Cisco Support Community

Routing 2 LAN - Network-extension mode

Hello,

I have one warehouse with two LANs, an 1841 router connected to both, and a 3G HWIC card for the internet connection. On the other side I have a 1721 as a VPN server. I'm able to connect an EzVPN session for only one LAN, i.e. 192.168.27.x, but I'm not able to route traffic from 10.228.1.x to my LAN 192.168.1.x.

diagrama.jpg

I have this on R1:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group xxxx
 key xxxxx
 dns 192.168.1.253 192.168.1.192
 pool roamerspool
 acl SPLIT-TUNNEL
 save-password
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
crypto ipsec profile ipsec-prof
 set transform-set esp-3des
 set isakmp-profile xxxxx-prof
interface FastEthernet0
 ip address 10.90.x.x 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1260
 speed auto
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type q933a
!
interface Serial0.17 point-to-point
 bandwidth 1984
 ip address 82.159.x.x 255.255.255.254
 ip nat outside
 no ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 17 IETF
  class FR1M
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0.17
 tunnel source Serial0.17
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-prof
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0.17
ip route 192.168.0.0 255.255.0.0 10.90.0.2
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.228.1.0 0.0.0.255 192.168.1.0 0.0.0.255

R2:

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3 periodic
!
!
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn xxxx
 connect auto
 group xxxxx key xxxxx
 local-address Cellular0/1/0
 mode network-extension
 peer 82.159.x.x
 acl 150
 username xxxxx password xxxxx
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 192.168.22.252 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.22.254
 standby 1 priority 70
 standby 1 preempt
 standby 1 authentication xxxxx
 standby 1 name xxxxx
 crypto ipsec client ezvpn CADSA inside
!
interface FastEthernet0/1
 ip address 10.228.1.252 255.255.255.0
 duplex auto
 speed auto
 standby 2 ip 10.228.1.254
 standby 2 priority 70
 standby 2 preempt
 standby 2 authentication xxxx
 standby 2 name xxxxx
!
interface Cellular0/1/0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 no ppp lcp fast-start
 ppp chap hostname xxxx
 ppp chap password 0 xxxx
 ppp ipcp dns request
 crypto ipsec client ezvpn xxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route 82.159.x.x 255.255.255.252 Cellular0/1/0
ip route 192.168.0.0 255.255.0.0 82.159.x.x
!
access-list 150 permit ip 192.168.27.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.228.0.0 0.0.255.255 192.168.0.0 0.0.255.255

Between R1 and my 192.168.0.0 LAN I have a firewall that only allows traffic from 192.168.27.x and 10.228.1.0 to pass through.

Now I can ping an IP in 192.168.1.x from 192.168.27.254, but when I try from 10.228.1.254 I get a timeout. A traceroute from a PC at 10.228.1.1 stops at 10.228.1.254.

I don't know whether what I'm trying isn't possible or whether something is wrong in my config.

Thanks in advance.
