03-28-2012 12:34 PM - edited 03-04-2019 03:50 PM
Hello,
I have 3 Cisco 800 series routers and I needed to configure a site-to-site VPN tunnel from branch2 to the main office (the branch 1 VPN was already configured and working). I've managed to get the tunnel up and everything seemed ok, as sh cry isa sa, sh cry session and sh cry ipsec sa didn't seem to show any problems. Although the tunnel is up, I cannot ping PCs on either side of the VPN tunnel. Does anyone have any idea what the problem can be?
I understand that there isn't enough information, but just ask me what you need and I'll send out more.
Thanks in advance.
03-28-2012 12:50 PM
Let's see the router configs from the branch and main office.
Can you ping from the branch router internal interface to the main office subnet?
Can you do the same in the opposite direction?
What's the result?
You need to execute an extended ping for that.
03-28-2012 02:13 PM
Hello,
Thanks for your quick response,
I added the main office config and the branch2 config to the attachment below. Also, I cannot ping from the branch router internal interface to the main office subnet, and that goes both ways.
What do you mean by "You need to execute an extended ping for that." ?
Thank you.
03-28-2012 11:10 PM
Hi,
to test it from the Main router you have to do it like this:
ping 10.9.6.x source 10.9.8.x
That's what was meant by an extended ping: you have to use interesting traffic (declared in your crypto ACL); otherwise it won't even get encrypted, it will get NATed, so it won't work.
Regards.
Alain
03-29-2012 02:42 AM
Hi,
Thanks for the quick response,
I tried to ping from both routers, but no ping went through. Used the command 'ping 10.9.6.1 source 10.9.8.254' and vice versa.
03-29-2012 08:44 AM
Your traffic from HQ to Remote is being NAT'd
ip access-list extended NAT
deny ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
You must have
ip access-list extended NAT
deny ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
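To make the point of the answer above concrete, here is an added example (not from the thread or from Cisco) that evaluates the HQ NAT ACL with IOS first-match semantics against the flows discussed: the before/after ACL text is copied from the thread, and the host addresses are the ones the poster used. It shows that without the second deny line, HQ-to-branch2 traffic falls through to "permit ... any" and is translated before the crypto ACL ever sees it.

```python
import ipaddress

# ACL bodies as posted in the thread (before and after the suggested fix).
NAT_ACL_BEFORE = """\
deny ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
"""
NAT_ACL_AFTER = """\
deny ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    # (assumption: contiguous wildcards only, which covers the thread's ACL).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines into (action, proto, src_net, dst_net) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries

def is_translated(acl, src_ip, dst_ip):
    """NAT ACL semantics: first matching entry wins; 'permit' = translate, 'deny' = exempt; implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False

if __name__ == "__main__":
    for label, text in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        acl = parse_acl(text)
        print(label, "HQ->branch2 translated:", is_translated(acl, "10.9.8.254", "10.9.6.1"))
```

Any flow reported as translated here leaves the router with a public source address, so it no longer matches the crypto ACL and is sent in the clear instead of through the tunnel.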
03-29-2012 12:15 PM
Thanks for the response,
I wondered about that myself and went ahead with the changes.
Still can't get the ping through.
It now looks like:
ip access-list extended NAT
deny ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
03-29-2012 02:47 PM
Looking at your config once again, on the HQ router you have ip nat inside|outside on the interfaces but you don't have a global ip nat command indicating what to translate; you should correct that.
Additionally, you've configured overlapping subnets.
interface GigabitEthernet0
ip address 194.200.30.10 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map SDM_CMAP_1
!
interface Vlan2
description Guest
ip address 194.200.30.50 255.255.255.0
ip access-group GUEST-ACL in
ip access-group Guest-ACL-out out
ip nat inside
ip virtual-reassembly
03-29-2012 11:37 PM
Thanks a bunch,
As I went to work today, everything was working. I guess yesterday's changes started to work after the restart of the tunnel.
Thanks !