
Static Route through VPN

I can't seem to get a static route configured through a VPN.  I need to allow a remote site to communicate with a WLC that is across a VPN link and behind a router.  I can ping from a workstation at the branch office to the router in question but not to the subnet behind the router. 



What kind of VPN are you running on the routers?

If you are using VTIs (Tunnel-Interfaces):

The Branch-router needs a route to 192.168.1.0/24 through the tunnel-interface. The HQ-Router needs a route to 192.168.1.0/24 with a next-hop of 192.168.127.2

If you are using crypto-maps for your VPNs:

The crypto-ACL has to include the traffic between 192.168.128.112/28 and 192.168.1.0/24.

I've added some of the config from the branch office router.  Let me know if more is required.

interface FastEthernet4
 description Rogers - Cable Modem Internet Access
 ip address dhcp
 ip flow ingress
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1

!
interface Vlan1
 description Local VLANS
 ip address 192.168.128.113 255.255.255.240
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!

ip nat source list natlist interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 192.168.127.0 255.255.255.0 dhcp
ip route 192.168.1.0 255.255.255.0 dhcp
!
ip access-list extended natlist
 permit ip 192.168.128.112 0.0.0.15 any
 deny   ip any any
!
!
route-map nonat permit 10
 match ip address 110
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.128.112 0.0.0.15 192.168.127.0 0.0.0.255
access-list 100 permit ip 192.168.128.112 0.0.0.15 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.128.112 0.0.0.15 192.168.127.0 0.0.0.255
access-list 110 deny   ip 192.168.128.112 0.0.0.15 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.128.112 0.0.0.15 any
!

The line 

ip nat source list natlist interface FastEthernet4 overload

is not needed. The rest of NAT (and NAT-exemption) looks fine.

Is ACL 100 used in your crypto-map SDM_CMAP_1? Then it should be fine. Make sure you have a corresponding config also on the HQ. There the crypto-map and NAT-exemption need everything in the reverse direction.

Yes, ACL 100 is used for the crypto-map.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key My$illyPW address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to HQ
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 100

!

Don't I need the "ip nat source list natlist..." in order to allow internet traffic?  When I originally configured the router I couldn't ping to the internet without the IP NAT command and ACL.

I'm going to look at the config of the HQ ASA to see if it is setup to allow the traffic through.


There are two NAT-lines. The one that corresponds to your interface-config is the following:

ip nat inside source route-map nonat interface FastEthernet4 overload

This line is still needed. The other line "ip nat source" is for a different way of configuring NAT. The ACL "natlist" should also be unneeded.
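As an added example (not from the thread or its participants), this script checks the two things the accepted answer depends on: that every flow in crypto ACL 100 is denied by the NAT-exemption ACL 110 before the route-map can translate it, and it renders the mirrored crypto ACL the HQ side needs. The ACL text is a constructed copy of the branch config posted above; the function names are my own.

```python
# Added example, not part of the original thread. BRANCH_ACLS is a constructed
# copy of the ACLs posted above; ACL numbers 100 (crypto) and 110 (nonat) match it.
import ipaddress

BRANCH_ACLS = """
access-list 100 permit ip 192.168.128.112 0.0.0.15 192.168.127.0 0.0.0.255
access-list 100 permit ip 192.168.128.112 0.0.0.15 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.128.112 0.0.0.15 192.168.127.0 0.0.0.255
access-list 110 deny   ip 192.168.128.112 0.0.0.15 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.128.112 0.0.0.15 any
"""

def _take_addr(tokens):
    """Consume one ACL address spec: 'any' or 'address wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in ACL order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # skips remarks and non-IP entries
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def first_match(entries, src, dst):
    """Action of the first entry covering the flow; IOS ACLs end in an implicit deny."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def nat_exempt_gaps(acls, crypto="100", nonat="110"):
    """Crypto-ACL flows that the nonat route-map would still translate (ACL permit)."""
    return [(src, dst) for action, src, dst in acls.get(crypto, [])
            if action == "permit"
            and first_match(acls.get(nonat, []), src, dst) == "permit"]

def hq_crypto_acl(acls, crypto="100"):
    """Render the HQ-side crypto ACL: the same flows with source and destination swapped."""
    return [f"access-list {crypto} permit ip {d.network_address} {d.hostmask} "
            f"{s.network_address} {s.hostmask}"
            for action, s, d in acls.get(crypto, []) if action == "permit"]
```

An empty list from nat_exempt_gaps means the branch NAT exemption mirrors the crypto ACL; the rendered HQ lines must likewise be exempted from NAT on the HQ side.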

Just realized I never thanked you for your assistance. "Better late than never"...

THANKS!

No problem! Happy to help with your challenges! :-)

The router with the WLC connected needed a static route to the branch office.

#ip route 192.168.128.112 255.255.255.240 192.168.127.1

Hello,

Are you using VPN client software on the workstation? Please share your configuration on the server.