Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WAN tunnel connection issue with Cisco 871 using 2 subnets

Good morning,

One of my remote sites is having a problem. I've been banging my head against the wall trying to get this working like it should. The site has an IP range of 192.200.1.0/24, it is tunnelled into the main office here. That connection is working fine. My boss wants to put in VoIP, which has equipment in the 192.100.0.0/24 range. The 192.200.1.0/24 subnet is tunnelled correctly so the data side is working as it should. The 192.100.0.0/24 subnet is working in terms of getting to the internet, but the voicemail system is located in the main office here since this remote site only has about six workers. I know a /24 is overkill for just six workers, but my philosophy is make it work first, then tighten it up as needed.

The 78.X.Y.Z address are the dedicated IP addresses from the ISP.

10.1.0.0 is for the network in the home office.

Anyways, here's the config of the 871, could you folks take a quick look and see if I'm just overlooking something incredibly simple?

Current configuration : 17333 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname boe
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$ZzkA$xlzrICnroBW4mSScsp.HV/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.200.1.1 192.200.1.250
!
ip dhcp pool elections
   import all
   network 192.200.1.0 255.255.255.0
   dns-server 78.1.18.237 78.105.28.11
   default-router 192.200.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name city.local
ip name-server 10.1.1.42
ip name-server 10.1.1.41
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
!
!
crypto pki trustpoint TP-self-signed-1022835706
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1022835706
revocation-check none
rsakeypair TP-self-signed-1022835706
!
!
crypto pki certificate chain TP-self-signed-1022835706
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303232 38333537 3036301E 170D3039 30363134 32313236
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30323238
  33353730 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A93B 8B2766D0 5568BBBC CE65D45F F1A6FC13 88375D97 61145986 7DE9A447
  B0E8D225 0B1B4046 C8EFED54 8C686282 B153DCA6 4425A5D6 45BA9D85 BC82D547
  CB18382A B4334DF0 32E93115 A5AB0D61 13D0BFD7 E106D8C0 058BA5FC 4A0C96FB
  F475053B 2F595D9D 3DA5A2D1 52C6EBF6 D3AFA7E8 9D7978CF 004B9A47 8F3A3D22
  DEBD0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14626F65 2E626962 62636F75 6E74792E 6C6F6361 6C301F06
  03551D23 04183016 8014141C 11B9D7D6 E05FE514 BF1B7A90 B73E424A D127301D
  0603551D 0E041604 14141C11 B9D7D6E0 5FE514BF 1B7A90B7 3E424AD1 27300D06
  092A8648 86F70D01 01040500 03818100 969F4FD0 B5FA2DB9 F46A9D5D 790ECD79
  130DCB75 7230B5D1 D404ED9F 13EB21FB 3D9350AB 4D5F8B38 2B62BF97 B208BDB3
  1578CFEB FB42A449 A9C53715 E7173B54 B78D5C8C C525733C EA0BBDB4 20018A76
  1C47DBE4 68EF62DD EFFE46B7 388BD4F5 99C32FF3 4830E040 821DBA7C A948A4D6
  89955456 4CC90BB6 5F626AAE DFF64B9B
  quit
username fflintstone privilege 15 secret 5 $1$eWnW$Hc5D30FZFI0c3jS6vj9Zl1
archive
log config
  hidekeys
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 109
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SSH
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-1
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all VPNicmp
match protocol icmp
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-1
match class-map sdm-mgmt-cls-1
match access-group 113
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-0
match class-map sdm-mgmt-cls-0
match access-group 107
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-2
match class-map sdm-mgmt-cls-1
match access-group 112
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  pass
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-mgmt-cls-sdm-permit-0
  inspect
class type inspect VPNicmp
  inspect
class type inspect sdm-mgmt-cls-sdm-permit-2
  inspect
class type inspect sdm-mgmt-cls-sdm-permit-1
  inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination

in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key b0E#1 address 79.109.200.5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to79.109.200.5
set peer 79.109.200.5
set transform-set ESP-3DES-SHA1
match address 110
!
!
!
!
interface FastEthernet0
description LocalNetwork
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description PhoneNet
switchport access vlan 2
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 79.101.51.74 255.255.255.192
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.200.1.1 255.255.255.0
ip access-group 108 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
description PhoneNet
ip address 192.100.0.254 255.255.255.0
ip access-group 115 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 79.101.51.65
ip route 192.100.0.0 255.255.255.0 10.1.1.242 permanent
ip route 192.179.1.0 255.255.255.0 10.1.1.242 permanent
!
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark SDM_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark SDM_ACL Category=0
permit tcp any any eq telnet
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.200.1.0 0.0.0.255
access-list 1 permit 192.100.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.200.1.0 0.0.0.255
access-list 2 permit 192.100.0.0 0.0.0.255
access-list 3 permit 192.200.1.2
access-list 3 permit 79.109.200.36
access-list 3 permit 192.100.0.254
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 79.109.200.5
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.200.1.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip 192.100.0.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 79.109.200.5 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.1.0.0 0.0.15.255 192.200.1.0 0.0.0.255
access-list 103 permit ip 192.100.0.0 0.0.15.255 192.100.0.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.200.1.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 104 permit ip 192.200.1.0 0.0.0.255 any
access-list 104 deny   ip 192.100.0.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 104 permit ip 192.100.0.0 0.0.0.255 any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp host 79.109.200.5 host 79.101.51.74 eq telnet
access-list 105 permit tcp host 79.109.200.36 host 79.101.51.74 eq telnet
access-list 105 permit tcp host 79.109.200.5 host 79.101.51.74 eq 22
access-list 105 permit tcp host 79.109.200.36 host 79.101.51.74 eq 22
access-list 105 permit tcp host 79.109.200.5 host 79.101.51.74 eq www
access-list 105 permit tcp host 79.109.200.36 host 79.101.51.74 eq www
access-list 105 permit tcp host 79.109.200.5 host 79.101.51.74 eq 443
access-list 105 permit tcp host 79.109.200.36 host 79.101.51.74 eq 443
access-list 105 permit tcp host 79.109.200.5 host 79.101.51.74 eq cmd
access-list 105 permit tcp host 79.109.200.36 host 79.101.51.74 eq cmd
access-list 105 deny   tcp any host 79.101.51.74 eq telnet
access-list 105 deny   tcp any host 79.101.51.74 eq 22
access-list 105 deny   tcp any host 79.101.51.74 eq www
access-list 105 deny   tcp any host 79.101.51.74 eq 443
access-list 105 deny   tcp any host 79.101.51.74 eq cmd
access-list 105 permit ahp host 79.109.200.5 host 79.101.51.74
access-list 105 permit esp host 79.109.200.5 host 79.101.51.74
access-list 105 permit udp host 79.109.200.5 host 79.101.51.74 eq isakmp
access-list 105 permit udp host 79.109.200.5 host 79.101.51.74 eq non500-

isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.1.0.0 0.0.15.255 192.200.1.0 0.0.0.255
access-list 105 permit ip any any
access-list 105 permit ip 10.1.0.0 0.0.15.255 192.100.0.0 0.0.0.255
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip host 79.109.200.5 any
access-list 106 permit ip host 79.109.200.36 any
access-list 106 permit ip host 192.200.1.2 any
access-list 106 permit ip host 192.100.0.254 any
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip host 79.109.200.5 host 79.109.200.43
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp host 192.200.1.2 host 192.200.1.1 eq telnet
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 permit tcp 192.200.1.0 0.0.0.255 host 192.200.1.1 eq telnet
access-list 108 permit tcp host 192.200.1.2 host 192.200.1.1 eq 22
access-list 108 permit tcp host 192.200.1.2 host 192.200.1.1 eq www
access-list 108 permit tcp 192.200.1.0 0.0.0.255 host 192.200.1.1 eq www
access-list 108 permit tcp host 192.200.1.2 host 192.200.1.1 eq 443
access-list 108 permit tcp 192.200.1.0 0.0.0.255 host 192.200.1.1 eq 443
access-list 108 permit tcp host 192.200.1.2 host 192.200.1.1 eq cmd
access-list 108 deny   tcp any host 192.200.1.1 eq telnet
access-list 108 deny   tcp any host 192.200.1.1 eq 22
access-list 108 deny   tcp any host 192.200.1.1 eq www
access-list 108 deny   tcp any host 192.200.1.1 eq 443
access-list 108 deny   tcp any host 192.200.1.1 eq cmd
access-list 108 deny   udp any host 192.200.1.1 eq snmp
access-list 108 permit icmp any any
access-list 108 permit ip any any
access-list 108 permit tcp 192.100.0.0 0.0.0.255 host 192.200.1.1 eq telnet
access-list 108 permit tcp 192.100.0.0 0.0.0.255 host 192.200.1.1 eq www
access-list 108 permit tcp 192.100.0.0 0.0.0.255 host 192.200.1.1 eq 443
access-list 108 permit tcp host 192.100.0.254 host 192.200.1.1 eq telnet
access-list 108 permit tcp host 192.100.0.254 host 192.200.1.1 eq 22
access-list 108 permit tcp host 192.100.0.254 host 192.200.1.1 eq www
access-list 108 permit tcp host 192.100.0.254 host 192.200.1.1 eq 443
access-list 108 permit tcp host 192.100.0.254 host 192.200.1.1 eq cmd
access-list 108 deny   tcp any host 192.100.0.254 eq telnet
access-list 108 deny   tcp any host 192.100.0.254 eq 22
access-list 108 deny   tcp any host 192.100.0.254 eq www
access-list 108 deny   tcp any host 192.100.0.254 eq 443
access-list 108 deny   tcp any host 192.100.0.254 eq cmd
access-list 108 deny   udp any host 192.100.0.254 eq snmp
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.1.0.0 0.0.15.255 192.200.1.0 0.0.0.255
access-list 109 permit ip 10.1.0.0 0.0.15.255 192.100.0.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.200.1.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 110 permit ip 192.100.0.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.1.0.0 0.0.15.255 192.200.1.0 0.0.0.255
access-list 111 permit ip 10.1.0.0 0.0.15.255 192.100.0.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip host 79.109.200.36 host 79.101.51.74
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit ip host 79.109.200.5 host 79.101.51.74
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device

and
it provides the default username "cisco" for  one-time use. If you have

already
used the username "cisco" to login to the router and your IOS image

supports the
"one-time" user option, then this username has already expired. You will

not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege

level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want

to
use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 106 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Everyone's tags (5)
1 REPLY
Hall of Fame Super Silver

WAN tunnel connection issue with Cisco 871 using 2 subnets

I have looked through the config that you posted. I do note one issue in that you have network 192.100.0.0/24 as a local network on vlan 2. But you also have a static route that indicates that 192.100.0.0 is a network at the main site. I suggest that you should remove that static route.

Your post is pretty clear that the tunneling for data traffic is working ok. And the config seems to be set up ok for tunneling the voice traffic. So my question is whether the main site also has the correct configuration to tunnel the traffic for 192.100.0.0 in addition to 192.200.0.0.

HTH

Rick

466
Views
0
Helpful
1
Replies
CreatePlease login to create content