Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
879
Views
5
Helpful
7
Replies

VPN tunnel no route to remote networks

Go to solution
GeirF
Level 1
Level 1

‎10-25-2022 02:20 AM - last edited on ‎10-27-2022 10:21 PM by Community Manager

Hi

I have stumbled into some routing problems on our ISR2900.

We use this 2900 to run all our ipsec tunnels.

Yesterday we configured a new tunnel to a external company. 

client -> tunnel -> 2900 -> 2900-inside -> Cisco ASA -> ping local networks = OK

client -> tunnel ->  2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK

I see the return trafikk comes back to the 2900-outside from Palo Alto. I did a packet capture on the 2900-outside to confirm this.

When i ping the client from a DMZ host (terminated on the Palo Alto) i get the "Destination net unreachable"

When i ping from the local networks i get the ping respons from the client.

Why is the traffic entering 2900-inside routed into the tunnel from the local networks and not from the Palo Alto via 2900-outside ?

Regards,

Geir

 

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
GeirF
Level 1
Level 1

‎10-26-2022 05:11 AM

Hi

I went over the config and prepared it for posting here. 

When i was almost ready to post the code i discovered an old acl that was mapped to the outside interface,

I saw that the client ip range was missing. Added the missing ip range and i got it all working.

Thanks for helping me out.

Regards,
Geir

 

 

View solution in original post

7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-25-2022 08:16 AM

if you disable the newly configured tunnel, is that works expected?

we also need some diagrams the one mentioned, config also some route output.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-25-2022 08:30 AM

can you draw topology ?

0 Helpful

Go to solution
GeirF
Level 1
Level 1

‎10-26-2022 12:05 AM

Hi

The topology:

cisco-community-vpn.JPG

Regards,
Geir

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to GeirF

‎10-26-2022 12:23 AM - last edited on ‎10-27-2022 10:23 PM by Community Manager

Hello,

post the full running configuration

(sh run)

of the 2900 router.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to GeirF

‎10-26-2022 04:43 AM - last edited on ‎10-27-2022 10:24 PM by Community Manager 

client -> tunnel ->  2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK

 

here you need to make subnet of client NAT (overload) in Palo FW to make it reach internet, remember the internet know only OUT of Palo IP not know the IP of client 

0 Helpful

Go to solution
GeirF
Level 1
Level 1

‎10-26-2022 05:11 AM

Hi

I went over the config and prepared it for posting here. 

When i was almost ready to post the code i discovered an old acl that was mapped to the outside interface,

I saw that the client ip range was missing. Added the missing ip range and i got it all working.

Thanks for helping me out.

Regards,
Geir

 

 

Go to solution
MHM Cisco World
VIP
VIP
In response to GeirF

‎10-26-2022 05:21 AM

glad your issue is solved 
good job friend

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card