04-23-2008 11:06 PM - edited 02-21-2020 01:59 AM
Hi, I have 2 Cisco 1811 routers with the Advanced IP Services IOS on them. I currently have it running with everything communicating properly, but I need to add another VLAN to each router and can't get it to recognize it. Here is the setup:
R1 Vlan1 is 10.10.10.0/24 network
R2 Vlan1 is 10.10.20.0/24 network
over IPSEC VPN Tunnel
I need to add a Vlan2 10.7.1.0/24 network on R1
and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.
I already created the VLANs in the VLAN database and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing? I am positive I configured the access lists wrong or something.
Please help!
Thank you
Domenick
04-25-2008 02:55 AM
Domenick,
Can you supply the configs please, with sensitive information removed of course!
04-25-2008 06:33 AM
04-25-2008 06:47 AM
Do you only want the new VLANs to talk to each other over the VPN, or do you want VLAN 1 on both sites to be able to route also?
04-25-2008 08:53 AM
Yes, I need both VLAN 1 and VLAN 2 to route over the VPN.
04-26-2008 01:27 AM
I would add:-
R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Current:-
!
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
ADD to the above ACL the below:-
permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
!
Current:-
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ADD to the above ACL the below:-
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Current:-
!
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
remark IPSec Rule
permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
!
ADD to the above ACL the below:-
permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
Current:-
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
ADD to the above ACL the below:-
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
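A crypto ACL only brings a flow up in both directions when the peer's ACL holds the exact reverse entry, which is why each line above has a twin on the other router. Here is an added check (not code from the thread or from Cisco) that parses the IOS extended ACL form used here and reports any entry whose mirror is missing on the other side; the embedded ACL text is constructed from the SDM_2 entries above, including the added lines, and the variable names are assumed:

```python
"""Check that two IPsec crypto ("interesting traffic") ACLs mirror each other.
Constructed sample: both routers' SDM_2 entries from the thread, including
the lines the reply adds on each side; names and values are assumed."""
import ipaddress
import re

# "permit <proto> <src> <wildcard> <dst> <wildcard>", the only ACE form used here.
ACE_RE = re.compile(r"^\s*permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_to_network(addr, wildcard):
    """An IOS wildcard such as 0.0.0.255 is the bitwise inverse of the subnet mask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(text):
    """Set of (proto, src_net, dst_net) flows the ACL permits; remark lines are skipped."""
    flows = set()
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        proto, src, swc, dst, dwc = m.groups()
        flows.add((proto, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return flows

def mirror_gaps(local_acl, peer_acl):
    """Return (missing_on_peer, missing_on_local): flows on one side whose reverse
    (dst -> src) is absent on the other, i.e. traffic that would be one-way only."""
    local, peer = parse_acl(local_acl), parse_acl(peer_acl)
    missing_on_peer = {f for f in local if (f[0], f[2], f[1]) not in peer}
    missing_on_local = {f for f in peer if (f[0], f[2], f[1]) not in local}
    return missing_on_peer, missing_on_local

R1_SDM_2 = """\
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
"""
R2_SDM_2 = """\
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for side, gaps in zip(("R2", "R1"), mirror_gaps(R1_SDM_2, R2_SDM_2)):
        for proto, src, dst in sorted(gaps, key=str):
            print(f"{side} lacks the mirror of: permit {proto} {src} -> {dst}")
```

With the four entries per side as listed, the check reports no gaps; drop one line from either ACL and it names the one-way flow.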
04-28-2008 12:28 PM
I added all the ACLs described, but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network, or back and forth.
04-28-2008 02:13 PM
Are the ACLs being hit? Provide the output of "show access-list".
Can you see the IPsec SA with the new ACLs in it? Provide the output of "sh crypto ipsec sa".
04-28-2008 03:49 PM
04-29-2008 12:33 AM
The encryption domains are in the IPsec SA = good. No packets encrypted or decrypted = bad.
The ACLs for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.
Add "ip nat inside" to the VLAN 2 interfaces on both sites.
04-29-2008 06:22 AM
I added the "ip nat inside" and it seems that there is some activity going on. I still can't ping a host on either network from either router, but then again I can't ping any host from any router on the opposite side. Any insight into that?
I have attached the output of the show access-list command and the show crypto again.
04-29-2008 06:52 AM
The ACLs are being hit; you are no longer NATing the internal IP-to-IP traffic. The crypto SA looks OK, apart from some packet number mismatch.
What debugging have you done? Have you performed any traceroutes? Have you debugged the IP NAT? Have you debugged any ICMP? All of these will give an idea of what the issue could be.
You may want to try clearing down the IPsec VPN and letting the routers form a new one; this sometimes helps.