12-31-2014 02:39 PM - edited 02-21-2020 08:00 PM
I am having an issue with my site-to-site IPsec VPN.
My problem is that I cannot access the 2.x and 3.x subnets from the remote site. I can, however, access the central site just fine. I have been pulling my hair out trying to figure this out. Please help.
Central site: Cisco 2811 (subnet 192.168.1.x). It's connected to a second Cisco 2811 (subnet 192.168.2.x) via MU1. The central site is also connected to a 3rd Cisco router (subnet 192.168.3.x) via FE0/0.
There are only routers, no ASAs or other types of firewalls.
Remote site: D-Link DSR-250N (subnet 192.168.14.x). Connected to the central site via an IPsec site-to-site VPN.
Again, I can access the central site from the remote site just fine, but I cannot access the 2.x and 3.x subnets from the remote site.
The show run config (minus the private entries) from the central site router is below.
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key ***** address (Remote-site-Public-IP)
!
crypto ipsec transform-set tunnel-trans esp-des esp-md5-hmac
!
crypto map TUNNELVPN 1 ipsec-isakmp
set peer (Remote-site-Public-IP)
set transform-set tunnel-trans
match address ipsec-vondron-list
!
interface Multilink1
description Multilink Interface
ip address 192.168.104.1 255.255.255.252
ip flow ingress
ip flow egress
ip route-cache flow
ip policy route-map QoSMap
ppp multilink
ppp multilink group 1
!
interface FastEthernet0/0
description LAN
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address Public IP Address
ip access-group ACL-WAN in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map TUNNELVPN
!
interface Serial0/0/0:0
description T1 to Second 2811
no ip address
encapsulation ppp
ip policy route-map QoSMap
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
no ip address
encapsulation ppp
ip policy route-map QoSMap
shutdown
no cdp enable
!
interface Serial0/2/0:0
description to T1 Second 2811
no ip address
ip nat inside
ip virtual-reassembly
encapsulation ppp
ip policy route-map QoSMap
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/2/1:0
description T1 to Second 2811
no ip address
encapsulation ppp
ip policy route-map QoSMap
ppp multilink
ppp multilink group 1
!
router ospf 23
log-adjacency-changes
redistribute static
network 192.168.1.0 0.0.0.255 area 0
network 192.168.104.0 0.0.0.3 area 0
default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Central_Site-Public-IP-address
!
no ip http server
ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.x Public-IP-address
!
ip access-list extended ACL-NAT
remark deny traffic that goes to VPN
deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
remark permit rest
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.104.0 0.0.0.3 any
ip access-list extended ACL-WAN
permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
remark DROP THE BASIC STUFF
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny udp any eq snmp any log
deny udp any eq snmptrap any log
deny udp any eq sunrpc any log
deny udp any eq syslog any log
deny udp any eq bootpc any log
deny tcp any range 135 142 any
permit icmp any any
permit tcp any any established
permit udp any eq domain any
permit udp any any eq domain
remark VONDRON VPN to Router
permit udp host (Remote-site-Public-IP) host (Central-site-IP) eq isakmp
permit esp host (Remote-site-Public-IP) host (Central-site-IP)
permit udp host (Central-site-IP) host (Remote-site-Public-IP) eq isakmp
permit esp host (Central-site-IP) host (Remote-site-Public-IP)
ip access-list extended ipsec-vondron-list
permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
ip access-list extended nonat-list
permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
!
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 5 permit 192.168.3.0 0.0.0.255
access-list 5 permit 192.168.104.0 0.0.0.3
dialer-list 1 protocol ip permit
!
!
end
Central 2811#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is Central_Site-Public-IP-address to network 0.0.0.0
192.168.104.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.104.0/30 is directly connected, Multilink1
C 192.168.104.2/32 is directly connected, Multilink1
Central_Site-Public-IP-address/28 is subnetted, 1 subnets
C Central_Site-Public-IP-address is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
O 192.168.2.0/24 [110/22] via 192.168.104.2, 4d09h, Multilink1
O 192.168.3.0/24 [110/2] via 192.168.1.15, 1d07h, FastEthernet0/0
Central_Site-Public-IP-address/30 is subnetted, 1 subnets
C Central_Site-Public-IP-address is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via Central_Site-Public-IP-address
01-03-2015 06:40 PM
Hi mvang0001
The simple rule of thumb for VPN is: whatever you need to access in the remote party's network, and whatever the remote party needs to access in your network, should be defined in the interesting traffic on the tunnel.
Plus, in order to reach that network inside your company, you should have an appropriate route in place on the VPN device you are forming the tunnel to the remote party on.
Please confirm whether the networks you are not able to access are configured in the VPN interesting traffic on both sides. At your side, you can see the config, but you have to get a copy of the config from the remote party's network/security admin.
Please let us know.
Thanks
JD...
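To turn the rule of thumb above into a concrete check on the central side, here is an added Python script; it is not from the thread and not Cisco or D-Link code. It embeds a constructed excerpt modelled on the posted ACLs plus a hypothetical corrected version, parses the named extended ACLs with first-match semantics, and reports, for each LAN subnet, whether traffic to the remote LAN is in the crypto ACL ("interesting"), is kept out of the NAT ACL (on IOS, inside-to-outside NAT runs before the crypto map, so translated traffic never matches the crypto ACL), and whether return traffic from the remote LAN is permitted by the inbound WAN ACL (this assumes decrypted packets are evaluated against that ACL). The route check and the remote D-Link side are outside its scope; the crypto ACL on the remote device would have to mirror the corrected pairs.

```python
import ipaddress

# Constructed excerpt modelled on the ACLs in the posted central-site config
# (not the poster's literal output); entries are indented as IOS prints them.
CENTRAL_CONFIG = """
ip access-list extended ACL-NAT
 remark deny traffic that goes to VPN
 deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended ACL-WAN
 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 any log
ip access-list extended ipsec-vondron-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
!
"""

# Hypothetical corrected version: the 2.x and 3.x subnets are added to the crypto
# ACL, NAT-exempted ahead of the catch-all permits, and allowed inbound from the
# remote LAN. The remote device's crypto ACL would have to mirror these pairs.
CORRECTED_CONFIG = """
ip access-list extended ACL-NAT
 deny ip 192.168.0.0 0.0.255.255 192.168.14.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended ACL-WAN
 permit ip 192.168.14.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 any log
ip access-list extended ipsec-vondron-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.14.0 0.0.0.255
!
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, acl_name):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of a named extended ACL."""
    entries, in_acl = [], False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw.startswith("ip access-list extended "):
            in_acl = tokens[-1] == acl_name
            continue
        if not in_acl or tokens[0] == "remark":
            continue
        if tokens[0] not in ("permit", "deny"):
            in_acl = False  # any other top-level line ("!", next section) closes the block
            continue
        if tokens[1] == "ip":  # udp/esp/tcp entries are out of scope for this check
            src, rest = parse_endpoint(tokens[2:])
            dst, _ = parse_endpoint(rest)
            entries.append((tokens[0], src, dst))
    return entries


def first_match(entries, src, dst):
    """IOS ACL semantics: first entry covering both whole subnets wins, implicit deny at the end."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"


def audit_vpn_coverage(config, local_subnets, remote_subnet):
    """For each local subnet, check the three central-side conditions for reaching remote_subnet."""
    crypto = parse_acl(config, "ipsec-vondron-list")
    nat = parse_acl(config, "ACL-NAT")
    wan = parse_acl(config, "ACL-WAN")
    remote = ipaddress.ip_network(remote_subnet)
    report = {}
    for s in local_subnets:
        local = ipaddress.ip_network(s)
        report[s] = {
            # crypto ACL permit = flow is "interesting" and gets encrypted
            "interesting": first_match(crypto, local, remote) == "permit",
            # NAT runs before crypto, so the VPN flow must be denied (exempted) in the NAT ACL
            "nat_exempt": first_match(nat, local, remote) == "deny",
            # decrypted return traffic from the remote LAN must pass the inbound WAN ACL (assumed)
            "inbound_permitted": first_match(wan, remote, local) == "permit",
        }
    return report


def gaps(report):
    """Subnets failing at least one condition, mapped to the names of the failing conditions."""
    return {s: [k for k, ok in checks.items() if not ok]
            for s, checks in report.items() if not all(checks.values())}
```

Running `gaps(audit_vpn_coverage(CENTRAL_CONFIG, ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"], "192.168.14.0/24"))` flags the 2.x and 3.x subnets on all three conditions while 1.x passes, which matches the symptom in the question; the same call against `CORRECTED_CONFIG` returns an empty dict. The parser only treats a subnet as matched when an entry covers it entirely, so partial overlaps show up as gaps rather than being silently accepted.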
01-04-2015 02:14 AM
You seem to have everything in place on the Cisco router, but without seeing the remote end it is difficult to say where the mismatch is. I would go back through both configurations and make sure that phase 1 and phase 2 on both sides match up.
--
Please remember to select a correct answer and rate helpful posts