04-15-2010 12:26 PM
Hi All
I have the following problem:
We have two offices that are connected with a VPN. Office 2 has a server that users in Office 1 use. Office 1 has remote users that connect using a VPN client.
Users in Office 1 working under NAT communicate with the server in office 2 without a problem.
The issue is that remote users of Office 1 cannot connect directly to the server in Office 2, i.e. if a remote user wants to communicate with server 172.16.12.123, he can't.
I have added a drawing where router 1 is in Office 1 and router 2 is in Office 2, as well as the router (1721) configuration.
Any help would be appreciated.
!
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
clock timezone est -5
clock summer-time zone recurring
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1******R address 111.111.25.34 no-xauth
!
crypto isakmp client configuration group ******
key *****
dns 192.168.82.2
wins 192.168.82.2
domain *****.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 111.111.25.34
set transform-set myset
match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 22.22.143.212 255.255.255.248
ip access-group filterinE0 in
ip access-group filteroutE0 out
ip nat outside
full-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.82.5 255.255.255.0
ip nat inside
ip policy route-map nonat
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
router rip
version 2
network 192.168.82.0
no auto-summary
!
ip local pool ippool 172.16.8.1 172.16.8.250
ip nat pool Router-natpool-1 22.22.143.210 22.22.143.210 netmask 255.255.255.248
ip nat inside source list 150 pool Router-natpool-1 overload
ip nat inside source static 192.168.82.5 22.22.143.209
ip classless
ip route 0.0.0.0 0.0.0.0 22.22.143.214
no ip http server
no ip http secure-server
!
!
!
ip access-list extended filterinE0
permit udp any eq isakmp any eq isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 1701
permit ip 172.16.12.0 0.0.0.255 any
permit ip 172.16.8.0 0.0.0.255 any
evaluate infilterE0
deny ip any any
ip access-list extended filteroutE0
permit ip host 22.22.143.209 any reflect infilterE0
permit ip host 22.22.143.210 any reflect infilterE0
permit ip any 172.16.8.0 0.0.0.255 reflect infilterE0
permit ip any 172.16.12.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp any any eq www
access-list 101 deny ip any any
access-list 103 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 108 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 150 deny ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 150 permit ip 192.168.82.0 0.0.0.255 any
!
route-map nonat permit 11
match ip address 103
set ip next-hop 1.1.1.2
!
snmp-server community public RO
snmp-server enable traps tty
radius-server host 192.168.82.2 auth-port 1645 acct-port 1646 key 7 *****
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 0 0
password 7 ****
line aux 0
line vty 0 4
password 7 ****
!
no scheduler allocate
ntp clock-period 17180216
ntp server 150.208.72.154
ntp server 198.123.30.132
!
end
04-15-2010 01:26 PM
Hi,
Let's see if I understand....
If you have a L2L tunnel between both offices, then you are not going to be able to connect from the remote office using the VPN client (if using the same public IP as the L2L connection).
This is because the main office will already have a VPN tunnel established with the public IP of the remote site, and will not permit another VPN connection coming from the same IP. (If the VPN clients connect using another IP, then it will work).
Is this your situation?
Federico.
04-15-2010 01:32 PM
Hi Federico
I am sorry I was not clear. The remote client is on the road or in a totally different location with a different public IP, i.e. there is a remote user, Office 1 and Office 2.
The remote user uses vpn client to connect to office 1.
Thanks
Amir
04-15-2010 01:38 PM
Ok, I understand now...
So, the VPN client connects to Office 1 and from there, there's another tunnel (L2L) to Office 2.
The VPN clients should access the server on Office 2 correct?
If so, what you need is to include the VPN pool in the L2L interesting traffic, and include the Office 2 LAN on the VPN client traffic.
In other words,
The crypto ACL for the L2L is:
access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
This ACL is encrypting traffic between Office 2 LAN and Office 1 LAN.
You must include in that ACL a line like this:
access-list 110 permit ip 192.168.82.0 0.0.0.255 x.x.x.x mask --> x.x.x.x is the pool of VPN clients on Office 1
On the configuration of Router 1, you must also add the 192.168.82.0/24 in the interesting traffic for the VPN clients.
Federico.
04-16-2010 05:47 AM
Thanks again.
I added the following:
access-list 108 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 108 permit ip 172.16.12.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 110 permit ip 172.16.8.0 0.0.0.255 172.16.12.0 0.0.0.255
where I assume ACL 108, used for remote users, would let clients access Office 2,
and ACL 110 would let the remote users access the Office 1 <--> Office 2 VPN.
However, it is still not working...
Thanks for helping.
Amir
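The checks in Federico's advice can be done mechanically. The script below is an added example and is not part of this thread or Amir's configuration: it parses the numbered `access-list ... ip` entries Amir posted, answers which entry a client-to-server flow hits, and applies the crypto ACL mirror rule (every permit on one peer needs a permit with source and destination swapped on the other peer, otherwise the proxy identities are rejected when the L2L SA is negotiated). Router 2's crypto ACL is not shown in the thread, so the `ROUTER2` text and its ACL number 120 are constructed for illustration.

```python
"""Parse IOS numbered 'access-list N permit|deny ip SRC DST' lines, test flows
against them, and check that two peers' crypto ACLs mirror each other.
Added example; the Router 2 ACL below is constructed, not from the thread."""
import ipaddress
from typing import NamedTuple, Optional


class AclEntry(NamedTuple):
    acl: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


_ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _network(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return _ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits are the inverse of netmask bits; a non-contiguous
    # wildcard raises ValueError here, which is the right outcome for a crypto ACL.
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)
    return net, tokens[2:]


def parse_acls(config: str):
    """Return {acl_number: [AclEntry, ...]} in configured (first-match) order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # only 'ip' entries matter for crypto and NAT ACLs here
        src, rest = _network(t[4:])
        dst, _ = _network(rest)
        acls.setdefault(t[1], []).append(AclEntry(t[1], t[2], src, dst))
    return acls


def first_match(entries, src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """IOS ACLs are evaluated top-down; None models the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e
    return None


def mirror_gaps(local, remote):
    """Local permits that no remote permit mirrors (remote src covers our dst, remote dst covers our src)."""
    return [
        e for e in local
        if e.action == "permit" and not any(
            r.action == "permit" and r.src.supernet_of(e.dst) and r.dst.supernet_of(e.src)
            for r in remote
        )
    ]


# Router 1 entries exactly as posted in the thread (ACL 108 = split tunnel, ACL 110 = L2L).
ROUTER1 = """\
access-list 108 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 108 permit ip 172.16.12.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 110 permit ip 172.16.8.0 0.0.0.255 172.16.12.0 0.0.0.255
"""
# Constructed Router 2 crypto ACL (number 120 is an assumption): it still
# mirrors only the original LAN-to-LAN entry, not the VPN client pool.
ROUTER2 = """\
access-list 120 permit ip 172.16.12.0 0.0.0.255 192.168.82.0 0.0.0.255
"""

if __name__ == "__main__":
    r1, r2 = parse_acls(ROUTER1), parse_acls(ROUTER2)
    hit = first_match(r1["110"], "172.16.8.10", "172.16.12.123")
    print("client -> server hits L2L crypto ACL entry:", hit)
    # Split-tunnel ACLs are written from the LAN side, so test the server -> client direction.
    print("server -> client hits split-tunnel entry:", first_match(r1["108"], "172.16.12.123", "172.16.8.10"))
    for gap in mirror_gaps(r1["110"], r2["120"]):
        print(f"Router 2 has no mirror for {gap.src} -> {gap.dst}; add permit ip {gap.dst} -> {gap.src}")
```

Run as-is it reports that the client-to-server flow is interesting traffic on Router 1 but that the constructed Router 2 ACL has no mirror for 172.16.8.0/24 -> 172.16.12.0/24. The same `first_match` can be pointed at ACL 150 to confirm that pool traffic is not caught by the NAT rule, and at any peer ACL you paste in place of `ROUTER2`.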