10-27-2011 03:26 AM
Hi,
I am very new to Cisco routers and IOS, so please excuse any ignorance on my part; we are a small start-up and I am a makeshift sysadmin. We have purchased a Cisco 892W router to provide a fixed VPN tunnel to our VPC hosted by Amazon. The router setup was a cut-and-paste job from Amazon and works perfectly. Since a few of us work out of the office, I decided to also attempt to set up an EasyVPN server to allow users to access the office servers and the AWS VPC. Again, following a few how-tos, I have got this up and running and can establish a VPN tunnel and log in and use the office servers. However, I cannot directly access the servers in the VPC (I can log in to a server in the office and from there log in to a VPC server).
I have spent a few days experimenting with different configurations and trawling the web and learnt a lot, but not solved the problem. The router is using zone-based security, and I found that if I made the Virtual-Template interface for the ezvpn a member of the out-zone, I can see the VPC servers directly through the ezvpn tunnel, but then I cannot see the servers in the office. So I am convinced this is a firewall/routing issue.
Further reading on the web about hairpinning has me concerned that I might be trying to achieve something the router is not capable of; I only have a single fixed IP address to the outside world (with the capability to add more if that helps).
So can anyone help answer the question: is what I am trying to achieve possible with the single 892W box? I think it is, because I can see both groups of servers depending on which zone I put the ezvpn in. Also, what info do I need to provide to help someone diagnose the problem: config file, show reports, etc.?
Thanks,
Chris.
11-11-2011 07:55 PM
Can you explain in more detail? I understand you have a VPN tunnel between your office and Amazon, which is hosting a server. A couple of questions:
Is this a LAN-2-LAN tunnel between your company Cisco router and amazon?
What is your ezvpn setup? Do you mean you have client VPN set up on the router also, so you can remote VPN from your laptop to your office Cisco router?
Sent from Cisco Technical Support iPhone App
11-18-2011 07:55 AM
Hi
Thanks for the reply.
The VPN between Amazon and my company is a LAN-2-LAN tunnel with the configuration settings supplied by Amazon. Since it is a routing issue, it is probably worth mentioning that BGP is used to maintain routing information between the Amazon VPC and our router. (Amazon's BGP requirement is what drove the choice of Cisco box in the first place.)
So I was trying to add the capability for users to log in to the office from home via a VPN and use servers in the office and on Amazon. So I set up the router to act as an ezvpn server and configured the client on my Mac to connect to the ezvpn server. This worked.
If the virtual interface for the ezvpn server is configured to be in the in-zone, then via the VPN I could see the servers in the office but not the Amazon servers. If I configured the virtual interface to be in the out-zone, I could see servers at Amazon but not the office.
The Amazon VPN tunnel interfaces are configured to be in the in-zone, which is why I thought that if all interfaces are in the same security zone everything would just work. But that is not the case.