topic VPN -- Point to Point Connection Routing. in Network Security

VPN -- Point to Point Connection Routing.

Pratik Prajapati — Mon, 11 Mar 2019 21:54:03 GMT

The VPN is up and running between Site C and Site A. No problem there.

I can ping 10.2.24.1 from Site A P2P Router.

But I cannot ping from Site B P2P Router. The ping times out.

I have the following routes on 3 routers,

Site A P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3

Site B P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3

Site B Router Gateway: ip route 10.2.24.0 255.255.255.0 172.16.5.3

When i start a ping from 172.20.3.0/24 network, Site C see the ping coming from 172.20.3.0 network and sends out a reply. But I never get a reply and i get a request timed out.

My task is that i should be able to ping Site C from any machine at Site B

VPN -- Point to Point Connection Routing.

andrew.prince — Tue, 22 Nov 2011 14:50:25 GMT

Your next hops should be 1 away unless you are running a dynamic routing protocol.

Change:-

Site B P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3 change to

ip route 10.2.24.0 255.255.255.0 172.16.1.5

Site B Router Gateway: ip route 10.2.24.0 255.255.255.0 172.16.5.3 change to

ip route 10.2.24.0 255.255.255.0 172.20.3.2

And ensure the correct IP subnets are part of the interesting traffic acl and the no-nat acl.

HTH>

VPN -- Point to Point Connection Routing.

Pratik Prajapati — Tue, 22 Nov 2011 15:44:29 GMT

I changed the routes to what you suggested. but still its the same. The ping to Site C network times out if i do from a Site B machine.

Any other suggestion?

VPN -- Point to Point Connection Routing.

andrew.prince — Tue, 22 Nov 2011 15:48:49 GMT

Post the output from a traceroute from the Site B Machine. And check to make sure the site B IP subnet is on the list of interesting traffic for the VPN, and it is not be double natted.

VPN -- Point to Point Connection Routing.

Pratik Prajapati — Tue, 22 Nov 2011 16:15:14 GMT

I cannot do a traceroute becuase the guy who manages Site C has disabled tracerouting. When I ping Site C from Site B, Site C does see that the packet is coming from Site B and sends out a reply. But I receive a 'request timed out' on Site B. So it seems like the packet gets dropped between Site A P2P router and Site B P2P router.

VPN -- Point to Point Connection Routing.

andrew.prince — Tue, 22 Nov 2011 16:37:41 GMT

How is that possible - if someone else manages site C, how can you see site C respond? What firewalls terminate the VPN?

VPN -- Point to Point Connection Routing.

Pratik Prajapati — Tue, 22 Nov 2011 16:41:22 GMT

He said to me that he can see traffic coming from Site B. Both firewalls at Site A and Site C are Cisco ASAs

VPN -- Point to Point Connection Routing.

andrew.prince — Tue, 22 Nov 2011 16:44:43 GMT

Something does not sounds right.

Post the output from the command "show crypto ipsec sa" from both devices, and "show access-list" from both devcies

VPN -- Point to Point Connection Routing.

Pratik Prajapati — Tue, 22 Nov 2011 21:30:38 GMT

Andrew,

Found the issue. I was missing a route on Firewall Site A to send Site B traffic via the Core Switch at Site A. Core Switch does the routing. Adding that everything started working.

Thanks for your help!!!

Pratik

Re: VPN -- Point to Point Connection Routing.

andrew.prince — Tue, 22 Nov 2011 21:36:45 GMT

good news

Sent from Cisco Technical Support iPad App