
New Member

VPN site to site have problem with permit ip ?

Dear All,

I have some questions to ask you; I have a problem with VPN site to site. Let me tell you ...

At HQ I have an ASA 5510 (for the Internet connection) and a Router 2811 linked to the branch by a VPN connection. For the branch we used a Router 1841.

So in the configuration on the Cisco 2811 and 1841, when I permit ip any any, the branch can access the Internet (I mean that HQ shares the Internet to the branch).

But when I permit ip and host, the branch can access HQ but they cannot access the Internet.

Could you let me know how the branch can access the Internet?

Best Regards,
Rechard

Accepted Solutions
Bronze

Re: VPN site to site have problem with permit ip ?

No need of any route.

I am still waiting for your reply on the ACL, and it is an important input to the puzzle. If you can answer that, we may not need to go through all the troubleshooting.

I will be able to give you a response by tomorrow, as in a few hours from now I will be travelling for the whole day.

Regards,

13 REPLIES

Re: VPN site to site have problem with permit ip ?

Hi,

Do you want the branch office to have Internet through the site-to-site tunnel, or without going through the tunnel?

To allow Internet through the tunnel, the interesting traffic should be from the inside network(s) to any.

To allow Internet without going through the tunnel (in clear-text), the interesting traffic has to be just between inside networks.

What's exactly not working?

Federico.

New Member

Re: VPN site to site have problem with permit ip ?

Dear Federico,

Thank you for your question!!!

For the Internet connection we don't care whether it goes through the site-to-site tunnel or without the VPN tunnel ...

I just need clients at the branch to be able to access the Internet shared from HQ.

Could you let me know how I can do that?

Best Regards,

Rechard

Cisco Employee

Re: VPN site to site have problem with permit ip ?

Can you share a topology diagram of your network? Also, does your ASA firewall include a NAT statement for your branch office subnets for Internet access, and does the ASA know how to route the traffic back towards the LAN-to-LAN tunnel between the 2 routers?

New Member

Re: VPN site to site have problem with permit ip ?

Dear halijenn,

OK, let me show you my diagram and some configuration below:

On ASA

access-list inside_access_in extended permit ip any any

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 203.289.12.1

route inside 192.168.0.0 255.255.0.0 192.168.11.2

On Core-Switch

ip route 0.0.0.0 0.0.0.0 192.168.11.1

ip route 192.168.10.0 255.255.255.0 192.168.12.1

On Router 2811 (HQ)

ip route 0.0.0.0 0.0.0.0 192.168.12.2

ip route 192.168.10.0 255.255.255.0 192.168.15.2

ip access-list extended ACL_VPN
permit ip any any

On Branch Router(1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1

ip access-list extended ACL_VPN
permit ip any any

The configuration above works for sharing the Internet from HQ to the branch. But when I change the VPN access list on routers 2811 and 1841 as below, the Internet doesn't work, although clients at the branch can access HQ.

On Router 2811 (HQ)

ip route 0.0.0.0 0.0.0.0 192.168.12.2

ip route 192.168.10.0 255.255.255.0 192.168.15.2

ip access-list extended ACL_VPN
permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

On Branch Router(1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1

ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

I don't know why it doesn't work for the Internet connection only.

Bronze

Re: VPN site to site have problem with permit ip ?

The drawing didn't come out well, kindly upload it again.

And I think the conf in red is a typo; as per the details provided by you, it should be 12.0. Otherwise the VPN won't come up, as the ACLs need to be mirror images of each other.

Are you using any proxy, or is every IP getting NATed at the ASA to access the Internet?

On Branch Router(1841)

ip route 0.0.0.0 0.0.0.0 192.168.15.1

ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

rgds
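Federico's point above (Internet traffic only rides the IPsec tunnel when the crypto ACL matches it) and rajatsetia's point (the two crypto ACLs must be mirror images) as an added example, not code from the thread: a small Python model of IOS crypto ACL matching fed with the ACL entries Rechard posted. The host addresses 192.168.10.50 and 198.51.100.10 are constructed sample values.

```python
import ipaddress

def _consume(tokens):
    """Pop one address spec: 'any' or '<network> <wildcard>' (Cisco wildcard = inverted mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net, wild = tokens[0], tokens[1]
    hostbits = int(ipaddress.IPv4Address(wild))
    if hostbits & (hostbits + 1):  # only contiguous wildcards such as 0.0.0.255 are modelled
        raise ValueError(f"non-contiguous wildcard not supported: {wild}")
    prefix = 32 - hostbits.bit_length()
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'permit ip <src> <dst>' entries into (src_net, dst_net) pairs."""
    acl = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _consume(tokens[2:])
        dst, _ = _consume(rest)
        acl.append((src, dst))
    return acl

def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches the crypto ACL, i.e. it is encrypted into the tunnel;
    anything that does not match follows the normal routing table in clear text."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def mirror_mismatches(local_acl, remote_acl):
    """Entries of local_acl that have no exact (dst, src) counterpart in remote_acl."""
    flipped = {(d, s) for s, d in remote_acl}
    return [entry for entry in local_acl if entry not in flipped]

# Restricted ACLs as posted in the thread (branch side still carries the 192.168.112.0 typo)
HQ_RESTRICTED = parse_acl([
    "permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
])
BRANCH_RESTRICTED = parse_acl([
    "permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255",
    "permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255",
])
BRANCH_ANY = parse_acl(["permit ip any any"])

if __name__ == "__main__":
    branch_host, internet_host = "192.168.10.50", "198.51.100.10"  # constructed sample addresses
    print("any any, branch -> Internet in tunnel:", is_interesting(BRANCH_ANY, branch_host, internet_host))
    print("restricted, branch -> Internet in tunnel:", is_interesting(BRANCH_RESTRICTED, branch_host, internet_host))
    print("restricted, branch -> HQ LAN in tunnel:", is_interesting(BRANCH_RESTRICTED, branch_host, "192.168.11.5"))
    print("HQ entries with no mirror at branch:", mirror_mismatches(HQ_RESTRICTED, BRANCH_RESTRICTED))
```

With the restricted ACL the Internet-bound packet is not interesting traffic, so it never reaches the ASA's NAT through the tunnel, which is exactly the symptom described; the mirror check also flags the 192.168.112.0 entry rajatsetia spotted.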

New Member

Re: VPN site to site have problem with permit ip ?

Dear rajatsetia,

Thank you for your answer!!!

Yes, I made a mistake: 192.168.112.0 should be 192.168.12.0.

I don't have a proxy; every IP is getting NATed at the ASA to access the Internet.

But it doesn't work when I permit by IP address.

Best Regards,
Rechard

Bronze

Re: VPN site to site have problem with permit ip ?

Dear Rechard,

A couple of things:

- Confirm that ACL_VPN is only used for VPN purposes and is not applied on any interface.

- To troubleshoot this problem, you can do the following:

  - Create a loopback interface with an IP address outside the IP range of the VPN interesting traffic.

  - Troubleshoot on a hop-by-hop basis: first create a loopback on the HQ router and try to ping the loopback from the branch, then do the same on the HQ switch. This way you can pinpoint where the problem is.

I'm not able to really think of the exact issue, so I am relying on some basic troubleshooting.

Regards

Rajat

New Member

Re: VPN site to site have problem with permit ip ?

Dear rajatsetia,

Thank you for your advice.

At the HQ router, for the WAN interface I use 192.168.15.1.

Should I assign loopback IP 192.168.15.200, right?

At the branch router, for the WAN interface I use 192.168.15.2.

Should I assign loopback IP 192.168.15.201, right?

How about the ASA, do we need to add something on the ASA?

Best Regards,

Rechard

Bronze

Re: VPN site to site have problem with permit ip ?

Hi,

I hope the subnet of the point-to-point link 192.168.15.1/2 is a /30. In this case you can use 192.168.15.200 as the loopback on the HQ router, as the 15.0 range is not part of the VPN traffic.

Also please confirm you have not applied any ACL on any of the interfaces (branch, HQ router, switch, ASA). I hope ACL_VPN is only used for VPN purposes.

Regards.
