1841 VPN Tunnel, cannot access remote lan from router

Andrew Norman
Level 1

I can ping across the tunnel from the PCs on either end of the tunnel, but I can't ping across the tunnel from the routers. If I ping using the source command with the LAN interface, the ping is successful.

The reason I need this is for the remote router to be able to look up the head office server for DNS, WINS and LDAP.

4 Replies

cadet alain
VIP Alumni

Hi,

I think this is normal behaviour, because your crypto map is for LAN to LAN, so when pinging from the outside interface of the router:

1) you don't match the crypto map, so the traffic doesn't go into the IPsec tunnel

2) the destination is a private address, so it is unroutable.

So to do this, on your LAN router where the server resides you must do static PAT, e.g. ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80

and ping this NATted address.

Can you post sh ip nat trans for the server side router, as well as sh crypto map and sh access-list on the router you are pinging from.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain

Thanks for your reply.

I understand what you are saying, but I can't get access to the server side router as it is hosted by Telstra and is inside our "cloud".

It just interests me that I can ping the router using "pi 172.10.10.9 source fa0/1", where 172.x.x.x is the head office server and fa0/1 is the LAN IP of my router.

I tried to add "ip route 172.10.10.9 255.255.255.255 fa0/1"; I suppose in my mind it would work, but it doesn't.

Cheers

Hi,

pi 172.10.10.9 source fa0/1

for this traffic to use the tunnel, your crypto ACL must permit traffic from the f0/1 subnet to 172.10.10.9, and there must be a mirrored crypto ACL on the other peer router.

Can you post sh crypto map and sh access-list.

I tried to add "ip route 172.10.10.9 255.255.255.255 fa0/1"; I suppose in my mind it would work, but it doesn't.

It won't work for sure, as 172.10.10.9 is not on the f0/1 side.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Andrew,

Please check the access-list which you applied under the VPN tunnel.

In the access-list you should permit your router's network / host to access the remote server (172.10.10.9).

Assume your router's network is 192.168.2.0; then the access-list would be.....

permit ip 192.168.2.0 0.0.0.255 host 172.10.10.9

Then you should be able to ping the remote VPN tunnel LAN server.

Regards,

Naidu.
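The point Alain and Naidu make (a router-sourced ping only enters the tunnel when its source address falls inside the local crypto ACL, and the peer holds the mirrored ACL) as an added Python model, not code from this thread. The LAN address 192.168.2.1, the outside address 203.0.113.10 and the ACL itself are constructed; only 172.10.10.9 comes from the thread.

```python
# Added example: models Cisco wildcard-mask matching for a crypto ACL and checks
# whether a router-originated ping would be selected for the IPsec tunnel.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def crypto_acl_permits(acl, src: str, dst: str) -> bool:
    """True if any ACE (src_net, src_wild, dst_net, dst_wild) matches src -> dst."""
    return any(wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)
               for sn, sw, dn, dw in acl)


def mirror(acl):
    """The peer router must hold the same ACL with source and destination swapped."""
    return [(dn, dw, sn, sw) for sn, sw, dn, dw in acl]


def ping_enters_tunnel(src_ip: str, dst_ip: str, local_acl, peer_acl) -> bool:
    """A ping goes through the tunnel only if the local crypto ACL selects it
    and the peer's crypto ACL selects the reply (the mirrored flow)."""
    return (crypto_acl_permits(local_acl, src_ip, dst_ip)
            and crypto_acl_permits(peer_acl, dst_ip, src_ip))


# Constructed branch-side crypto ACL, the shape Naidu suggests:
#   access-list 100 permit ip 192.168.2.0 0.0.0.255 host 172.10.10.9
BRANCH_ACL = [("192.168.2.0", "0.0.0.255", "172.10.10.9", "0.0.0.0")]
HEAD_OFFICE_ACL = mirror(BRANCH_ACL)   # assumed mirrored on the Telstra side

LAN_IP = "192.168.2.1"      # constructed: branch fa0/1 (LAN) address
WAN_IP = "203.0.113.10"     # constructed: branch outside-interface address
SERVER = "172.10.10.9"      # head office server from the thread


def main() -> None:
    for label, src in (("source fa0/1", LAN_IP), ("source outside", WAN_IP)):
        ok = ping_enters_tunnel(src, SERVER, BRANCH_ACL, HEAD_OFFICE_ACL)
        print(f"ping {SERVER} {label} ({src}): {'tunnelled' if ok else 'NOT tunnelled'}")


if __name__ == "__main__":
    main()
```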