VPN tunnel no route to remote networks

GeirF
Level 1

Hi

I have stumbled into some routing problems on our ISR2900.

We use this 2900 to run all our IPsec tunnels.

Yesterday we configured a new tunnel to an external company.

client -> tunnel -> 2900 -> 2900-inside -> Cisco ASA -> ping local networks = OK

client -> tunnel -> 2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK

I see the return traffic come back to the 2900-outside from the Palo Alto. I did a packet capture on the 2900-outside to confirm this.

When I ping the client from a DMZ host (terminated on the Palo Alto) I get "Destination net unreachable".

When I ping from the local networks I get the ping response from the client.

Why is the traffic entering 2900-inside routed into the tunnel from the local networks and not from the Palo Alto via 2900-outside?

Regards,

Geir
Accepted Solution

GeirF
Level 1

Hi

I went over the config and prepared it for posting here.

When I was almost ready to post the code, I discovered an old ACL that was mapped to the outside interface.

I saw that the client IP range was missing. I added the missing IP range and got it all working.

Thanks for helping me out.

Regards,
Geir
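Below is an added example of the kind of ACL mistake the accepted solution describes, and of how to check for it on IOS. It is not the poster's configuration (the thread never shows the real ACL), so everything in it is assumed: the ACL name OUTSIDE-IN, that the list is applied inbound on the outside interface, and the RFC 5737 documentation addresses used for the partner ranges and the router's own outside IP. If the real ACL were applied outbound instead, the missing entry would carry the client range as source rather than destination. The point to take away: an interface ACL ends in an implicit deny, so a remote range that was never added is dropped even though routing is correct, and by default IOS answers a denied packet with an ICMP unreachable (administratively prohibited), so the drop can surface at the sender as "unreachable" rather than as a timeout. When fixing it, add only the specific client range, not a broad permit, so the old ACL keeps doing its job.

```cisco
! Added example, not the poster's configuration. All names and addresses are
! assumptions for illustration:
!   OUTSIDE-IN       the old ACL bound inbound on the outside interface
!   Gi0/0            "2900-outside", facing the Palo Alto
!   192.0.2.1        the 2900's own outside address (IPsec peer address)
!   198.51.100.0/24  an existing partner range the old ACL already permits
!   203.0.113.0/24   the new tunnel's client range (the one that was missing)
!
! --- Before: return traffic Palo Alto -> 203.0.113.0/24 matches no permit and
!     falls through to the deny. An ACL ends in an implicit "deny ip any any"
!     even without this line; writing it out with "log" makes the drops visible
!     as %SEC-6-IPACCESSLOG* syslog messages instead of silent counters.
ip access-list extended OUTSIDE-IN
 10 permit udp any host 192.0.2.1 eq isakmp
 20 permit udp any host 192.0.2.1 eq non500-isakmp
 30 permit esp any host 192.0.2.1
 40 permit ip any 198.51.100.0 0.0.0.255
 50 deny   ip any any log
!
interface GigabitEthernet0/0
 description 2900-outside (toward Palo Alto)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! --- Fix: insert the missing client range *ahead of* the deny. A permit typed
!     without a sequence number is appended after line 50 and would never
!     match; an explicit sequence number places it where it is evaluated.
!     Permit only the client range, not "any", so the rest of the ACL still
!     restricts what the Palo Alto side may send toward the tunnel router.
ip access-list extended OUTSIDE-IN
 45 permit ip any 203.0.113.0 0.0.0.255
!
! --- Checks (exec mode):
!   show ip interface GigabitEthernet0/0 | include access list
!       confirms which ACL is really bound to the interface, and in which
!       direction ("Inbound access list is OUTSIDE-IN")
!   clear ip access-list counters OUTSIDE-IN
!       zero the per-entry counters before the test ping
!   show ip access-lists OUTSIDE-IN
!       per-entry match counters: before the fix, line 50 increments while the
!       DMZ host pings the client; after the fix, line 45 does
```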

7 Replies

balaji.bandi
Hall of Fame

If you disable the newly configured tunnel, does it work as expected?

We also need a diagram of the topology you mentioned, the config and some route output.

BB


Can you draw the topology?

GeirF
Level 1

Hi

The topology:

[Image: cisco-community-vpn.JPG]

Regards,
Geir

Hello,

Post the full running configuration (sh run) of the 2900 router.

client -> tunnel -> 2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK

Here you need to NAT (overload) the client subnet on the Palo FW to make it reach the internet. Remember, the internet knows only the outside IP of the Palo, not the IP of the client.

Glad your issue is solved, good job friend.