Site-to-site VPN tunnel is up, but cannot ping PC-s on either end

Inneedofhelp
Level 1

Hello,

I've 3 Cisco 800 series routers and I needed to configure a site-to-site VPN tunnel from branch2 to the main office (the branch1 VPN was already configured and working). I've managed to get the tunnel up and everything seemed OK, as sh cry isa sa, sh cry session and sh cry ipsec sa didn't seem to show any problems. Although the tunnel is up, I cannot ping PCs on either side of the VPN tunnel. Does anyone have any idea what the problem can be?

I understand that there isn't enough information, but just ask me what you need and I'll send out more.

Thanks in advance.


Edison Ortiz
Hall of Fame

Let's see the router configs from the branch and main office.

Can you ping from the branch router internal interface to the main office subnet?

Can you do the same in the opposite direction?

What's the result?

You need to execute an extended ping for that.

Hello,

Thanks for your quick response,

I added the main office config and the branch2 config to the attachment below. Also, I cannot ping from the branch router internal interface to the main office subnet, and that goes both ways.

What do you mean by  "You need to execute an extended ping for that." ?

Thank you.

Hi,

To test it from the main router you have to do it like this:

ping 10.9.6.x source 10.9.8.x

That's what was meant by extended ping, because you have to use interesting traffic (declared in your crypto ACL); otherwise it won't even get encrypted and it will get NATed, so it won't work.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Thanks for the quick response,

I tried to ping from both routers, but no ping went through. I used the command 'ping 10.9.6.1 source 10.9.8.254' and vice versa.

Accepted Solution

Your traffic from HQ to Remote is being NAT'd:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

You must have:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
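The two points made in this thread so far, Alain's extended ping and the missing NAT exemption above, are the same mechanism seen from two sides: on an IOS router the inside-to-outside NAT translation is applied before the crypto map is consulted, so a packet that the NAT ACL permits is compared against the crypto ACL with the WAN address as its source and never becomes interesting traffic. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the two versions of the NAT ACL quoted above, models first-match ACL evaluation with the implicit deny, and walks the four cases discussed (HQ host to branch-2 host before and after the fix, and a router ping with and without a source address). The crypto ACL name VPN-BRANCH2 and its single entry are an assumption; the thread never shows the crypto ACL, only that the tunnel is up.

```python
import ipaddress

# Addresses as quoted in the thread: HQ LAN 10.9.8.0/24, branch-1 LAN
# 10.9.9.0/24, branch-2 LAN 10.9.6.0/24, HQ WAN address 194.200.30.10.
HQ_OUTSIDE = "194.200.30.10"

# Constructed from the thread: the HQ NAT ACL as first posted, and the same
# ACL with the missing exemption for the branch-2 LAN added.
NAT_ACL_BEFORE = """
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
NAT_ACL_AFTER = """
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
# ASSUMED crypto ACL for the branch-2 tunnel (not shown anywhere in the thread).
CRYPTO_ACL_BRANCH2 = """
ip access-list extended VPN-BRANCH2
 permit ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a netmask. Only contiguous
    wildcards are supported; anything else is rejected rather than guessed.
    """
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{32 - inv.bit_length()}", strict=False)


def _take_address(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse an 'ip access-list extended' body into (action, proto, src, dst) entries.

    Only the 'permit|deny ip SRC DST' form used in the thread is handled.
    """
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):  # list header or comment
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_address(rest)
        dst, _ = _take_address(rest)
        aces.append((action, proto, src, dst))
    return aces


def first_match(aces, src, dst):
    """IOS ACL semantics: the first matching entry decides; implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, proto, snet, dnet in aces:
        if proto == "ip" and s in snet and d in dnet:
            return action
    return "deny"


def outbound_path(nat_acl, crypto_acl, src, dst, outside_ip=HQ_OUTSIDE):
    """Model the inside-to-outside order of operations on the HQ router.

    NAT runs before the crypto map is checked, so a packet the NAT ACL permits
    leaves with the WAN address as its source, and that translated source is
    what gets compared against the crypto ACL. A 'deny' in the NAT ACL means
    'do not translate', which is what keeps VPN traffic interesting.
    """
    natted = first_match(nat_acl, src, dst) == "permit"
    src_on_wire = outside_ip if natted else src
    encrypted = first_match(crypto_acl, src_on_wire, dst) == "permit"
    return {"src_on_wire": src_on_wire, "natted": natted, "encrypted": encrypted}


def scenarios():
    """The cases discussed in the thread, from the HQ router's point of view."""
    before, after = parse_acl(NAT_ACL_BEFORE), parse_acl(NAT_ACL_AFTER)
    crypto = parse_acl(CRYPTO_ACL_BRANCH2)
    return {
        # HQ host to a branch-2 host with the NAT ACL as first posted
        "lan_to_branch2_before": outbound_path(before, crypto, "10.9.8.254", "10.9.6.1"),
        # same flow once the 10.9.8.0/24 -> 10.9.6.0/24 exemption is in place
        "lan_to_branch2_after": outbound_path(after, crypto, "10.9.8.254", "10.9.6.1"),
        # 'ping 10.9.6.1' on the router with no 'source': sourced from the WAN IP
        "router_ping_no_source": outbound_path(after, crypto, HQ_OUTSIDE, "10.9.6.1"),
        # 'ping 10.9.6.1 source 10.9.8.254': the extended ping Alain suggested
        "router_ping_with_source": outbound_path(after, crypto, "10.9.8.254", "10.9.6.1"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} natted={result['natted']!s:5s} encrypted={result['encrypted']}")
```

Running it shows the "before" flow leaving as 194.200.30.10 and missing the crypto ACL, the "after" flow staying untranslated and being encrypted, and the router ping only becoming interesting when a LAN source address is given. The model covers only the NAT-before-crypto ordering; it does not check that a global ip nat inside source rule exists, which is a separate point raised later in the thread.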

Thanks for the response,

I wondered about that myself and went ahead with the changes.

Still can't get the ping through.

It now looks like:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

Looking at your config once again from the HQ router, you have ip nat inside|outside on the interfaces but you don't have a global ip nat command indicating what to translate, you should correct that.

Additionally, you've configured overlapping subnets.

interface GigabitEthernet0
 ip address 194.200.30.10 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 10
 crypto map SDM_CMAP_1
!
interface Vlan2
 description Guest
 ip address 194.200.30.50 255.255.255.0
 ip access-group GUEST-ACL in
 ip access-group Guest-ACL-out out
 ip nat inside
 ip virtual-reassembly
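Both findings in the reply above (interfaces marked ip nat inside/outside with no global ip nat inside source rule, and two interfaces whose subnets overlap) are the kind of thing that is easy to miss reading a long config by eye. The following is an added example, not code from the thread or from Cisco: a small lint that parses a config excerpt modelled on the HQ interfaces quoted above, reports every pair of interfaces whose connected subnets overlap, and flags NAT-marked interfaces when no translation rule is present. The Vlan1 interface with 10.9.8.254/24 is an assumption added so there is a non-overlapping case; the thread does not show that interface.

```python
import ipaddress
import re

# Constructed excerpt modelled on the HQ interfaces quoted in the thread.
# The Vlan1 entry is an assumption added to give the check a clean interface.
HQ_CONFIG = """
interface GigabitEthernet0
 ip address 194.200.30.10 255.255.255.224
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Vlan1
 description LAN
 ip address 10.9.8.254 255.255.255.0
 ip nat inside
!
interface Vlan2
 description Guest
 ip address 194.200.30.50 255.255.255.0
 ip nat inside
!
"""


def interface_addresses(config):
    """Return [(interface name, IPv4Interface)] for each 'ip address A M' line."""
    found, current = [], None
    for line in config.splitlines():
        head = re.match(r"^interface (\S+)", line)
        if head:
            current = head.group(1)
            continue
        addr = re.match(r"^\s+ip address (\S+) (\S+)\s*$", line)
        if addr and current:
            # IPv4Interface accepts 'address/netmask' directly
            found.append((current, ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}")))
    return found


def overlapping_interfaces(config):
    """Every pair of interfaces whose connected subnets overlap, in config order."""
    addrs = interface_addresses(config)
    pairs = []
    for i, (name_a, if_a) in enumerate(addrs):
        for name_b, if_b in addrs[i + 1:]:
            if if_a.network.overlaps(if_b.network):
                pairs.append((name_a, str(if_a.network), name_b, str(if_b.network)))
    return pairs


def nat_marked_without_rule(config):
    """True when some interface carries 'ip nat inside' or 'ip nat outside' but
    no global 'ip nat inside source ...' / 'ip nat outside source ...' rule
    says what to translate (the point raised in the reply above)."""
    marked = re.search(r"^\s+ip nat (inside|outside)\s*$", config, re.M) is not None
    rule = re.search(r"^ip nat (inside|outside) source ", config, re.M) is not None
    return marked and not rule


def lint(config):
    """Run both checks and return the findings as plain data."""
    return {"overlaps": overlapping_interfaces(config),
            "nat_without_rule": nat_marked_without_rule(config)}


if __name__ == "__main__":
    report = lint(HQ_CONFIG)
    for a, net_a, b, net_b in report["overlaps"]:
        print(f"overlap: {a} {net_a} <-> {b} {net_b}")
    if report["nat_without_rule"]:
        print("ip nat inside/outside set but no 'ip nat inside source' rule found")
```

On the sample it reports GigabitEthernet0 194.200.30.0/27 against Vlan2 194.200.30.0/24 and the missing translation rule; adding a line such as "ip nat inside source list NAT interface GigabitEthernet0 overload" to the config clears the second finding. The overlap check is purely about addressing; it does not say which of the two subnets is the wrong one.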

Thanks a bunch,

As I went to work today, everything was working. I guess yesterday's changes started to work after the restart of the tunnel.

Thanks !
