
Can't reach LAN through IPSec tunnel

Nils Storm
Level 1

Hi forums,

I have a problem with my IPSec VPN tunnel: I can't reach the devices which are "behind" the router from the VPN client. I use a Cisco ISR 1941 router and set it up for EasyVPN with a virtual-template. All the local clients that are directly connected to the router (e.g. the NAS box) are working fine; just the 3560 switches and the PCs connected to the switches are unreachable. I want to route all the traffic from the VPN clients through the router, so I didn't use an ACL for split tunneling. For testing purposes I tried to run it with a split tunnel ACL, but it didn't work either.

The IPSec tunnel itself works fine; it's just the routing. There are no logs about any dropped packets from the ZBF.

If anyone has an idea how to solve the problem, please let me know. Thanks.

Kind regards

Nils Storm

2 Replies

Hi Nils,

In this case, on the router you will need to check the following configuration:

+ NAT exemption of the networks placed behind the switch:

  For example:

  access-list 101 deny ip XXXXX XXXXX YYYYY YYYYY
  access-list 101 permit ip XXXXX XXXXX any
  ip nat inside source list 101 interface GigabitEthernet0/0 overload

  XXXXX -> Networks on the switch
  YYYYY -> IP Pool

Then let's clear the NAT translations: clear ip nat translation *

+ Now on the switch, make sure there is a route sending the packets back to the router when they come from the IP pool, so the router will send those packets to the VPN client.

Try a tracert on the client to see where the packet is getting to and where it might be getting dropped.

Please rate and mark this post as Correct!

Regards,

David Castro
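Added example, written here to illustrate the two checks in the reply above (not code from David, Nils or Cisco): a small Python model of IOS wildcard-mask ACL matching as used by the NAT exemption, plus a longest-prefix route lookup standing in for the switch's return route. All addresses are constructed and stand in for the XXXXX / YYYYY placeholders.

```python
import ipaddress

# Constructed addressing (not from the thread), standing in for the XXXXX / YYYYY
# placeholders above: the LAN behind the 3560 and the EasyVPN client pool.
LAN_BEHIND_SWITCH = "192.168.11.0 0.0.0.255"   # IOS "address wildcard" notation
VPN_POOL = "192.168.51.0 0.0.0.255"

def wildcard_match(addr, spec):
    """IOS wildcard semantics: where a wildcard bit is 0, the address bit must equal the base."""
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_action(acl, src, dst):
    """First-match evaluation of entries (action, src_spec, dst_spec); implicit deny at the end."""
    for action, s, d in acl:
        if (s == "any" or wildcard_match(src, s)) and (d == "any" or wildcard_match(dst, d)):
            return action
    return "deny"

# Without the deny line, LAN replies to VPN clients match the permit and get translated.
NAT_ACL_WITHOUT_EXEMPTION = [("permit", LAN_BEHIND_SWITCH, "any")]
NAT_ACL_WITH_EXEMPTION = [
    ("deny", LAN_BEHIND_SWITCH, VPN_POOL),   # VPN-bound traffic is exempt from NAT
    ("permit", LAN_BEHIND_SWITCH, "any"),    # everything else is PATed to the outside
]

def will_be_natted(acl, src, dst):
    """'ip nat inside source list <acl>' translates a flow only when the ACL permits it."""
    return acl_action(acl, src, dst) == "permit"

def next_hop(routes, dst):
    """Longest-prefix match over a constructed switch routing table; None means no return path."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None

# Constructed switch tables: connected VLAN and uplink only, then with the return route added.
SWITCH_ROUTES_NO_RETURN = [("192.168.11.0/24", "connected"), ("192.168.250.0/30", "connected")]
SWITCH_ROUTES_WITH_RETURN = SWITCH_ROUTES_NO_RETURN + [("192.168.51.0/24", "192.168.250.1")]

if __name__ == "__main__":
    print("LAN reply NATed without exemption:", will_be_natted(NAT_ACL_WITHOUT_EXEMPTION, "192.168.11.50", "192.168.51.10"))
    print("Switch return hop for VPN pool:", next_hop(SWITCH_ROUTES_WITH_RETURN, "192.168.51.10"))
```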

Hi David,

The router doesn't do NAT, so the problem can't be related to that. Because of my ISP, I have to run a FritzBox 7360 as the edge device, otherwise I wouldn't have telephone service. So the FritzBox is doing the NAT stuff.

Ping from MacBook to router inside interface, through VPN

USER:~ CISCO123$ ping 192.168.250.1
PING 192.168.250.1 (192.168.250.1): 56 data bytes
64 bytes from 192.168.250.1: icmp_seq=0 ttl=255 time=420.126 ms
64 bytes from 192.168.250.1: icmp_seq=1 ttl=255 time=125.395 ms
64 bytes from 192.168.250.1: icmp_seq=2 ttl=255 time=175.336 ms
^C
--- 192.168.250.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 125.395/240.286/420.126/128.790 ms
USER:~ CISCO123$ 
Traceroute from MacBook to router inside interface, through VPN
USER:~ CISCO123$ traceroute 192.168.250.1
traceroute to 192.168.250.1 (192.168.250.1), 64 hops max, 52 byte packets
 1  192.168.51.1 (192.168.51.1)  207.630 ms *  122.724 ms
USER:~ CISCO123$ 
Traceroute from MacBook to switch local VLAN interface, through VPN

USER:~ CISCO123$ traceroute 192.168.11.1
traceroute to 192.168.11.1 (192.168.11.1), 64 hops max, 52 byte packets
 1  192.168.51.1 (192.168.51.1)  40.116 ms  39.183 ms  40.270 ms
 2  * * *
 3  * * *
 4  * * *
^C
USER:~ CISCO123$ 
Traceroute from MacBook to switch uplink interface, through VPN
USER:~ CISCO123$ traceroute 192.168.250.0
traceroute to 192.168.250.0 (192.168.250.0), 64 hops max, 52 byte packets
 1  192.168.51.1 (192.168.51.1)  190.372 ms  40.370 ms  40.342 ms
 2  * * *
 3  * * *
 4  * * *
^C
USER:~ CISCO123$ 
Traceroute from MacBook to switch local VLAN interface, through VPN
USER:~ CISCO123$ traceroute 192.168.21.1
traceroute to 192.168.21.1 (192.168.21.1), 64 hops max, 52 byte packets
 1  192.168.51.1 (192.168.51.1)  464.060 ms  39.454 ms  37.965 ms
 2  * * *
 3  * * *
 4  * * *
^C
USER:~ CISCO123$ 

Ping from MacBook to router local VLAN (DMZ) device, through VPN
USER:~ CISCO123$ ping 176.16.2.12
PING 176.16.2.12 (176.16.2.12): 56 data bytes
64 bytes from 176.16.2.12: icmp_seq=0 ttl=63 time=125.701 ms
64 bytes from 176.16.2.12: icmp_seq=1 ttl=63 time=103.939 ms
64 bytes from 176.16.2.12: icmp_seq=2 ttl=63 time=180.774 ms
64 bytes from 176.16.2.12: icmp_seq=3 ttl=63 time=319.336 ms
64 bytes from 176.16.2.12: icmp_seq=4 ttl=63 time=110.242 ms
64 bytes from 176.16.2.12: icmp_seq=5 ttl=63 time=124.429 ms
64 bytes from 176.16.2.12: icmp_seq=6 ttl=63 time=166.685 ms
64 bytes from 176.16.2.12: icmp_seq=7 ttl=63 time=182.134 ms
64 bytes from 176.16.2.12: icmp_seq=8 ttl=63 time=114.684 ms
64 bytes from 176.16.2.12: icmp_seq=9 ttl=63 time=68.899 ms
64 bytes from 176.16.2.12: icmp_seq=10 ttl=63 time=109.533 ms
64 bytes from 176.16.2.12: icmp_seq=11 ttl=63 time=114.487 ms
^C
--- 176.16.2.12 ping statistics ---
12 packets transmitted, 12 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 68.899/143.404/319.336/61.968 ms
USER:~ CISCO123$ 
Traceroute from MacBook to router local VLAN (DMZ) device, through VPN

USER:~ CISCO123$ traceroute 176.16.2.12
traceroute to 176.16.2.12 (176.16.2.12), 64 hops max, 52 byte packets
 1  192.168.51.1 (192.168.51.1)  116.512 ms  37.616 ms  39.268 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * freenas-dmz.CISCO123.local (176.16.2.12)  38.075 ms
USER:~ CISCO123$