I am working with a VPN tunnel between a Cisco 1710 (branch) and Cisco 2610 (HQ). The tunnel is UP, however, the branch is unable to browse to a site using internal IP hosted at HQ. There are other branch connections with Cisco 1710 routers that use similar, but not exact, configurations. I have gone through line by line, but unable to identify the failure. I am prepared to paste both configurations if someone would care to review.
Is this an IPSEC tunnel?
if so , pls check the hitcounts on the acl relaying the traffic on either side to see traces of data & check if the ip's involved in the tunnel are denied from being involved in NAT.
Pls paste the configs, it will help to check further.
I apologize for the delayed response. I will paste the current configuration below. I would greatly appreciate any insight.
This is a branch that is connected to the Internet via cable with a dynamic (DHCP) assigned external IP address. There is a tunnel which is successfully established via dynamic map to the headquarters (HQ).
On the LAN Internet connectivity is good, however, they need to access a web (www) site on the internal LAN at HQ (Headquarters) which fails. The local subnet is 10.7.x.x amd tje remote subnet is 10.0.x.x and the internal site is 10.0.0.110.
Unfortuantely, ping isn't available, so I can't test that, but I a traceroute shows the first hop does NOT appear to be routing properly. I have included the configuration of the branch office and at the bottom a snippet of another branch that can connect to the 10.0.0.110 web site and an illustration of that routing, however, the difference is that that site has a static IP address (perhaps I have something routing wrong on the branch with the DHCP Internet access).
From the config sent out with respect to Bransch office, it appears that the trace is taking a fisrt hop :10.19.48.1. Can u pls do a sh ip route and find out which interface is next hop for this IP.This subnet is not available in the router config of this branch office router, hence I would be qurious to know the same.
Also try once after disabling nat statements from both the internal and external interfaces. Pls do send in trace run post removing the NAT statements.
Pls post these details.
by the way,
this is not correct.
ip route 0.0.0.0 0.0.0.0 Ethernet0
on broadcast media you should use ip-address instead of intreface (in this case Ethernet0)
I have detailed troubleshooting attached as a file. I did remove the ip route and Internet connectivity is good. Removing the NAT statements did not appear to have any effect (other than dropping Internet connectivity).
So, I guess it boils down to where is the first hop 10.19.48.1 coming from and how to get it to go through the correct gateway in order to get to the other side of the tunnel, because it appears that the first hop 10.19.48.1 is what is causing the problem.
As an additional measure, I also try to add a specific route for that network, but that did not have any effect either (so, I reverted that change).
Trexlertown(config)#ip route 10.19.0.0 255.255.0.0 207.xxx.xxx.1
Trexlertown#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 207.xxx.xxx.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.7.0.0/24 is directly connected, FastEthernet0
S 10.19.0.0/16 [1/0] via 207.xxx.xxx.1
C 207.xxx.xxx.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [254/0] via 207.xxx.xxx.1
could you try add an option
crypto dynamic-map dynmap 14
set transform-set cm-transformset-2
match address 120
and "sh crypto ipsec sa" on HQ
sh ip route
can you ping Branch router's inside interface ip address 10.7.0.1 from HQ router sourcing from its inside interface 10.0.0.201?
I strongly believe this is routing issue , probably on the HQ. Hence a reverse route issue. I also see Rip running.
So pls do a sh ip route on the HQ router fr the branch segment.
If it points correctly then, pls try pinging the branch interface. Also try finding out the 10.19.X.X segment on the HQ router which appears to be the fisrt hop on trace from branch router.
Also do a sh ip route fr 10.0.0.0 on the branch router and paste the out puts here.
what is output for
show crypto ipsec sa ?
do you see pkts encrypted on one side and decrypted on the other side. Then its a routing issue . Check the routing for the subnet on the side where packets are getting decrypted.
Pls remove the route for 10.19.48.0 that you have applied. Its is only complicating the issue. This is probably a hop somewhere on the HQ side.
Pls paste the outputs as I have requested.
One more thing is to create two loopbacks interfaces, one on the Branch with branch pool lan ip & other one on HQ router with HQ segment that is inaccesible. Both IPs should be /32 .
Then try pinging and tracing to those IP with source as loopbacks from both ends.
If the ping and trace reaches, we are more or less very near to the solution.