Cisco IPSec VPN Tunnel hosts not communicating

onyangoliech
Level 1

I have set up IPsec on two routers on two different sites. Site A private IPs 172.16.200.x/24 and site B private IPs 172.16.100.x/24. Router interfaces are configured for the 1st valid host for each as secondary IPs. 

On testing, a host on 172.16.200.x can ping the router interface on 172.16.100.x. However, the host cannot ping any host inside the remote network, and neither can the two routers ping each other.

Here's the IPSec config and the ACLs for the HQ, which has two tunnels:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address hhh.hhh.hhh.hhh no-xauth
crypto isakmp key yyyyy address nnn.nnn.nnn.nnn no-xauth
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map IPSEC_MAP 1 ipsec-isakmp
 set peer hhh.hhh.hhh.hhh
 set transform-set vpn1
 match address VPN-ACL
crypto map IPSEC_MAP 2 ipsec-isakmp
 set peer nnn.nnn.nnn.nnn
 set transform-set vpn1
 match address VPN2-ACL
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Connection to the LAN
 ip address 172.16.200.1 255.255.255.0 secondary
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Connection to the WAN
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 crypto map IPSEC_MAP
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_MAP interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard ACL_NAT
 permit 192.168.200.0 0.0.0.255
 deny   any
!
ip access-list extended ACL_NONAT
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 172.16.200.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ACL_RTP
 permit tcp host 192.168.200.50 any range 60000 64999
 permit udp host 192.168.200.50 any range 60000 64999
ip access-list extended IPSEC_TRANSFORM
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
ip access-list extended VPN-ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
ip access-list extended VPN2-ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended NAT_MAP
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.200.0 0.0.0.255 any
!
!
!
!
!
route-map RM_NONAT permit 10
 match ip address ACL_NONAT
!



Hi,

You have a problem with the ACL:

ip access-list extended NAT_MAP
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.200.0 0.0.0.255 any

Your ACL shows that 172.16.200.0 will go outside with NAT; you have to modify this ACL and bypass the NAT for reaching the 172.16.100.0 network.


ip access-list extended NAT_MAP
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 172.16.200.0 0.0.0.255 any

HTH

kazim


"Please rate and select correct answer if post helpful"
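As an added example (not code from the thread or from either poster), the following Python model of IOS first-match ACL evaluation checks how the HQ NAT_MAP and VPN-ACL treat a 172.16.200.x to 172.16.100.x flow. It assumes the classic crypto-map order of operations (inside-to-outside NAT first, then the crypto ACL sees the translated packet) and uses 203.0.113.1 as a placeholder for the negotiated Dialer1 address; the misordered NAT list is constructed to show why the exemption must sit above the permit entries.

```python
import ipaddress
# Added example: IOS-style first-match ACL evaluator (assumes NAT runs before the crypto map).

def _net(addr, wildcard):
    # IOS wildcard -> netmask; ipaddress accepts the "addr/netmask" string form
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>', each side 'any' or 'addr wildcard'."""
    tok = line.split()
    action, rest, nets = tok[0], tok[2:], []   # tok[1] is the protocol keyword "ip"
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        else:
            nets.append(_net(rest[0], rest[1])); rest = rest[2:]
    return action, nets[0], nets[1]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in map(parse_ace, acl):
        if s in sn and d in dn:
            return action == "permit"
    return False

def flow_disposition(nat_acl, crypto_acl, src, dst, outside_ip="203.0.113.1"):
    """Return (natted, tunneled); the crypto ACL sees the post-NAT source address."""
    natted = acl_permits(nat_acl, src, dst)   # outside_ip is a placeholder Dialer1 address
    return natted, acl_permits(crypto_acl, outside_ip if natted else src, dst)

# Entries as posted for the HQ side; NAT_MAP_MISORDERED is a constructed counter-example.
VPN_ACL = [
    "permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255",
]
NAT_MAP_FIXED = [   # exemption above the permit entries, as suggested in the reply
    "deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
    "deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255",
    "permit ip 192.168.200.0 0.0.0.255 any",
    "permit ip 172.16.200.0 0.0.0.255 any",
]
NAT_MAP_MISORDERED = [   # permit-any evaluated before the exemption
    "permit ip 172.16.200.0 0.0.0.255 any",
    "deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255",
]
if __name__ == "__main__":
    print(flow_disposition(NAT_MAP_MISORDERED, VPN_ACL, "172.16.200.10", "172.16.100.10"))
```

With the fixed list the VPN flow is exempt from NAT and still matches VPN-ACL; with the misordered list it is translated first and then no longer matches the crypto ACL, so it leaves in the clear.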

onyangoliech
Level 1

Hi Kazim,

Thanks for the response. I've made the change on both routers but still cannot access all hosts in the vpn. The routers cannot even ping the internal class B interface. 

OK, send the config of the other side also, I will check.


 crypto map IPSEC_MAP
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 172.16.100.1 255.255.255.0 secondary
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 nnn.nnn.nnn.nnt
ip route 192.168.1.0 255.255.255.0 192.168.100.247
!
ip nat inside source list NAT_MAP interface FastEthernet4 overload

ip access-list standard ACL_NAT
 permit 192.168.100.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
ip access-list extended ACL_NONAT
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 172.16.100.0 0.0.0.255 any
ip access-list extended IPSEC_TRANSFORM2
 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended NAT_MAP
 deny   ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.16.100.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
ip access-list extended TRANSFORM_MAP

route-map RM_NONAT permit 10
 match ip address ACL_NONAT
!
!
!

OK, try these two changes on both sides:

interface GigabitEthernet0/1
 description Connection to the WAN
 no ip nat outside

interface GigabitEthernet0/0
 description Connection to the LAN
 ip address 172.16.200.1 255.255.255.0 secondary
 ip address 192.168.200.1 255.255.255.0
 ip nat inside

ip tcp adjust-mss 1452

HTH