Cisco Support Community

Routing 2 LAN - Network-extension mode


I have one warehouse with two LANs, an 1841 router connected to both and a 3G HWIC card for internet connection. On the other side I have a 1721 as a VPN server. I'm able to connect an EzVPN session for only one LAN, i.e. 192.168.27.x, but I'm not able to route traffic from 10.228.1.x to my LAN 192.168.1.x.


I have this on R1:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2

    crypto isakmp client configuration group xxxx
     key xxxxx
     pool roamerspool

    crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
    crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac

    crypto ipsec profile ipsec-prof
     set transform-set esp-3des
     set isakmp-profile xxxxx-prof

    interface FastEthernet0
     ip address 10.90.x.x
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1260
     speed auto

    interface Serial0
     no ip address
     encapsulation frame-relay IETF
     no ip mroute-cache
     no fair-queue
     frame-relay traffic-shaping
     frame-relay lmi-type q933a

    interface Serial0.17 point-to-point
     bandwidth 1984
     ip address 82.159.x.x
     ip nat outside
     no ip virtual-reassembly
     snmp trap link-status
     frame-relay interface-dlci 17 IETF
      class FR1M

    interface Virtual-Template1 type tunnel
     ip unnumbered Serial0.17
     tunnel source Serial0.17
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ipsec-prof

    ip forward-protocol nd
    ip route Serial0.17
    ip route

    ip access-list extended SPLIT-TUNNEL
     permit ip any
     permit ip

    crypto isakmp policy 1
     authentication pre-share
     group 2
    crypto isakmp keepalive 10 3 periodic

    crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac

    crypto ipsec client ezvpn xxxx
     connect auto
     group xxxxx key xxxxx
     local-address Cellular0/1/0
     mode network-extension
     peer 82.159.x.x
     acl 150
     username xxxxx password xxxxx
     xauth userid mode local

    interface FastEthernet0/0
     ip address
     duplex auto
     speed auto
     standby 1 ip
     standby 1 priority 70
     standby 1 preempt
     standby 1 authentication xxxxx
     standby 1 name xxxxx
     crypto ipsec client ezvpn CADSA inside

    interface FastEthernet0/1
     ip address
     duplex auto
     speed auto
     standby 2 ip
     standby 2 priority 70
     standby 2 preempt
     standby 2 authentication xxxx
     standby 2 name xxxxx

    interface Cellular0/1/0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     no ip mroute-cache
     dialer in-band
     dialer idle-timeout 0
     dialer string gsm
     dialer-group 1
     async mode interactive
     no ppp lcp fast-start
     ppp chap hostname xxxx
     ppp chap password 0 xxxx
     ppp ipcp dns request
     crypto ipsec client ezvpn xxxx

    ip forward-protocol nd
    ip route Cellular0/1/0
    ip route 82.159.x.x Cellular0/1/0
    ip route 82.159.x.x

    access-list 150 permit ip
    access-list 150 permit ip

Between R1 and my LAN I have a FW filtering traffic only from 192.168.27.x and to pass through.

Now I can ping from one IP from 192.168.1.x but when I try from I get a timeout. A traceroute from a PC stops at

I don't know if what I'm trying isn't possible to do or if something is wrong in my config.

Thx in advance.
