multiple subnet VPN connectivity problem

junaid haroon, Level 1

Hi,

I have an HQ and a branch office. In the head office I have two subnets, 192.168.0.0 and 168.168.50.0, and in the branch office I have 192.168.1.254.

Users on subnet 192.168.0.0 can ping and access the branch office PCs, whereas the users on subnet 192.168.50.0 cannot access the branch office.

At HQ I have a PIX and at the branch office I have a Cisco 2600 router.

Please help me out.

In the branch office I have a Cisco 2600 router; its configuration is as follows:

Current configuration : 3006 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname KHhhI_RTR
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ip name-server 202.163.96.3
ip name-server 202.163.96.4
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
object-group network INTERNET-PCS
 range 192.168.1.1 192.168.1.10
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********************* address 124.109.46.242
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto map smap 10 ipsec-isakmp
 set peer 124.109.46.242
 set transform-set tset
 match address 101
crypto map smap 20 ipsec-isakmp
 ! Incomplete
 set peer 124.109.41.188
 set transform-set tset
 match address 150
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description inside interface
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username gfdgfgfdgfdgfd password 7 45554654jhjghjhg
 crypto map smap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.100.0 255.255.255.0 192.168.1.202
ip route 124.109.46.240 255.255.255.240 124.109.46.242
ip route 192.168.0.0 255.255.255.0 124.109.46.242
ip route 192.168.4.0 255.255.255.0 124.109.41.188
ip route 192.168.50.0 255.255.255.0 124.109.46.242
ip http server
no ip http secure-server
!
ip nat inside source list 111 interface Dialer1 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 124.109.46.245 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.0.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map nat permit 10
 match ip address 111
!
control-plane
!
mgcp fax t38 ecm
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

In the head office I have a PIX; the following is its configuration:

: Saved
: Written by enable_15 at 09:42:43.122 PKT Tue Sep 24 2013
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QPOcXkiG6/gi/fOw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
clock timezone PKT 5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_int permit icmp any any echo-reply
access-list outside_int permit icmp any any source-quench
access-list outside_int permit icmp any any unreachable
access-list outside_int permit icmp any any time-exceeded
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 any
access-list kchi_map permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list kchi_map permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list kchi_map permit ip host 124.109.46.245 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.0.229
mtu outside 1500
mtu inside 1500
ip address outside 124.109.46.242 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool client_pool 192.168.10.1-192.168.10.254
pdm location 124.109.46.245 255.255.255.255 outside
pdm location 124.109.46.249 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.27 255.255.255.255 inside
pdm location 192.168.0.28 255.255.255.255 inside
pdm location 192.168.0.224 255.255.255.255 inside
pdm location 192.168.0.225 255.255.255.255 inside
pdm location 192.168.0.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 124.109.46.241 1
route outside 192.168.1.0 255.255.255.0 124.29.194.3 1
route outside 192.168.2.0 255.255.255.0 202.163.68.117 1
route outside 192.168.3.0 255.255.255.0 124.29.231.197 1
timeout xlate 0:15:00
timeout conn 0:20:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.229
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.173 /bk
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto dynamic-map dmap 200 set transform-set tset
crypto map smap 6 ipsec-isakmp
crypto map smap 6 match address karachi_map
crypto map smap 6 set peer 124.29.194.3
crypto map smap 6 set transform-set tset
crypto map smap 7 ipsec-isakmp
crypto map smap 7 match address lahore_map
crypto map smap 7 set peer 202.163.68.117
crypto map smap 7 set transform-set tset
crypto map smap 8 ipsec-isakmp dynamic dmap
crypto map smap 9 ipsec-isakmp
crypto map smap 9 match address peshawar_map
crypto map smap 9 set peer 124.29.231.197
crypto map smap 9 set transform-set tset
crypto map smap client configuration address respond
crypto map smap interface outside
isakmp enable outside
isakmp key ******************** address 124.29.194.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient idle-time 1800
vpngroup client idle-time 1800
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:58748fe6658fcd4a2b4afd9cf717451f
: end

Accepted Solution

Jeff Van Houten, Level 5

The ACEs in access-list 111 are not in the correct order. ACEs in ACLs are processed top-down. You are hitting the permit before the deny for 192.168.50.x, so the traffic is being routed out through the NAT for the Internet connection, not through the IPsec tunnel. Move the permit statement last, after the 3 deny statements.

Sent from Cisco Technical Support iPad App

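As an added worked example (not code from the original thread), the script below models the first-match ACL evaluation the answer describes, together with the IOS inside-to-outside order of operations that makes the ACE order matter: the NAT ACL (111) is consulted first, a permit there rewrites the source address to the Dialer1 public address, and only then is the crypto-map ACL (101) checked against the possibly translated packet. It parses ACLs 101 and 111 straight from the posted config text and runs the same 192.168.1.x to 192.168.50.x flow through both the posted order and the order the answer recommends. The Dialer1 address 203.0.113.7 is an assumption, since it is PPPoE-negotiated on the real router and not in the thread.

```python
"""First-match ACL evaluation, modelled on the branch 2600 in this thread.
Added example; it is not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Target = Tuple[int, int]  # (network, wildcard mask) as ints; wildcard 1 bits = don't care

# ACLs exactly as posted for the 2600 (the ACL 111 permit sits second).
POSTED_CONFIG = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 124.109.46.245 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.0.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
"""
# ACL 111 with the permit moved after the three denies, as the answer suggests.
FIXED_CONFIG = """
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
"""
# Assumption: Dialer1's negotiated address is not in the thread; any address
# outside 192.168.1.0/24 behaves the same here.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Target
    dst: Target
    text: str     # original line, kept to show which ACE was hit


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _target(tok: List[str], i: int) -> Tuple[Target, int]:
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_addr(tok[i + 1]), 0), i + 2
    return (_addr(tok[i]), _addr(tok[i + 1])), i + 2


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect 'access-list <number> ...' lines from IOS config text, in order.
    Only 'ip' ACEs are handled (all the thread uses); trailing keywords such
    as 'log' are ignored."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        if tok[3] != "ip":
            raise ValueError("unsupported protocol in ACE: " + line)
        src, i = _target(tok, 4)
        dst, _ = _target(tok, i)
        aces.append(Ace(tok[2], src, dst, line.strip()))
    return aces


def _matches(target: Target, addr: int) -> bool:
    net, wild = target
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Top-down, first match wins; None stands for the implicit deny at the end."""
    s, d = _addr(src), _addr(dst)
    for ace in acl:
        if _matches(ace.src, s) and _matches(ace.dst, d):
            return ace
    return None


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    ace = first_match(acl, src, dst)
    return ace.action if ace else "deny"


def forward(nat_acl: List[Ace], crypto_acl: List[Ace], src: str, dst: str,
            public_ip: str = PUBLIC_IP) -> str:
    """How the branch router sends an inside packet: 'ipsec' or 'nat-internet'."""
    if evaluate(nat_acl, src, dst) == "permit":
        src = public_ip  # 'ip nat inside source list 111 interface Dialer1 overload'
    # A translated source no longer matches any 192.168.1.0/24 ACE in ACL 101.
    return "ipsec" if evaluate(crypto_acl, src, dst) == "permit" else "nat-internet"


if __name__ == "__main__":
    crypto = parse_acl(POSTED_CONFIG, 101)
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        nat = parse_acl(cfg, 111)
        for dst in ("192.168.0.5", "192.168.50.5", "8.8.8.8"):
            hit = first_match(nat, "192.168.1.10", dst)
            print(f"{label:6} -> {dst:13} {forward(nat, crypto, '192.168.1.10', dst):12}"
                  f" via: {hit.text if hit else 'implicit deny'}")
```

With the posted order, 192.168.1.10 to 192.168.50.5 hits `permit ip 192.168.1.0 0.0.0.255 any` in ACL 111, is translated, and then fails every ACE in crypto ACL 101, so it leaves Dialer1 in the clear; with the permit moved last the flow is exempted from NAT and encrypted. On the router itself the same thing shows up in `show ip nat translations` (entries for the 50.x flows) and `show crypto ipsec sa` (zero encaps on the 192.168.50.0/24 SA).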