11-05-2020 05:37 AM - edited 11-05-2020 05:55 AM
Hi everyone,
You'll have to forgive me.
My configs worked on my first router on the first branch but on my second branch router, things are not going as planned.
I can receive internet from my firewall at 10.10.1.1 to my branch LAN on 10.10.3.0/24 but I cannot reach the 10.10.1.0/24 from the branch network even though it's allowed on the firewall.
=====================================================================================
ip source-route
!
!
ip dhcp relay information option
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.3.253
ip dhcp excluded-address 10.10.3.252
ip dhcp excluded-address 10.10.3.1 10.10.3.50
!
ip dhcp pool KITWE-POOL
network 10.10.3.0 255.255.255.0
default-router 10.10.3.3
dns-server 10.10.1.4
!
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface FastEthernet0
switchport access vlan 10
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 10
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface FastEthernet4
switchport access vlan 10
!
!
interface FastEthernet5
switchport access vlan 10
!
!
!
interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description Internet
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan10
ip address 10.10.3.3 255.255.255.0
ip helper-address 10.10.3.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip forward-protocol nd
ip forward-protocol udp talk
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 111 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 0.0.0.0 0.0.0.0 FastEthernet8 192.168.124.1 2
ip route 10.10.1.0 255.255.255.0 192.168.124.2
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9
!
access-list 111 permit ip 10.10.3.0 0.0.0.255 any
no cdp run
!
===============================================================================
Network Map attached
11-05-2020 06:01 AM
Hi,
Based on the config, it looks like you don't have a tunnel between locations. At both locations you use NAT, so the statement below is incorrect:
access-list 111 permit ip 10.10.3.0 0.0.0.255 any
Because when you are leaving the 10.10.3.0 network your packets don't have a 10.10.3.0 IP address but a NAT-translated address, so I guess 192.168.124.10, so this address should be allowed on the firewall, not your internal IP address.
11-05-2020 06:14 AM
Hi @kubn2 ,
thank you for your quick response.
You are right about the NAT; I have actually allowed the entire 192.168.124.8/30 network. It should work, but it's not.
Also when I say
->access-list 111 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
I fail to ping 10.10.1.1. So let me mention that I can reach 10.10.1.1 but not beyond that.
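The exchange above turns on which source address the firewall sees after ACL 111 decides whether a packet is NATed. As an added illustration (not part of the thread or of any Cisco code), the following Python models the IOS wildcard-mask match and the `ip nat inside source list 111 ... overload` decision from the posted config, using the access list as posted and the variant with the deny line tried above; the host addresses 10.10.3.20 and 10.10.1.4 are constructed sample values.

```python
import ipaddress

# Constructed mini-model of the thread's NAT setup (not Cisco code):
# "ip nat inside source list 111 interface FastEthernet8 overload"
NAT_OUTSIDE_ADDR = "192.168.124.10"   # FastEthernet8 address from the posted config


def wildcard_match(addr, base, wildcard):
    """IOS-style match: address bits where the wildcard has a 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """Walk the ACEs top-down; first match wins; implicit deny at the end."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def nat_source(acl, src, dst):
    """Source address the far side sees after inside->outside NAT overload."""
    return NAT_OUTSIDE_ADDR if acl_permits(acl, src, dst) else src


# "any" is the same as 0.0.0.0 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 111 permit ip 10.10.3.0 0.0.0.255 any   (as posted)
ACL_AS_POSTED = [("permit", "10.10.3.0", "0.0.0.255", *ANY)]

# Same list with the deny line from the reply above placed in front of it
ACL_WITH_DENY = [
    ("deny", "10.10.3.0", "0.0.0.255", "10.10.1.0", "0.0.0.255"),
    ("permit", "10.10.3.0", "0.0.0.255", *ANY),
]

if __name__ == "__main__":
    # Constructed: branch host 10.10.3.20 talking to HQ DNS server 10.10.1.4
    print(nat_source(ACL_AS_POSTED, "10.10.3.20", "10.10.1.4"))  # 192.168.124.10
    print(nat_source(ACL_WITH_DENY, "10.10.3.20", "10.10.1.4"))  # 10.10.3.20
    print(nat_source(ACL_WITH_DENY, "10.10.3.20", "8.8.8.8"))    # 192.168.124.10
```

With the list as posted, HQ-bound traffic arrives at the firewall from 192.168.124.10, so that address (or its /30) is what the firewall rule must match; with the deny line in front, the same traffic arrives untranslated from 10.10.3.x, which HQ can only answer if it has a route back to 10.10.3.0/24.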
11-05-2020 06:16 AM
Hello,
post the zipped Packet Tracer project (.pkt) file here...
11-05-2020 06:22 AM
Hi @Georg Pauwen ,
The project is not in PT, I just used that picture to show what the network map looks like.
11-05-2020 06:23 AM
R-ASA-R? The ASA is also a router, so
R-R-R needs a routing protocol.
11-05-2020 06:35 AM
Hi @MHM Cisco World ,
That is just supposed to represent my Sophos XG firewall.