

certificate self-signed 01

  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430

  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233

  39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C

  95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793

  A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87

  DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3

  D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603

  551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680

  14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414

  C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101

  04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8

  B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746

  31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224

  91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2

  94350AFF EA7CB2

  quit

username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1

username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

crypto keyring apex

  pre-shared-key address "headquerters public ip address"

key apex

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp profile companyname

   keyring apex

   match identity address "headquerters public ip address"

!

!

crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac

crypto ipsec transform-set 3DES esp-3des esp-sha-hmac

!

crypto map outside 10 ipsec-isakmp

set peer "headquerters public ip address"

set transform-set 3DES

set isakmp-profile companyname

match address vpn-companyname

!

!

!

!

interface Loopback1

description monitoreo

ip address 10.31.21.255 255.255.255.255

!

interface GigabitEthernet0/0

description Teysa

ip address public ip address

ip nat outside

no ip virtual-reassembly

load-interval 30

duplex auto

speed auto

media-type rj45

crypto map outside

!

interface GigabitEthernet0/1

description TO CORE-SW

ip address 192.168.255.249 255.255.255.252

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

media-type rj45

!

interface FastEthernet0/0/0

switchport access vlan 2

duplex full

speed 100

!

interface FastEthernet0/0/1

switchport access vlan 10

shutdown

duplex full

speed 100

!

interface FastEthernet0/0/2

switchport mode trunk

shutdown

!

interface FastEthernet0/0/3

switchport access vlan 10

shutdown

duplex full

speed 100

!

interface Vlan1

no ip address

!

!

!

no ip http server

ip http authentication aaa login-authentication default

ip http authentication aaa exec-authorization default

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map nat interface GigabitEthernet0/0 overload

!

ip access-list extended nat

deny   ip host 172.16.27.236 10.0.0.0 0.255.255.255

deny   ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255

deny   ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255

permit ip 10.31.11.0 0.0.0.255 any

permit ip 10.31.13.0 0.0.0.255 any

permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93

permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46

permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127

permit ip 172.16.27.224 0.0.0.31 any

ip access-list extended vpn-apex

permit ip 10.50.20.0 0.0.1.255 any

permit ip 172.16.27.0 0.0.0.255 any

permit ip 10.31.0.0 0.0.255.255 any

permit ip 10.30.0.0 0.0.255.255 any

!

!

route-map nat permit 10

match ip address nat

!

!

!

control-plane

!

!

!

!

line con 0

password 7 xxxxxxxxxx

stopbits 1

line aux 0

stopbits 1

line vty 0 4

password 7 xxxxxxxxxx

!

scheduler allocate 20000 1000

ntp server 10.30.5.38

!

end

REMOTESITE#

Regards!
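As an added check (example code written for this thread, not part of the original posts and not Cisco's own tooling): the two ACLs that decide what the router does with a packet headed back to a VPN client are the crypto map's match ACL and the NAT route-map ACL in the "sho run" above. The script below re-implements Cisco's first-match, wildcard-mask ACL evaluation over constructed copies of the "vpn-apex" and "nat" ACLs from the config, then traces a return packet from a hypothetical remote-site host (10.31.11.20, assumed) to the poster's client address 10.30.23.130 and to a second hypothetical client address outside 10.0.0.0/8. All class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the two extended ACLs in the router "sho run" posted
# above. Cisco wildcard masks are inverse masks: a set bit means "don't care".
ROUTER_CRYPTO_ACL = """
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
"""

ROUTER_NAT_ACL = """
deny   ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny   ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny   ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
"""


@dataclass
class AddrSpec:
    """A Cisco address/wildcard pair (hypothetical helper type)."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        # Bits covered by the wildcard are ignored; the rest must equal addr.
        ip_int = int(ipaddress.IPv4Address(ip))
        return ((ip_int ^ self.addr) & (~self.wildcard & 0xFFFFFFFF)) == 0


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A', or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrSpec(int(ipaddress.IPv4Address(tokens[i])),
                    int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip SRC DST' lines; other protocols are rejected."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Cisco ACLs are first-match; no match means the implicit deny at the end."""
    for ace in aces:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace
    return None


def permits(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    m = first_match(parse_acl(acl_text), src_ip, dst_ip)
    return m is not None and m.action == "permit"


def check_return_path(remote_host: str, vpn_client: str) -> dict:
    """How the router treats a packet from a remote-site host back to a VPN client.

    On IOS, inside-to-outside NAT runs before the crypto map check. A packet the
    'nat' ACL permits is translated to the Gi0/0 address and no longer matches
    any private-source entry in the crypto ACL, so it leaves in the clear.
    """
    natted = permits(ROUTER_NAT_ACL, remote_host, vpn_client)
    encrypted = (not natted) and permits(ROUTER_CRYPTO_ACL, remote_host, vpn_client)
    return {"natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed flows: the poster's client 10.30.23.130 and a hypothetical
    # client drawn from a pool outside 10.0.0.0/8.
    for client in ("10.30.23.130", "192.168.50.5"):
        print(client, check_return_path("10.31.11.20", client))
```

Run against the posted client address, the router side comes out clean: the packet is exempted from NAT by the second deny line and matches "permit ip 10.31.0.0 0.0.255.255 any", so it is encrypted. A client from a pool outside 10.0.0.0/8 would be translated first and never reach the crypto map. The same two questions apply to the ASA configuration that is not on the page: the ASA's LAN-to-LAN crypto ACL and its NAT-exempt rule must both cover the VPN client pool, and because client traffic enters and leaves on the same outside interface, the ASA needs "same-security-traffic permit intra-interface" before it will hairpin that traffic into the tunnel.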

Silver

accessing a subnet via VPN session

Thanks!

Well, I am still not clear on the question itself...

Please correct me if I am wrong:

You have a LAN-to-LAN tunnel between ASA Hub ---------------------- Router (Remote)
                                                |
                                                |
                                      VPN client from home

So from home you connect to the ASA using a VPN client (the client terminates on the ASA)?

And then, as you have a LAN-to-LAN tunnel between the two, you want to access the subnets behind the remote router. Is this the correct understanding?

If yes, then please share the ASA configuration as well.

Thanks

Ankur
