794 Views, 0 Helpful, 3 Replies

Remote VPN Issue

arthur.salmon (Level 1)

I am having an issue. I have 2 remote users connecting to our datacenter. Each remote user can access resources at the datacenter, but we would like to know how I can make it so that one remote user can connect to the other remote user through the datacenter.

Here is the config we are using:

CoreRouter#show run
Building configuration...

hostname CoreRouter
!
aaa new-model
!
aaa authentication login default local
aaa authorization network groupauthor local
!
aaa session-id common
ip source-route
!
multilink bundle-name authenticated
!
username <our user>
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key KEY
 dns 8.8.8.8
 pool VPNippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address <WAN Address>
 ip nat outside
 ip virtual-reassembly in
 crypto map clientmap
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.3
 description VLAN-Inside-LAN
 encapsulation dot1Q 3
 ip address 10.0.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPNippool 192.168.1.0 192.168.1.10
ip forward-protocol nd
!
ip nat inside source static tcp 10.0.3.2 3389 interface FastEthernet0/0 3389
ip nat inside source list 102 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 <our datacenter>
!
access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
!
control-plane
!
line vty 0 4
 transport input ssh
!
end

Essentially, our remote users are assigned a 192.168.1.x/24 address, which can ping our internal LAN addresses (10.0.3.x/24) but can't ping other 192.168.1.x/24 addresses.

Just to make sure that on our remote host the traffic was going back to the datacenter router: a tracert <other remote user> does return our WAN IP for the datacenter router, with the next hop timing out.

Any help would be amazing

Thank you

IT Done Right
3 Replies

arthur.salmon (Level 1)

I forgot to add that from the remote user side I can ping the Datacenter and internal network, however, from the datacenter I cannot ping the remote users.

IT Done Right

Disable CEF on the router to punt the ping to the router's CPU, and try again.

Please feed back to me after doing that.

I found the solution: I modified the ACLs.

access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
access-list 102 permit ip any any

ACL 101 was used in my crypto isakmp.

ACL 102 was used in my NAT.

This worked. Thank you, though, for your help.

IT Done Right
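As an added illustration (not code from the thread or from Cisco), the Python below parses the numbered ACLs posted above with IOS wildcard-mask and first-match semantics (protocol `ip` entries only) and reports how the split-tunnel ACL 101 and the before/after NAT ACL 102 classify three sample flows. The host addresses are constructed; 203.0.113.10 stands in for an internet destination, and the implicit deny at the end of every IOS ACL is modelled explicitly.

```python
import ipaddress

# ACLs from the thread; the final entry carries the protocol keyword extended ACLs need.
ACL_101 = """
access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL_102_BEFORE = """
access-list 102 deny   ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
"""
ACL_102_AFTER = ACL_102_BEFORE + "access-list 102 permit ip any any\n"

def _take_address(tokens):
    """Consume 'any' or '<address> <wildcard>'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines (protocol 'ip' only), preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError("unsupported ACL line: " + line)
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        entries.append((tokens[2], src, dst))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def classify_flows():
    """Map each sample flow to (ACL 101, ACL 102 before, ACL 102 after) results."""
    acls = [parse_acl(ACL_101), parse_acl(ACL_102_BEFORE), parse_acl(ACL_102_AFTER)]
    flows = {"lan->vpn": ("10.0.3.2", "192.168.1.5"),          # constructed addresses:
             "lan->internet": ("10.0.3.2", "203.0.113.10"),    # LAN host, two pool
             "vpn->vpn": ("192.168.1.5", "192.168.1.6")}       # clients, a public host
    return {name: tuple(acl_action(acl, *flow) for acl in acls)
            for name, flow in flows.items()}
```

Running `classify_flows()` shows that the original ACL 102 never matches a packet sourced from the 192.168.1.0/24 client pool, so client-to-client traffic fell through to the implicit deny until the `permit ip any any` entry was added.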
