Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
0
Helpful
4
Replies

Connecting from a remote computer to a remote office using VPN X 2

amir_prat
Level 1
Level 1

‎04-15-2010 12:26 PM

Hi All

I have the following problem:

we have two offices that are connected with VPN. Office 2 has a server users on office 1 use. Office 1 has remote users that connect using a VPN client.

Users in Office 1 working under NAT communicate with the server in office 2 without a problem.

The issue is that remote users of office 1 can not connect directly to the server on office 2. IE if a remote user wants to communicate with server 172.16.12.123

He can't.

I add a drwaing where router 1 is found in office 1 and router 2 is found in office 2 as well as the router (1721) configuration.

Any help would be appreciated.

vpn.JPG


!
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
clock timezone est -5
clock summer-time zone recurring
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1******R address 111.111.25.34 no-xauth
!
crypto isakmp client configuration group ******
key *****
dns 192.168.82.2
wins 192.168.82.2
domain *****.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 111.111.25.34
set transform-set myset
match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 22.22.143.212 255.255.255.248
ip access-group filterinE0 in
ip access-group filteroutE0 out
ip nat outside
full-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.82.5 255.255.255.0
ip nat inside
ip policy route-map nonat
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
!
router rip
version 2
network 192.168.82.0
no auto-summary
!
ip local pool ippool 172.16.8.1 172.16.8.250
ip nat pool Router-natpool-1 22.22.143.210 22.22.143.210 netmask 255.255.255.248
ip nat inside source list 150 pool Router-natpool-1 overload
ip nat inside source static 192.168.82.5 22.22.143.209
ip classless
ip route 0.0.0.0 0.0.0.0 22.22.143.214
no ip http server
no ip http secure-server
!
!
!
ip access-list extended filterinE0
permit udp any eq isakmp any eq isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq 1701
permit ip 172.16.12.0 0.0.0.255 any
permit ip 172.16.8.0 0.0.0.255 any
  evaluate infilterE0
deny   ip any any

ip access-list extended filteroutE0
permit ip host 22.22.143.209 any reflect infilterE0
permit ip host 22.22.143.210 any reflect infilterE0
permit ip any 172.16.8.0 0.0.0.255 reflect infilterE0
permit ip any 172.16.12.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp any any eq www
access-list 101 deny   ip any any
access-list 103 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 108 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 150 deny   ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 150 permit ip 192.168.82.0 0.0.0.255 any
!
route-map nonat permit 11
match ip address 103
set ip next-hop 1.1.1.2
!
snmp-server community public RO
snmp-server enable traps tty
radius-server host 192.168.82.2 auth-port 1645 acct-port 1646 key 7 *****
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 0 0
password 7 ****
line aux 0
line vty 0 4
password 7 ****
!
no scheduler allocate
ntp clock-period 17180216
ntp server 150.208.72.154
ntp server 198.123.30.132
!
end

Labels:
0 Helpful
4 Replies 4

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-15-2010 01:26 PM

Hi,

Let's see if I understand....

If you have a L2L tunnel between both offices, then you are not going to be able to connect from the remote office using the VPN client (if using the same public IP as the L2L connection).

This is because the main office will already have a VPN tunnel established with the public IP of the remote site, and will not permit another VPN connection coming from the same IP. (If the VPN clients connect using another IP, then it will work).

Is this your situation?

Federico.

0 Helpful

amir_prat
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-15-2010 01:32 PM

Hi Federico

I am sorry I was not clear. The remote client is on the road or in a totaly different location and public IP. IE there is a remote user, Office 1 and Office 2.

The remote user uses vpn client to connect to office 1.

Thanks

Amir

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to amir_prat

‎04-15-2010 01:38 PM

Ok, I understand now...

So, the VPN client connects to Office 1 and from there, there's another tunnel (L2L) to Office 2.

The VPN clients should access the server on Office 2 correct?

If so, what you need is to include the VPN pool in the L2L interesting traffic, and include the Office 2 LAN on the VPN client traffic.

In other words,

The crypto ACL for the L2L is:

access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255

This ACL is encrypting traffic between Office 2 LAN and Office 1 LAN.

You must include in that ACL a line like this:

access-list 110 permit ip 192.168.82.0 0.0.0.255 x.x.x.x mask  --> x.x.x.x is the pool of VPN clients on Office 1

On the configuration of Router 1, you must also add the 192.168.82.0/24 in the interesting traffic for the VPN clients.

Federico.

0 Helpful

amir_prat
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-16-2010 05:47 AM

Thanks again.

I added the following:

access-list 108 permit ip 192.168.82.0 0.0.0.255 172.16.8.0 0.0.0.255

access-list 108 permit ip 172.16.12.0 0.0.0.255 172.16.8.0 0.0.0.255

access-list 110 permit ip 192.168.82.0 0.0.0.255 172.16.12.0 0.0.0.255

access-list 110 permit ip 172.16.8.0 0.0.0.255 172.16.12.0 0.0.0.255

where I assume ACL 108 used for remote users would let clients access Office 2

and ACL 110 would let the remote users access teh office 1 <--> office 2 VPN

How ever it stilll not working...

Thansk for helping.

Amir

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents