05-03-2011 02:18 PM - edited 03-06-2019 04:53 PM
I have a problem. I have two interfaces, VLAN 1 and VLAN 2. The intention is that the VLAN 1 interface cannot ping or connect to the VLAN 2 interface, and the other way around.
interface Vlan1
ip address 20.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip access-list extended ACL
deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
05-04-2011 12:09 AM
Hi,
Where did you apply the "extended ACL"? Because as per it, VLAN 2 cannot access VLAN 1.
And did you enable "ip routing" in global config mode?
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
05-04-2011 12:58 AM
I have this configured on the router, but I can still ping from the VLAN 1 interface to the VLAN 2 interface and the other way around:
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 20.20.20.1 20.20.20.20
!
ip dhcp pool R1.LAN
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease infinite
!
ip dhcp pool R1.CISCO_Private
import all
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
lease infinite
interface Vlan1
ip address 20.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip access-list extended ACL
deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
05-04-2011 01:08 AM
Hi,
So this is a router on a stick.
On which physical interface have you configured these VLANs?
And make sure you have configured encapsulation (R1(config-subif)#encapsulation dot1q 20) on all the VLANs.
It would be very helpful for understanding where exactly the issue is if you post your complete router running config.
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
05-04-2011 01:16 AM
Okay, this is the current running-config:
Current configuration: 6550 bytes
!
! Last configuration change at 7:27:57 UTC Wed May in April 2011 by Tim
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 autonomous boot image
!
crypto pki trustpoint TP-self-signed-3945582034
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3945582034
revocation-check none
rsakeypair TP-self-signed-3945582034
!
!
crypto pki certificate chain TP-self-signed-3945582034
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 04050030 F70D0101
494F532D 53656C66 31312F30 2D060355 04031326 43657274 2D536967 6E65642D
69666963 6174652D 33393435 35383230 3334301E 170D3131 30343236 31333137
30345A17 0D323030 31303130 30303030 305A3031 06035504 03132649 312F302D
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343535
38323033 3430819F 818D0030 81890281 01050003 300D0609 2A864886 F70D0101
8100900D 6293E313 40744659 1E2A4047 E9844B53 240B241D 711B5B64 E75F2063
2D6CDE1B 52A3F448 BFEC9B67 16816048 85235244 04DBBD55 048CC4C4 DEDAA702
9954D740 D50B2ED8 3DF3F681 A5553D5B AEA90921 FB6C2757 C23B12D1 B8121A23
4B752336 A329E1A8 7E74AB8F 043D73AE D41FE2CA 1B3A238F 9071779C EF2B3A37
E2F70203 010001A3 0F060355 1D130101 FF040530 030101FF 30180603 6D306B30
551D1104 63757273 11300F82 6973742E 6265301F 0603551D 23041830 0D52322E
1680144A 5C914FA9 9D03D187 6DE957BE ED699CB0 46CB0530 1D060355 1D0E0416
04144A5C 914FA99D 03D1876D E957BEED 699CB046 CB05300D 06092A86 4886F70D
5E579320 01010405 00038181 0027B4A2 5B66B9E9 F280E047 3BDC4B0F AB852BFA
1C480D16 3C3E3A86 998EB525 56375C41 E92CA8DC D9EB2583 E685145D B536B4BD
7E1B3213 086CC86C FB20A91F 4A0A8A67 C5848F49 89BDF700 D6EA83FB 6533E802
6A0BA747 54476B9C 1060D035 DDA6C526 B6FED37E 0D1CB29F 7A8C4B11 46BAF5CD
706666CF 00E710A2 C9
quit
ip source-route
!
!
ip dhcp excluded-address 20.20.20.1 20.20.20.20
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool R2.LAN
import all
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
lease infinite
!
ip dhcp pool R2.CISCO_Private
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease infinite
!
!
ip cef
ip domain name cursist.be
ipv6 unicast-routing
ipv6 cef
!
!
!
!
archive
log config
logging enable
path flash: config-R2.standard.running
username user privilege 15 secret 5 $1$SQFs$zojYx5GmAMV.1q33BwRxu0
username Cisco privilege 15 secret 5 $1$CdKz$SOMtjCVR5AO6GW6Ug23Rq/
!
!
ip ssh rsa keypair-name ************
ip ssh version 2
ip scp server enable
!
!
crypto isakmp policy 10000
encr aes 256
authentication pre-share
group 16
crypto isakmp key Cisco123 address ***************
!
!
crypto ipsec transform-set 10000 ah-sha-hmac esp-aes 256 esp-sha-hmac comp-lzs
!
crypto map R2.CMAP 10000 ipsec-isakmp
set peer *****************
set transform-set 10000
set pfs group16
match address VPN
qos pre-classify
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN
ip address dhcp client-id FastEthernet8
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description WAN
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map R2.CMAP
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
ip address 20.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list ACL interface GigabitEthernet0 overload
ip nat inside source static tcp 10.10.10.1 22 interface GigabitEthernet0 4000
ip nat inside source static tcp 20.20.20.1 22 interface GigabitEthernet0 5000
!
ip access-list extended ACL
deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
no cdp run
!
!
!
!
!
!
control-plane
!
!
^C
!
line con 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin ssh udptn
line aux 0
line vty 0 4
privilege level 15
password *********
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
05-04-2011 02:09 AM
Okay, that's good, but will I be able to ping the VPN to another router to let you know how you
05-04-2011 01:23 AM
Hi Guys,
I'm afraid that you didn't apply the ACL on the interface. Are you using an Ethernet switch module on the router? Please tell us a bit more detail.
If users in VLAN1 are not allowed to ping Interface-VLAN1 and Interface-VLAN2, you should do as follows:
!
ip access-list extended VLAN1-NO-PING-GW
deny icmp 20.20.20.0 0.0.0.255 host 20.20.20.1
deny icmp 20.20.20.0 0.0.0.255 host 10.10.10.1
permit ip any any
!
interface vlan 1
ip access-group VLAN1-NO-PING-GW in
!
If users in VLAN2 are not allowed to ping Interface-VLAN2 and Interface-VLAN1, you should do as follows:
!
ip access-list extended VLAN2-NO-PING-GW
deny icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
deny icmp 10.10.10.0 0.0.0.255 host 20.20.20.1
permit ip any any
!
interface vlan 2
ip access-group VLAN2-NO-PING-GW in
!
Hope I understood what you wanted. (grin)
Toshi
05-04-2011 02:10 AM
Okay, that's good, but will I be able to ping the VPN to another router to let you know how you
05-04-2011 02:25 AM
Hi,
First off, you need to tell us the remote network that you want to ping from your site. Your interesting traffic for the site-to-site VPN is wrong.
!
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
It shouldn't be like you defined above. It might be something as follows:
Note: xxxx is a remote site network.
!
ip access-list extended VPN-To-RemoteNetwork
permit ip 10.10.10.0 0.0.0.255 xxxx yyyy
permit ip 20.20.20.0 0.0.0.255 xxxx yyyy
!
crypto map R2.CMAP 10000 ipsec-isakmp
match address VPN-To-RemoteNetwork
!
You should deny the VPN traffic in the NAT overload statement as well.
!
ip access-list extended NAT-DENY-RemoteVPN
deny ip 10.10.10.0 0.0.0.255 xxxx yyyy
deny ip 20.20.20.0 0.0.0.255 xxxx yyyy
permit ip 10.10.10.0 0.0.0.255 any
permit ip 20.20.20.0 0.0.0.255 any
!
ip nat inside source list NAT-DENY-RemoteVPN interface GigabitEthernet0 overload
Please let us know how things work out.
HTH,
Toshi
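To make the two ACL-based pieces of advice in this thread concrete (the VLANx-NO-PING-GW lists applied inbound on the SVIs, and the NAT-DENY-RemoteVPN list whose deny lines keep VPN traffic out of the overload NAT), here is an added example, written for this page and not taken from the thread or from Cisco, that evaluates IOS-style extended ACL lines against sample flows with Cisco wildcard-mask semantics, including the implicit deny at the end of every list. The remote-site network that Toshi wrote as xxxx yyyy is replaced by a constructed placeholder, 192.168.100.0/24; the flows are constructed as well. It also runs the original poster's ACL, which shows that it would drop all VLAN 1 traffic if it were ever applied inbound on Vlan1, since nothing in it permits 20.20.20.0/24 as a source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flows: (protocol, source, destination). A flow always has a
# concrete protocol; an ACL entry with protocol "ip" matches any of them.
@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Consume one IOS address spec starting at tok[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((address, wildcard), index of the next token)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text):
    """Parse the permit/deny lines of an 'ip access-list extended' block.
    Port options are not handled (none appear in the thread)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line, remark or blank
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[0], tok[1].lower(), src, dst))
    return entries


def _matches(ip, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(entries, flow):
    """Return 'permit' or 'deny' from the first matching entry, else the implicit deny."""
    s, d = _ip(flow.src), _ip(flow.dst)
    for action, proto, src, dst in entries:
        if proto not in ("ip", flow.proto):
            continue
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny


# ACLs quoted from the thread. In NAT_EXEMPT the remote site (xxxx yyyy in the
# post above) is replaced with a constructed placeholder, 192.168.100.0/24.
NO_PING_GW = """
ip access-list extended VLAN1-NO-PING-GW
 deny icmp 20.20.20.0 0.0.0.255 host 20.20.20.1
 deny icmp 20.20.20.0 0.0.0.255 host 10.10.10.1
 permit ip any any
"""

NAT_EXEMPT = """
ip access-list extended NAT-DENY-RemoteVPN
 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 20.20.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 20.20.20.0 0.0.0.255 any
"""

ORIGINAL_ACL = """
ip access-list extended ACL
 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
"""


def nat_translates(acl_text, flow):
    """For an 'ip nat inside source list' ACL, permit means translate; deny means
    leave the packet untranslated so the crypto map can match it."""
    return evaluate(parse_acl(acl_text), flow) == "permit"


if __name__ == "__main__":
    gw = parse_acl(NO_PING_GW)
    for f in (Flow("icmp", "20.20.20.5", "20.20.20.1"),
              Flow("icmp", "20.20.20.5", "10.10.10.50"),
              Flow("tcp", "20.20.20.5", "10.10.10.1")):
        print("VLAN1-NO-PING-GW", f, "->", evaluate(gw, f))
    print("NAT to remote site:", nat_translates(NAT_EXEMPT, Flow("tcp", "10.10.10.5", "192.168.100.7")))
    print("NAT to Internet:   ", nat_translates(NAT_EXEMPT, Flow("tcp", "10.10.10.5", "198.51.100.9")))
    # The original ACL would drop all VLAN 1 traffic if applied inbound on Vlan1:
    print("ACL, 20.20.20.5 -> 10.10.10.5:",
          evaluate(parse_acl(ORIGINAL_ACL), Flow("icmp", "20.20.20.5", "10.10.10.5")))
```

Two points the run makes visible: an ACL only has an effect once it is bound to an interface with ip access-group (the original poster's ACL is referenced only by the NAT statement, where it never sees VLAN-to-VLAN traffic), and the order of the NAT-exemption list matters, since the deny lines have to come before the permit-to-any lines or the VPN traffic is translated before the crypto map ever sees it.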
05-04-2011 02:32 AM
That cannot help me, because that's how she was hoping for my VPN, so that their running-config,
but it continues to ping internally while blocked.
05-04-2011 02:37 AM
Hi,
Keep in mind, site-to-site VPN needs to agree upon the policies on both sites. Time to read this document.
Ref : http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Good Luck
Toshi
05-04-2011 02:46 AM
My VPN is fine, but it's the same IP addresses:
Router 1
vlan 1 ip address 10.10.10.1
vlan 2 ip address 20.20.20.1
Router 2
vlan 1 ip address 20.20.20.1
vlan 2 ip address 10.10.10.1
05-04-2011 02:57 AM
Hi,
I'm a bit surprised if your VPN is working with overlapping networks on both sites with the existing configuration. I would design different networks for each site to do site-to-site VPN. If you want to do this, the new configuration will have a long list of NAT statements and you're not gonna like it for sure. (grin)
HTH,
Toshi
05-04-2011 03:02 AM
It doesn't work, only if I remove interface vlan 2 on both routers.
How can you have 4 subnets and a VPN?
05-04-2011 03:10 AM
Hi,
If I were you, I would keep it as simple as I can.
SiteA : I would use 10.1.x.y network.
Let's say 10.1.1.0/24 for VLAN1 and 10.1.2.0/24 for VLAN2
SiteB : I would use 10.2.x.y network.
Let's say 10.2.1.0/24 for VLAN1 and 10.2.2.0/24 for VLAN2
You can now do ACL policies and site-to-site VPN without any problem. I hope (grin)
Toshi
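The addressing advice above (distinct 10.1.x.y and 10.2.x.y ranges per site) can be checked mechanically. The following is an added example, written for this page rather than taken from the thread, that detects overlapping subnets between sites, generates the crypto-map ACL and NAT-exemption ACL for one site in the same shape as the VPN-To-RemoteNetwork and NAT-DENY-RemoteVPN lists earlier in the thread, and verifies that the far side's crypto ACL is the exact mirror image, which is what both IKE peers have to agree on. The site plans, ACL names and the two-site layout are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed site plans. ORIGINAL is the thread's addressing (both routers use
# 10.10.10.0/24 and 20.20.20.0/24); PROPOSED follows the 10.1.x.y / 10.2.x.y suggestion.
ORIGINAL = {
    "Router1": ["10.10.10.0/24", "20.20.20.0/24"],
    "Router2": ["20.20.20.0/24", "10.10.10.0/24"],
}
PROPOSED = {
    "SiteA": ["10.1.1.0/24", "10.1.2.0/24"],
    "SiteB": ["10.2.1.0/24", "10.2.2.0/24"],
}


def overlapping_pairs(sites):
    """Every pair of subnets on different sites that overlap; an empty list means
    the plan can be tunnelled without policy NAT."""
    nets = [(site, ipaddress.ip_network(n)) for site, subnets in sites.items() for n in subnets]
    return [
        (sa, str(a), sb, str(b))
        for (sa, a), (sb, b) in combinations(nets, 2)
        if sa != sb and a.overlaps(b)
    ]


def wildcard(net):
    """'10.1.1.0/24' -> '10.1.1.0 0.0.0.255' (IOS wildcard mask = host mask)."""
    return f"{net.network_address} {net.hostmask}"


def vpn_acls(sites, local, remote, crypto_name="VPN-To-RemoteNetwork",
             nat_name="NAT-DENY-RemoteVPN"):
    """Crypto-map ACL (interesting traffic) and NAT-exemption ACL for `local`,
    laid out like the template in the thread: one line per local/remote subnet
    pair, then a permit-to-any per local subnet for ordinary overload NAT."""
    local_nets = [ipaddress.ip_network(n) for n in sites[local]]
    remote_nets = [ipaddress.ip_network(n) for n in sites[remote]]
    crypto = [f"ip access-list extended {crypto_name}"]
    nat = [f"ip access-list extended {nat_name}"]
    for l in local_nets:
        for r in remote_nets:
            crypto.append(f" permit ip {wildcard(l)} {wildcard(r)}")
            nat.append(f" deny ip {wildcard(l)} {wildcard(r)}")
    for l in local_nets:
        nat.append(f" permit ip {wildcard(l)} any")
    return crypto, nat


def mirrors(sites, a, b):
    """True when B's crypto ACL is the exact mirror (src/dst swapped) of A's."""
    crypto_a, _ = vpn_acls(sites, a, b)
    crypto_b, _ = vpn_acls(sites, b, a)

    def swap(line):
        t = line.split()  # permit ip SRC SRC_WC DST DST_WC
        return " ".join([t[0], t[1], t[4], t[5], t[2], t[3]])

    return sorted(swap(x) for x in crypto_a[1:]) == sorted(x.strip() for x in crypto_b[1:])


if __name__ == "__main__":
    print("overlaps in original plan:", overlapping_pairs(ORIGINAL))
    print("overlaps in proposed plan:", overlapping_pairs(PROPOSED))
    crypto, nat = vpn_acls(PROPOSED, "SiteA", "SiteB")
    print("\n".join(crypto + ["!"] + nat))
    print("SiteB mirrors SiteA:", mirrors(PROPOSED, "SiteA", "SiteB"))
```

Running it against ORIGINAL reports two overlapping pairs (10.10.10.0/24 and 20.20.20.0/24 exist on both routers), which is exactly why the crypto ACL in the thread cannot describe a tunnel between the sites; against PROPOSED it reports none, and the generated lists for SiteB come out as the mirror of SiteA's.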