Trouble in Configuring site to site VPN with multiple subnets

cenzatech
Level 1

Hi,

We have configured a VPN on our Cisco 2911 router. I have 4 VLANs in my network. I successfully created the tunnels. From one VLAN I am able to access the resources through the VPN, but not from the other VLANs. Below is the configuration of my router. Can anyone suggest how to configure this?

crypto logging ezvpn
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXX no-xauth
crypto isakmp keepalive 3600 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set Default esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toXXXXXXXXX
 set peer XXXXXXXXXXXX
 set transform-set Default
 match address 101
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
 ip address 192.168.8.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Loadbalance
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address XXXXXXXXXX 255.255.255.252
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex full
 speed 100
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
 description $FW_OUTSIDE$$ETH-WAN$
 ip address XXXXXXXXXX 255.255.255.252
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no mop enabled
 crypto ipsec df-bit clear
!
interface FastEthernet0/0/0
 description TATA WAN IP
 ip address XXXXXXXXXXX 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 300
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXX
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXX
ip route 192.168.2.0 255.255.255.0 192.168.8.200
ip route 192.168.3.0 255.255.255.0 192.168.8.200
ip route 192.168.4.0 255.255.255.0 192.168.8.200
ip route 192.168.5.0 255.255.255.0 192.168.8.200
ip route 192.168.6.0 255.255.255.0 192.168.8.200
ip route 192.168.7.0 255.255.255.0 192.168.8.200
ip route 192.168.8.0 255.255.255.0 192.168.8.200
ip route 192.168.9.0 255.255.255.0 192.168.8.200
!
ip access-list extended nat
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   tcp 192.168.0.0 0.0.255.255 XXXXXXXXXX 0.0.0.255 log
 deny   ip host 192.168.4.2 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip object-group WC&AIT any
 permit ip host 192.168.6.24 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 deny   ip any any
ip access-list extended nat1
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   tcp 192.168.0.0 0.0.255.255 XXXXXXXX 0.0.0.255 log
 permit ip object-group AIT any
 permit ip host 192.168.4.2 any
 permit ip object-group ALC any
 deny   ip any any
!
ip sla 1
 icmp-echo XXXXXXXXX source-interface GigabitEthernet0/1
 frequency 5000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo XXXXXXXXXX source-interface GigabitEthernet0/2
 frequency 5000
ip sla schedule 2 life forever start-time now
logging 192.168.4.4
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit tcp 192.168.0.0 0.0.255.255 XXXXXXXXX 0.0.0.255 log
!
no cdp run

3 Replies

Richard Burts
Hall of Fame

Your post says that you have 4 VLANs, and I see 4 interfaces and 4 subnets (but not defined as VLANs).

Your crypto configuration uses an access list to identify traffic for the VPN, and the access list selects packets with a source address of 192.168.n.n. There is only one interface that matches this.

HTH

Rick

Yes. I have 4 different subnets. My network diagram is as below.

System - L3 switch - Firewall (configured in L2 bridge mode) - Router - Internet.

I configured 192.168.0.0/16 in the access list. That means any traffic from 192.168.0.1 to 192.168.255.255 should match the access list. My subnets are within 192.168.0.0/16. So all the traffic from my subnets should be allowed into that VPN. But this is not happening.

mfurnival
Level 4

Hi,

Your configuration references several route-maps which are not present - notably in the NAT statements. Is this deliberate? NAT will take place before encryption.
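The point about NAT running before encryption is worth seeing in action against the ACLs actually posted above. The script below is an added illustration, not code from the thread or from Cisco: it models the IOS inside-to-outside order (ip nat inside source first, then the crypto map on the egress interface) by evaluating access-list 101 and the extended ACL "nat" from the post with a small wildcard-mask matcher. It assumes that the route-map SDM_RMAP_1 (not shown in the post) matches ACL "nat", uses 10.99.0.0/24 as a stand-in for the redacted remote subnet and 203.0.113.2 as a stand-in for the Gi0/1 WAN address, and leaves out the object-group entries because those groups are not shown. The flows at the bottom are constructed test inputs, not traffic from the poster's network.

```python
"""
Model of how IOS handles an inside->outside packet on the 2911 from the post:
NAT (ip nat inside source) is applied first, then the crypto map on the egress
interface decides whether the (possibly translated) packet is encrypted.

Assumptions (not from the thread):
- route-map SDM_RMAP_1 (not shown in the post) matches the extended ACL "nat";
- the redacted remote VPN subnet is 10.99.0.0/24 and the Gi0/1 WAN address
  (the NAT overload address) is 203.0.113.2; both are stand-ins;
- object-group entries in ACL "nat" are omitted because the groups are not shown.
"""
import ipaddress

REMOTE_VPN_NET = ("10.99.0.0", "0.0.0.255")   # stand-in for "XXXXXXXXX 0.0.0.255"
WAN_ADDR = "203.0.113.2"                       # stand-in for the Gi0/1 address
ANY = ("0.0.0.0", "255.255.255.255")           # IOS "any"


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, proto: str, src: str, dst: str) -> str:
    """First-match evaluation of (action, proto, src, src_wild, dst, dst_wild)
    entries; 'ip' matches every protocol; the implicit deny is modelled at the end."""
    for action, p, snet, swild, dnet, dwild in acl:
        if p not in ("ip", proto):
            continue
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"


# access-list 101 (the crypto ACL) as posted: TCP only, 192.168.0.0/16 -> remote /24
CRYPTO_ACL_101 = [
    ("permit", "tcp", "192.168.0.0", "0.0.255.255", *REMOTE_VPN_NET),
]

# ip access-list extended nat as posted (object-group lines left out);
# a "deny" here means "do not translate", i.e. the NAT exemption
NAT_ACL = [
    ("deny",   "tcp", "192.168.0.0", "0.0.255.255", *REMOTE_VPN_NET),
    ("deny",   "ip",  "192.168.4.2", "0.0.0.0",     *ANY),
    ("permit", "ip",  "192.168.4.0", "0.0.0.255",   *ANY),
    ("permit", "ip",  "192.168.7.0", "0.0.0.255",   *ANY),
    ("permit", "ip",  "192.168.2.0", "0.0.0.255",   *ANY),
    ("permit", "ip",  "192.168.9.0", "0.0.0.255",   *ANY),
    ("permit", "ip",  "192.168.6.24", "0.0.0.0",    *ANY),
    ("permit", "ip",  "192.168.5.0", "0.0.0.255",   *ANY),
    ("permit", "ip",  "192.168.3.0", "0.0.0.255",   *ANY),
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", *ANY),
]


def inside_to_outside(proto: str, src: str, dst: str) -> dict:
    """Walk one inside->outside packet through NAT, then the crypto map on Gi0/1."""
    natted = acl_lookup(NAT_ACL, proto, src, dst) == "permit"
    src_on_wire = WAN_ADDR if natted else src
    encrypted = acl_lookup(CRYPTO_ACL_101, proto, src_on_wire, dst) == "permit"
    return {"natted": natted, "src_on_wire": src_on_wire, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed test flows towards the (stand-in) remote site
    flows = [
        ("tcp",  "192.168.4.10", "10.99.0.5"),   # TCP from a subnet listed in ACL nat
        ("icmp", "192.168.4.10", "10.99.0.5"),   # ping from the same host
        ("tcp",  "192.168.8.10", "10.99.0.5"),   # TCP from the Gi0/0 LAN itself
        ("udp",  "192.168.8.10", "10.99.0.5"),   # UDP (e.g. DNS) from that LAN
    ]
    for proto, src, dst in flows:
        r = inside_to_outside(proto, src, dst)
        print(f"{proto:4} {src:>14} -> {dst:<10} natted={str(r['natted']):5} "
              f"src_on_wire={r['src_on_wire']:<14} encrypted={r['encrypted']}")
```

Two things fall out of running it against the posted ACLs. First, both the crypto ACL and the NAT exemption match only `tcp`, so a ping or any UDP flow towards the remote subnet is never selected for encryption: from a subnet that has a `permit` in ACL "nat" it leaves translated to the WAN address in the clear, and from a subnet with no `permit` (192.168.8.0/24 in the posted list) it leaves untranslated with a private source. Testing the tunnel with ICMP therefore fails from every VLAN regardless of the VPN state. Second, the model is single-exit: it assumes the packet leaves Gi0/1, which is the only interface in the post carrying `crypto map SDM_CMAP_1`. The post also shows three default routes and `ip policy route-map Loadbalance` on Gi0/0 with that route-map not included, so a flow steered out Gi0/2 meets no crypto map at all, which the script does not model.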
