route traffic to VPN

Hi,

We would like to access the PC from R3 (192.168.16 and 192.168.17) to R1 (192.100.0 and 192.168.101) segment. There is one VPN between R1 and R2. We would like to make use of the VPN session to do it. However, we cannot ping the 192.168.100.0 segment. Is anything missing? Please advise.

Best regards

Following is the config for your reference.

R3
---
! 192.168.16.1
!
inter fastether 0
 ip address 192.168.16.1 255.255.255.0
inter fastether 0
 ip address 192.168.17.1 255.255.255.0
inter serial 0
 ip address 172.16.254.17 255.255.255.252
ip route 192.168.100.0 0.0.1.255 172.16.254.18

R2
---
! 192.168.31.0
!
inter fastether 2
 ip address 192.168.31.1 255.255.255.0
!
inter serial 0
 ip address 172.16.254.18 255.255.255.252
!
crypto isakmp key owt address 203.x.x.x
crypto map mymap 104 ipsec-isakmp
 description VPN from 192.168.31.0 segment to tw 192.168.100.0/23 segment
 set peer 203.x.x.x
 set transform-set myset
 match address 104
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
ip route 192.168.16.0 0.0.1.255 172.16.254.17

R1
---
! 192.168.100.1
crypto isakmp key owt address 200.x.x.x
crypto map mymap 104 ipsec-isakmp
 description VPN to hk
 set peer 200.x.x.x
 set transform-set myset
 match address 104
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.168.101.1 255.255.255.0

Accepted Solution

Re: route traffic to VPN

The following ACL will specifically allow 16.5 and 17.5 to 100.200 and 101.200 and vice versa. You may or may not want to make it more inclusive, but this does exactly what you asked for, no more.

R1
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip host 192.168.100.200 host 192.168.16.5
access-list 104 permit ip host 192.168.101.200 host 192.168.17.5

R2
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 permit ip host 192.168.16.5 host 192.168.100.200
access-list 104 permit ip host 192.168.17.5 host 192.168.101.200

5 REPLIES

Re: route traffic to VPN

It looks like access-list 104 isn't including the right traffic but there isn't enough information given to be sure.

What is the IP address of the PC?

Am I correct in saying that you want to access the PC from both 192.168.16.1 and 192.168.17.1?

Re: route traffic to VPN

Hi,

Yes, from 192.168.16.5 (or 192.168.17.5) to PC 192.168.100.200 and 192.168.101.200.

Thanks

Best regards

Re: route traffic to VPN

The traffic from R1 to R3 and vice versa is missing from the crypto access list. Add this config and try.

R2:
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.17.0 0.0.0.255 192.168.101.0 0.0.0.255

R1:
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.17.0 0.0.0.255

HTH

Sundar

Re: route traffic to VPN

When setting up ACLs for crypto maps, you have to specify traffic in BOTH directions. Use the advice from the above posts, and it should work.
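
An offline check of the rule discussed in this thread, as an added example that is not part of the original posts: it parses crypto ACL lines, tests whether a given flow is selected for the tunnel, and lists entries that have no mirror on the peer. The function names and the R2_BEFORE, R2_AFTER and R1_AFTER samples are constructed here from the ACL lines quoted in the posts; only `permit ip` entries with contiguous wildcard masks are handled.

```python
import ipaddress

def parse_spec(tok):
    """Pop one address spec (any | host A | A wildcard) and return its IPv4Network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wc = int(ipaddress.IPv4Address(tok.pop(0)))
    if wc & (wc + 1):  # only contiguous wildcards map onto a prefix length
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network((first, 32 - wc.bit_length()))

def parse_crypto_acl(config):
    """Return the (source, destination) networks of each 'permit ip' entry."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            entries.append((parse_spec(rest), parse_spec(rest)))
    return entries

def is_protected(entries, src, dst):
    """True if a packet src -> dst matches an entry, i.e. is sent into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in entries)

def unmirrored(local, peer):
    """Local entries that have no exact reverse (dst, src) entry on the peer."""
    reverse = {(d, s) for s, d in peer}
    return [e for e in local if e not in reverse]

# Constructed samples: R2's ACL as first posted (typos corrected), then the
# same ACL with the subnet entries suggested in the replies appended.
R2_BEFORE = """
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.31.0 0.0.0.255 192.168.101.0 0.0.0.255
"""
R2_AFTER = R2_BEFORE + """
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 permit ip 192.168.17.0 0.0.0.255 192.168.101.0 0.0.0.255
"""
R1_AFTER = """
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 192.168.17.0 0.0.0.255
"""
```

With these samples, `is_protected(parse_crypto_acl(R2_AFTER), "192.168.17.5", "192.168.100.200")` is still false, because the subnet entries pair 192.168.16.0 only with 192.168.100.0 and 192.168.17.0 only with 192.168.101.0.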
