05-09-2018 01:54 PM - edited 03-05-2019 10:25 AM
I have a site-to-site IPsec VPN set up. The tunnel is up.
I can ping the other side from the router with ping 172.16.175.5 source 192.168.9.1; it also works from 192.168.10.1.
That command comes back successful. The problem, though, is that I can't ping the remote LAN from any of the client computers connected to the router. It just times out.
The gateway on the clients is the router's inside IP, 192.168.10.1.
I am able to connect to the internet and ping the local LAN from all the clients.
Here's my config. (IPs are masked for security reasons)
Current configuration : 3019 bytes
!
! Last configuration change at 20:57:58 UTC Wed May 9 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CP-RT-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 u/DpzaRng4tz3KhoLiS9QFFXLoQBXqKuI55fQ0lSEaQ
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool dpool10
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.40 192.168.10.41
!
ip dhcp pool dpool9
 import all
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
 dns-server 8.8.8.8 8.8.4.4
!
!
no ip domain lookup
ip domain name xxxxxxxxxxx.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3825 sn FTX1325AHNF
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key xxxxxxxx address a.b.c.d no-xauth
!
!
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 100 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aesset
 set pfs group14
 match address acl_vpn
!
!
!
!
!
!
interface GigabitEthernet0/0
 description LAN DATA
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.9
 description LAN VOICE
 encapsulation dot1Q 9
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description WAN
 ip address a.b.c.e 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map aesmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list acl_nat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.f
ip route 172.16.175.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.250.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended acl_nat
 deny   ip 192.168.10.0 0.0.0.255 172.16.175.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 172.16.175.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 172.16.250.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.10.0 0.0.0.255 172.16.175.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 172.16.175.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 172.16.250.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxssxxx
 login
 transport input telnet ssh
line vty 5 924
 password xxxxxxx
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
05-10-2018 04:24 AM
No one knows? Would really appreciate some help.
05-10-2018 05:09 AM
I figured it out.
I had 2 IP routes sending VPN traffic over the outside interface.
All is working now.
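The fix reported above was to drop the two static routes that sent the remote subnets straight out the WAN interface, leaving the default route (and the crypto map on GigabitEthernet0/1) to carry the VPN traffic. The script below is an added example, not code from this thread or from Cisco, that flags that pattern during a config review: a static route for a destination covered by the crypto ACL whose next hop is the crypto-map interface itself with no gateway address. It parses only the statement types present in the posted config (crypto map, the interface's crypto map binding, extended ACL "permit ip" lines and "ip route"), and the masked WAN addresses a.b.c.e / a.b.c.f and peer a.b.c.d are replaced with documentation-range placeholders.

```python
import ipaddress
import re

# Constructed sample (added example, not the thread's full config): the crypto map,
# WAN interface, static routes and crypto ACL from the original post. The masked
# addresses are replaced with documentation-range placeholders.
SAMPLE_CONFIG = """\
crypto map aesmap 100 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set aesset
 match address acl_vpn
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 crypto map aesmap
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 172.16.175.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.250.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended acl_vpn
 permit ip 192.168.10.0 0.0.0.255 172.16.175.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 172.16.175.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 172.16.250.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 172.16.250.0 0.0.0.255
"""

# Constructed "after" config: the two interface-only routes removed, which is the
# fix the thread reports.
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if not line.startswith("ip route 172.16.")
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _acl_term(tokens, i):
    """Consume one ACL address term (any | host A | A wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts a wildcard (host) mask after the slash, e.g. 0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the four things the check needs from an IOS-style running config."""
    cfg = {"map_acl": {}, "iface_map": {}, "acl": {}, "routes": []}
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command starts a new section
            section = line
            t = line.split()
            if t[:2] == ["ip", "route"] and len(t) >= 5:
                net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
                # "ip route NET MASK IFACE GATEWAY" form carries a gateway in t[5]
                gateway = t[5] if len(t) > 5 and IPV4_RE.match(t[5]) else None
                cfg["routes"].append((net, t[4], gateway))
            continue
        t = line.split()                       # indented sub-command of `section`
        s = section.split()
        if s[:2] == ["crypto", "map"] and t[:2] == ["match", "address"]:
            cfg["map_acl"][s[2]] = t[2]        # crypto map name -> crypto ACL name
        elif s[0] == "interface" and t[:2] == ["crypto", "map"]:
            cfg["iface_map"][s[1]] = t[2]      # interface -> crypto map applied to it
        elif s[:3] == ["ip", "access-list", "extended"] and t[:2] == ["permit", "ip"]:
            src, j = _acl_term(t, 2)
            dst, _ = _acl_term(t, j)
            cfg["acl"].setdefault(s[3], []).append((src, dst))
    return cfg


def routes_bypassing_tunnel(text):
    """Return (prefix, interface, acl) for static routes that point a crypto-ACL
    destination directly at the crypto-map interface with no next-hop address."""
    cfg = parse_config(text)
    findings = []
    for net, next_hop, gateway in cfg["routes"]:
        if gateway is not None or IPV4_RE.match(next_hop):
            continue                           # routed to a gateway address: normal
        if net.prefixlen == 0:
            continue                           # the default route is the expected path
        acl = cfg["map_acl"].get(cfg["iface_map"].get(next_hop))
        for _src, dst in cfg["acl"].get(acl, []):
            if net.overlaps(dst):
                findings.append((str(net), next_hop, acl))
                break
    return findings


if __name__ == "__main__":
    for net, iface, acl in routes_bypassing_tunnel(SAMPLE_CONFIG):
        print(f"static route {net} via {iface} (no gateway) overlaps crypto ACL {acl}")
    print("after fix:", routes_bypassing_tunnel(FIXED_CONFIG))
```

Run against the sample it reports both 172.16.175.0/24 and 172.16.250.0/24 routes as pointing at GigabitEthernet0/1, and reports nothing once those two lines are removed. Routes that name a gateway address, and the default route itself, are deliberately left alone, since that is the state the thread ended up with.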