VPN config with multiple subnets

I am having some config issues with a new VPN tunnel we are trying to implement using CenturyLink's VPN extensions service, which is basically a CL-managed VPN router into our MPLS network.

So I am able to get a tunnel up at the remote site to the VPN extension, but I am not able to have the other local subnets access the tunneled subnet unless they go over the VPN.  (Config is below.)

So the mile high view is this: we have 4 subnets at the remote site. VLAN 1 is for workstations, VLAN 2 is for IP Phones, VLAN 3 is for IP Cameras, VLAN 4 is for printers.  The site has a DSL circuit and an MPLS T1 circuit.  Ideally the goal is to have VLANs 1, 3, 4 ride the DSL and VLAN 2 ride the MPLS, but at the same time be able to fail back to the other should a circuit be down.  So we are starting small since CL is not too great with their product either.  I have VLAN 3 running over DSL, but when I try to ping from VLAN 1 to VLAN 3 it has to go over the MPLS network even though VLAN 1 is Gig0/0.1 and 3 is on Gig0/0.3.

Any thoughts?

--- CONFIG ---

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 222.222.222.222
!
!
crypto ipsec transform-set vpn-3des-sha esp-3des esp-sha-hmac
!
crypto map centurylink-tunnel 1 ipsec-isakmp
 description To CenturyLink
 set peer 222.222.222.222
 set transform-set vpn-3des-sha
 match address 120
!
interface GigabitEthernet0/0
 description LAN
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.115.1.1 255.255.255.0
 ip helper-address 10.0.5.92
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.115.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.10.10.1 255.255.255.0 secondary
 ip address 10.115.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/0.4
 encapsulation dot1Q 4
 ip address 10.115.4.1 255.255.255.0
 ip helper-address 10.0.5.92
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/2
 description DSL
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Serial0/2/0
 description MPLS
 ip address 111.111.111.111 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 description ADSL WAN Dialer
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 crypto map centurylink-tunnel
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.115.1.0 mask 255.255.255.0
 network 10.115.2.0 mask 255.255.255.0
 network 10.115.4.0 mask 255.255.255.0
 neighbor 111.111.111.112 remote-as 209
 neighbor 111.111.111.112 soft-reconfiguration inbound
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp tacacs
!
ip nat inside source list 121 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 111.111.111.112 10
ip route 222.222.222.222 255.255.255.255 Dialer0
!
ip access-list extended MPLS
 permit ip 10.115.1.0 0.0.0.255 any
 permit ip 10.115.2.0 0.0.0.255 any
 permit ip 10.115.4.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.115.3.0 0.0.0.255 any
!
access-list 120 permit ip 10.115.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 121 deny   ip 10.115.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 121 permit ip 10.115.3.0 0.0.0.255 any
!
!
!
!
route-map PBR permit 5
 match ip address MPLS
 set ip next-hop 111.111.111.112
!
route-map PBR permit 10
 match ip address VPN
 set interface Dialer0

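An added example, not part of the original post: a small Python model of how route-map PBR is evaluated against the MPLS and VPN ACLs in the config above, showing which clause inter-VLAN packets hit before the routing table is consulted. The function names and the `LOCAL_EXEMPT` deny entry are hypothetical, introduced here only for illustration.

```python
import ipaddress

ANY = "0.0.0.0/0"
# ACLs transcribed from the posted config (wildcard masks written as prefixes).
ACL_MPLS = [("permit", "10.115.1.0/24", ANY),
            ("permit", "10.115.2.0/24", ANY),
            ("permit", "10.115.4.0/24", ANY)]
ACL_VPN = [("permit", "10.115.3.0/24", ANY)]
# route-map PBR from the posted config: (sequence, ACL, set action).
ROUTE_MAP = [(5, ACL_MPLS, "next-hop 111.111.111.112"),
             (10, ACL_VPN, "interface Dialer0")]
# Assumption (not in the post): a deny entry placed first in each ACL so that
# traffic between the site's own 10.115.x.0/24 subnets is not policy-routed.
LOCAL_EXEMPT = ("deny", "10.115.0.0/16", "10.115.0.0/16")


def acl_match(entries, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def pbr_decision(route_map, src, dst):
    """Return (sequence, set action) of the first permit clause whose ACL
    permits the packet, or None when the packet falls through to the
    normal routing table (where connected subinterfaces would win)."""
    for seq, acl, action in route_map:
        if acl_match(acl, src, dst) == "permit":
            return seq, action
    return None


def with_exemption(route_map):
    """Copy of the route-map with LOCAL_EXEMPT prepended to every ACL."""
    return [(seq, [LOCAL_EXEMPT] + acl, action) for seq, acl, action in route_map]


if __name__ == "__main__":
    # Constructed sample hosts in VLAN 1 and VLAN 3.
    for rm, label in ((ROUTE_MAP, "as posted"), (with_exemption(ROUTE_MAP), "with exemption")):
        print(label, "VLAN1->VLAN3:", pbr_decision(rm, "10.115.1.10", "10.115.3.20"))
        print(label, "VLAN3->VLAN1:", pbr_decision(rm, "10.115.3.20", "10.115.1.10"))
```

Because the posted ACLs use `any` as the destination, the model shows both directions of VLAN 1 to VLAN 3 traffic being policy-routed off-box; the reverse direction also falls inside crypto ACL 120, since 10.115.1.0/24 is part of 10.0.0.0/8.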