Help with 1921 ISR Easy VPN Remote w/ access to Easy VPN Site to Site
I have two 1921 ISR routers configured with a site to site Easy VPN. I have configured each ISR's VPN ACLs so that all the private networks at each site can communicate with the other site's private networks. I have one of the 1921 ISRs also configured as an Easy VPN Server.
Problem: when a remote user connects to the Easy VPN Server the user can only access the private networks at the VPN Server site. I have added the IP network which is used for the remote users (i.e. the Easy VPN Server IP pool) to each 1921's VPN ACL, but the remote user still cannot access the other site's private networks over the site to site VPN, and vice versa.
Problem: I also have a problem with the Easy VPN Server not placing a static host route in its routing table once it establishes a remote connection to the remote user and provides the remote user with an IP address from the VPN Server IP pool. The VPN Server only performs this task the first time the user connects. If the user disconnects and reconnects the VPN Server router does not put the static host route back in its routing table for the new IP address given on the subsequent connect.
Re: Help with 1921 ISR Easy VPN Remote w/ access to Easy VPN Site to Site
Thanks Fredrico for your reply.
The topology is:
LAN A ----- Router A ------- Internet ------- Router B ----- LAN B (connection between LAN A and LAN B is site to site VPN)
Remote User ---------------------- ( remote user accesses LAN A via the VPN Server on Router A)
There is no NATing. Private LAN IP networks do not overlap between sites and remote users. I cannot NAT as I am doing SIP VoIP calls between sites.
Problem is that even after adding the Remote User's IP network (which is from an IP pool the Router A VPN server uses) to the ACLs of the site to site VPNs, the remote user can still only access LAN A; he cannot access LAN B.
This may have something to do with the issue: I have seen that on ASA routers one must issue the command "same-security-traffic permit intra-network" to allow the security traffic entering Router A to exit Router A towards Router B (aka VPN hairpin). I have yet to determine what the comparable command is on an ISR router.
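Editor's note, added to the thread and not posted by anyone in it: on an ISR running IOS there are no interface security levels, so there is no equivalent of the ASA command above. Whether the remote-user-to-LAN-B hairpin works on a crypto-map-based setup comes down to three things lining up: the site-to-site crypto ACLs on both routers must cover pool <-> LAN B, the split-tunnel ACL pushed to the Easy VPN client must list LAN B (otherwise the client never sends LAN B traffic into the tunnel, which matches the "only LAN A works" symptom), and Router B must have a route that sends the pool prefix out its WAN interface so its crypto map can match it. The configuration below is an illustration of those pieces, not the poster's configuration; the addresses (LAN A 192.168.1.0/24, LAN B 192.168.2.0/24, pool 10.10.100.0/24, public addresses in 203.0.113.0/24 and 198.51.100.0/24), the ACL and map names, and the interface are all assumptions.

```cisco
! ===== Router A: Easy VPN server + site-to-site peer (assumed addressing) =====
aaa new-model
aaa authentication login EZVPN-AUTH local
aaa authorization network EZVPN-GROUP local
username vpnuser secret <set-a-real-password>
!
ip local pool EZVPN-POOL 10.10.100.1 10.10.100.254
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Site-to-site pre-shared key for Router B (203.0.113.2 assumed)
crypto isakmp key <site-to-site-psk> address 203.0.113.2
!
! Group policy pushed to Easy VPN clients. ACL 150 is the split-tunnel list:
! source = networks reachable through the tunnel. If it only lists LAN A,
! the client sends LAN B traffic out its own default route, never into the VPN.
crypto isakmp client configuration group EZVPN-USERS
 key <group-psk>
 pool EZVPN-POOL
 acl 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Site-to-site crypto ACL: LAN A <-> LAN B, and the remote-user pool <-> LAN B.
ip access-list extended SITE-TO-SITE
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.10.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Dynamic map for remote users. "reverse-route" is what installs the /32
! host route for each connected client's pool address; decrypted LAN B
! replies are routed by that /32 back out the WAN interface and re-encrypted.
crypto dynamic-map DYN-MAP 10
 set transform-set TS
 reverse-route
!
crypto map CMAP client authentication list EZVPN-AUTH
crypto map CMAP isakmp authorization list EZVPN-GROUP
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address SITE-TO-SITE
crypto map CMAP 65535 ipsec-isakmp dynamic DYN-MAP
!
interface GigabitEthernet0/0
 description WAN (assumed interface)
 crypto map CMAP
!
! ===== Router B: site-to-site peer only =====
! Mirror image of Router A's crypto ACL.
ip access-list extended SITE-TO-SITE
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.10.100.0 0.0.0.255
! The pool must be routed toward the WAN so the crypto map on that interface
! can match it. A default route via the ISP (198.51.100.1 assumed) already
! does this; the explicit route is only needed if the default points elsewhere.
ip route 10.10.100.0 255.255.255.0 198.51.100.1
!
! ===== Checks on Router A after a client connects and pings a LAN B host =====
! show ip route static                 -> expect a 10.10.100.x/32 from RRI
! show crypto ipsec sa peer 203.0.113.2 -> expect an SA for 10.10.100.0/24 <-> 192.168.2.0/24
!                                         with encaps/decaps counters increasing
! show crypto session                  -> both the Router B peer and the client active
```

If the pool <-> LAN B SA never appears in `show crypto ipsec sa` on Router A while the client is pinging, the packets are not being tunneled by the client at all, which points at the split-tunnel ACL rather than at the site-to-site ACLs.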