Can't access other subnets-Site to Site IPSec VPN Cisco 2811 and D-Link DSR-250N

mvang0001
Level 1

I am having an issue with my Site to Site IPsec VPN.
My problem is that I cannot access the 2.x and 3.x subnets from the remote site. I can, however, access the central site just fine. I have been pulling my hair out trying to figure this out. Please help.

Central site: Cisco 2811 (subnet 192.168.1.x). It's connected to a second Cisco 2811 (subnet 192.168.2.x) via MU1. The central site is also connected to a 3rd Cisco router (subnet 192.168.3.x) via FE0/0.
There are only routers, no ASAs or other types of firewalls.

Remote site: D-Link DSR-250N (subnet 192.168.14.x). Connected to the central site via an IPsec site-to-site VPN.
Again, I can access the central site from the remote site just fine, but I cannot access the 2.x and 3.x subnets from the remote site.

The show run config (minus the private entries) from the central site router is below.

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address (Remote-site-Public-IP)
!
crypto ipsec transform-set tunnel-trans esp-des esp-md5-hmac
!
crypto map TUNNELVPN 1 ipsec-isakmp
 set peer (Remote-site-Public-IP)
 set transform-set tunnel-trans
 match address ipsec-vondron-list
!
interface Multilink1
 description Multilink Interface
 ip address 192.168.104.1 255.255.255.252
 ip flow ingress
 ip flow egress
 ip route-cache flow
 ip policy route-map QoSMap
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address Public IP Address
 ip access-group ACL-WAN in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map TUNNELVPN
!
interface Serial0/0/0:0
 description T1 to Second 2811
 no ip address
 encapsulation ppp
 ip policy route-map QoSMap
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ip policy route-map QoSMap
 shutdown
 no cdp enable
!
interface Serial0/2/0:0
 description to T1 Second 2811
 no ip address
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map QoSMap
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/1:0
 description T1 to Second 2811
 no ip address
 encapsulation ppp
 ip policy route-map QoSMap
 ppp multilink
 ppp multilink group 1
!
router ospf 23
 log-adjacency-changes
 redistribute static
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.104.0 0.0.0.3 area 0
 default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Central_Site-Public-IP-address

!
no ip http server
ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.x Public-IP-address
!
ip access-list extended ACL-NAT
 remark deny traffic that goes to VPN
 deny   ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
 remark permit rest
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.104.0 0.0.0.3 any
ip access-list extended ACL-WAN
 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
 remark DROP THE BASIC STUFF
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   udp any eq snmp any log
 deny   udp any eq snmptrap any log
 deny   udp any eq sunrpc any log
 deny   udp any eq syslog any log
 deny   udp any eq bootpc any log
 deny   tcp any range 135 142 any
 permit icmp any any
 permit tcp any any established
 permit udp any eq domain any
 permit udp any any eq domain
 remark VONDRON VPN to Router
 permit udp host (Remote-site-Public-IP) host (Central-site-IP) eq isakmp
 permit esp host (Remote-site-Public-IP) host (Central-site-IP)
 permit udp host (Central-site-IP) host (Remote-site-Public-IP) eq isakmp
 permit esp host (Central-site-IP) host (Remote-site-Public-IP)
ip access-list extended ipsec-vondron-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
ip access-list extended nonat-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
!
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 5 permit 192.168.3.0 0.0.0.255
access-list 5 permit 192.168.104.0 0.0.0.3

dialer-list 1 protocol ip permit
!
!
end
Central 2811#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is Central_Site-Public-IP-address to network 0.0.0.0

     192.168.104.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.104.0/30 is directly connected, Multilink1
C       192.168.104.2/32 is directly connected, Multilink1
     Central_Site-Public-IP-address/28 is subnetted, 1 subnets
C       Central_Site-Public-IP-address is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O    192.168.2.0/24 [110/22] via 192.168.104.2, 4d09h, Multilink1
O    192.168.3.0/24 [110/2] via 192.168.1.15, 1d07h, FastEthernet0/0
     Central_Site-Public-IP-address/30 is subnetted, 1 subnets
C       Central_Site-Public-IP-address is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via Central_Site-Public-IP-address

2 Replies


Jigar Dave
Level 3

Hi mvang0001

The simple rule of thumb for a VPN is: whatever you need to access in the remote party's network, and whatever the remote party needs to access in your network, should be defined in the interesting traffic on the tunnel.

Plus, in order to reach that network inside your company, you should have an appropriate route in place on the VPN device that forms the tunnel to the remote party.

Please confirm that the networks you are not able to access are configured in the VPN interesting traffic on both sides. At your side you can see the config, but you have to get a copy of the config from the remote party's network/security admin.

Please let us know.

Thanks

JD...
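JD's rule above (anything that must cross the tunnel has to be interesting traffic on both ends, and must not be translated by NAT before it reaches the crypto map) can be checked mechanically against the central-site config posted in the question. The script below is an added example, not code from this thread or from Cisco. It works on an excerpt of the posted config constructed here (placeholder public IPs left out), finds the crypto ACL named in the crypto map's `match address` line and the NAT ACL named in `ip nat inside source list`, and reports for each local subnet whether traffic to 192.168.14.0/24 would be selected for encryption and whether it would be NATed first. The remote side still has to be checked separately, as JD says.

```python
import ipaddress
import re

# Constructed excerpt of the central-site config posted above; only the lines
# the audit needs are kept, and the placeholder public addresses are omitted.
CONFIG = """\
crypto map TUNNELVPN 1 ipsec-isakmp
 set peer (Remote-site-Public-IP)
 set transform-set tunnel-trans
 match address ipsec-vondron-list
!
ip nat inside source list ACL-NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL-NAT
 remark deny traffic that goes to VPN
 deny   ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
 remark permit rest
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.104.0 0.0.0.3 any
ip access-list extended ipsec-vondron-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
ip access-list extended nonat-list
 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
!
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config):
    """Return {name: [(action, src, dst), ...]} for every named extended ACL.

    Only 'permit ip' / 'deny ip' entries are kept, in order. Remarks,
    port-qualified entries and lines with unparsable placeholders are skipped.
    """
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the ACL block
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        try:
            src, rest = parse_endpoint(parts[2:])
            dst, _ = parse_endpoint(rest)
        except (ValueError, IndexError):
            continue                # e.g. "(Remote-site-Public-IP)" placeholders
        current.append((parts[0], src, dst))
    return acls


def first_match(entries, src, dst):
    """IOS ACLs are evaluated first-match; the implicit final entry is deny."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def referenced_acl(config, pattern):
    """Name of the ACL referenced by the first line matching `pattern`, or None."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def audit(config, local_subnets, remote_subnet):
    """For each local subnet, list why its traffic to the remote LAN would miss the tunnel."""
    acls = parse_acls(config)
    crypto = acls.get(referenced_acl(config, r"^ match address (\S+)"), [])
    nat = acls.get(referenced_acl(config, r"^ip nat inside source list (\S+)"), [])
    remote = ipaddress.IPv4Network(remote_subnet)
    findings = {}
    for local in map(ipaddress.IPv4Network, local_subnets):
        problems = []
        if first_match(crypto, local, remote) != "permit":
            problems.append("not in crypto ACL (not interesting traffic)")
        if first_match(nat, local, remote) == "permit":
            problems.append("matches NAT ACL (translated before encryption)")
        findings[str(local)] = problems
    return findings


if __name__ == "__main__":
    result = audit(CONFIG, ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
                   "192.168.14.0/24")
    for net, problems in result.items():
        print(net, "OK" if not problems else "; ".join(problems))
```

Run against the excerpt, it reports 192.168.1.0/24 as OK and both 192.168.2.0/24 and 192.168.3.0/24 as absent from `ipsec-vondron-list` and caught by the `permit ... any` lines of ACL-NAT, which is the kind of interesting-traffic mismatch both replies point at. Because IOS ACLs are first-match, the order of the deny and permit entries in the NAT ACL matters as much as their presence, which is why the check walks the entries in order rather than just looking for a deny line.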
You seem to have everything in place on the Cisco router, but without seeing the remote end it is difficult to say where the mismatch is. I would go back through both configurations and make sure that phase 1 and phase 2 on both sides match up.

--

Please remember to select a correct answer and rate helpful posts