
Cannot reach LAN after P2P connection

Jonathan Nali
Level 1

Hi everyone,

You'll have to forgive me.

My configs worked on my first router at the first branch, but on my second branch router things are not going as planned.

I can receive internet from my firewall at 10.10.1.1 to my branch LAN on 10.10.3.0/24, but I cannot reach 10.10.1.0/24 from the branch network even though it's allowed on the firewall.

=====================================================================================

ip source-route
!
!
ip dhcp relay information option
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.3.253
ip dhcp excluded-address 10.10.3.252
ip dhcp excluded-address 10.10.3.1 10.10.3.50
!
ip dhcp pool KITWE-POOL
network 10.10.3.0 255.255.255.0
default-router 10.10.3.3
dns-server 10.10.1.4
!
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface FastEthernet0
switchport access vlan 10
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 10
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface FastEthernet4
switchport access vlan 10
!
!
interface FastEthernet5
switchport access vlan 10
!
!
!
interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description Internet
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan10
ip address 10.10.3.3 255.255.255.0
ip helper-address 10.10.3.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip forward-protocol nd
ip forward-protocol udp talk
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 111 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 0.0.0.0 0.0.0.0 FastEthernet8 192.168.124.1 2
ip route 10.10.1.0 255.255.255.0 192.168.124.2
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9
!
access-list 111 permit ip 10.10.3.0 0.0.0.255 any
no cdp run

!

===============================================================================

Network Map attached


6 Replies

kubn2
Level 1

Hi,

Based on the config, it looks like you don't have a tunnel between the locations. In both locations you use NAT, so the statement below is incorrect:

access-list 111 permit ip 10.10.3.0 0.0.0.255 any

Because when you leave the 10.10.3.0 network your packets don't have a 10.10.3.0 IP address; they have the NAT-translated address, which I guess is 192.168.124.10, so this address should be allowed on the firewall, not your internal IP address.

Hi @kubn2 ,

thank you for your quick response.

You are right about the NAT; I have actually allowed the entire 192.168.124.8/30 network. It should work, but it's not.

Also when I say 

->access-list 111 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255

I fail to ping 10.10.1.1. So let me mention that I can reach 10.10.1.1 but not beyond that.
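The two replies above turn on a single question: for a packet leaving the branch LAN, what source address does the next hop see, and which interface and next hop does the router actually use? The script below is an added example written for this thread, not something either poster ran. It models, in Python, the IOS behaviour that decides this: first-match evaluation of the extended ACL 111 with wildcard masks and the implicit deny, the "permit means translate to the outside interface address" rule of `ip nat inside source list 111 interface FastEthernet8 overload`, and longest-prefix route lookup with recursive resolution of static next hops. The ACL entries, interface address, connected networks and static routes are copied from the posted config; the second ACL variant is the `deny` line the original poster tried in the previous reply. The test addresses (10.10.3.20, 10.10.1.4, 8.8.8.8) are constructed for the example.

```python
import ipaddress

# ACL 111 as posted in the branch router config (copied from the thread).
BRANCH_ACL = [
    "access-list 111 permit ip 10.10.3.0 0.0.0.255 any",
]
# The variant the original poster tried in a later reply: deny branch->HQ before the permit.
BRANCH_ACL_WITH_DENY = [
    "access-list 111 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255",
    "access-list 111 permit ip 10.10.3.0 0.0.0.255 any",
]
NAT_OUTSIDE_IP = "192.168.124.10"  # FastEthernet8, the 'ip nat outside' interface in the config

# Connected networks and static routes from the same config: (prefix, next hop, admin distance).
CONNECTED = {"10.10.3.0/24": "Vlan10", "192.168.124.8/30": "FastEthernet8", "3.3.3.3/32": "Loopback0"}
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.168.124.1", 1),
    ("0.0.0.0/0", "192.168.124.1", 2),
    ("10.10.1.0/24", "192.168.124.2", 1),
    ("192.168.124.0/30", "192.168.124.9", 1),
    ("192.168.124.8/30", "192.168.124.9", 1),
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one address term of an extended ACE; returns ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> permit|deny ip <src-term> <dst-term>' (ip-only ACEs, as in the config)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return tokens[2], src, dst


def _wildcard_match(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_decision(acl_lines, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for line in acl_lines:
        action, src_spec, dst_spec = parse_ace(line)
        if _wildcard_match(src_spec, s) and _wildcard_match(dst_spec, d):
            return action
    return "deny"


def source_seen_upstream(acl_lines, src, dst):
    """With 'ip nat inside source list 111 interface FastEthernet8 overload', a permit in the
    list means the packet leaves with the outside interface address; a deny leaves it untouched."""
    return NAT_OUTSIDE_IP if acl_decision(acl_lines, src, dst) == "permit" else src


def lookup(dst):
    """Longest-prefix match over connected and static routes; connected (AD 0) wins equal prefixes."""
    best, target = None, ipaddress.IPv4Address(dst)
    for prefix, iface in CONNECTED.items():
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, None, iface, 0)
    for prefix, nh, ad in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if target not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen or (
            net.prefixlen == best[0].prefixlen and ad < best[3]
        ):
            best = (net, nh, None, ad)
    return best


def resolve(dst, max_depth=8):
    """Follow recursive static routes until a connected interface is reached.
    Returns (matched prefixes in order, egress interface, directly connected next hop)."""
    path, hop = [], dst
    for _ in range(max_depth):
        route = lookup(hop)
        if route is None:
            return path, None, None
        net, nh, iface, _ad = route
        path.append(str(net))
        if iface is not None:  # landed on a connected network: done
            return path, iface, hop
        hop = nh  # static route whose next hop is not connected: recurse on it
    return path, None, None  # too deep or looping


if __name__ == "__main__":
    for acl in (BRANCH_ACL, BRANCH_ACL_WITH_DENY):
        print(acl[0], "=>", source_seen_upstream(acl, "10.10.3.20", "10.10.1.4"))
    print(resolve("10.10.1.4"))
```

Running it shows the point made by kubn2: with the posted ACL a branch host talking to 10.10.1.4 is seen upstream as 192.168.124.10, while with the `deny` line in front it keeps its 10.10.3.x address; the route trace shows that 10.10.1.0/24 is reached through two levels of static-route recursion before it lands on FastEthernet8 with next hop 192.168.124.9. Both are the things to compare against the firewall's rule base and its own routes for 10.10.3.0/24.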

Hello,

post the zipped Packet Tracer project (.pkt) file here...

Hi @Georg Pauwen ,

The project is not in PT, I just used that picture to show what the network map looks like.

R-ASA-R? ASA is also a router, so
R-R-R needs a routing protocol.

Hi @MHM Cisco World ,

That is just supposed to represent my Sophos XG firewall.