Site To Site VPN - cant access internal LAN

AdiMahluf
Level 1

Hello friends,

Recently I configured a site-to-site IPsec VPN between my ISR4331 router at the main office and a Fortigate unit at one of our branches.
The tunnel comes up fine, but the one problem I'm facing is reaching the internal LAN on either side, while pinging the D.G. works just fine.
When inspecting the configuration on the Cisco side, I found a few lines that relate to the problem:

1. ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/0/1 overload

2. route-map WAN2-NAT permit 10
    match ip address EXIT-WAN2

3. ip access-list extended EXIT-WAN2
    permit ip host 10.10.10.32 any
    permit ip host 10.10.10.50 any

When I remove the route map, pings from both sides reach the other side's internal LAN, but some of the IP addresses can't exit through WAN2 anymore. Since I need those specific IP addresses to exit through WAN2 and not WAN1 (on another physical port), I can't remove it.

Any suggestions for a configuration change?

Thank you in advance

4 Replies

Dennis Mink
VIP Alumni

I am assuming you want the traffic across the IPsec tunnel NOT to be NATed.

So, above your rule:

ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/0/1 overload

put a more specific rule that does a no-NAT, i.e. source and destination remain original and are not translated. Stick this rule above your overload rule and it should get preference.

Please remember to rate useful posts, by clicking on the stars below.

Francesco Molino
VIP Alumni
Hi

You can add, at the first position of your ACL, a line that does:
deny ip <local-lan-subnet> <wildcard> <remote-lan-subnet> <wildcard>


In this ACL you only have 2 IPs, which means the others should already be able to ping the remote LAN. Have you tried?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your reply Francesco!

Your suggestion did work for me.

Maybe it's because I'm not a specialist in this area of Cisco, but I'm left wondering: if I deny the local subnet to the remote subnet, how come the connection now works? It should deny and not allow, shouldn't it?

Thank you again

When you have a NAT access-list, a permit tells the router to actually NAT the traffic hitting that ACE. A deny tells it not to NAT this traffic.
On this NAT interface some traffic needs to be NATed and some not; that's why you put all the deny statements at the beginning and the permit statements after them.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question