cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
37
Views
0
Helpful
1
Replies
Highlighted

No data between and VPN client and site to site tunnel

Hello,

I have a router (router A) that has a site to site IPSec tunnel to a different remote router (router B).

Router A is also configured to accept incoming connections from Cisco VPN clients. 

I can ping devices behind router B from router A and I can ping devices behind router A from VPN clients connected to it.

The problem is that I can not ping devices behind router B from VPN clients connected to router A.

I've been trying to figure this out for a while now and I just cannot imagine what I'm missing. If anybody can point me in the right direction, it would be greatly appreciated.

Here is the configuration of router A:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2  
 lifetime 28800
crypto isakmp key test address 10.1.1.1     no-xauth
!
crypto isakmp client configuration group myvpn
 key removed
 pool vpnpool
 acl 120
 save-password
!
crypto ipsec transform-set myvpn esp-3des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map my_Dynmap 30
 set transform-set myvpn 
crypto dynamic-map my_Dynmap 40
 set peer 10.1.1.1
 set transform-set myvpn 
 match address 150
!         
!         
!
crypto map mymap client authentication list vpnlist
crypto map mymap isakmp authorization list vpngroup
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic my_Dynmap 
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!         
interface FastEthernet4
 description "WAN interface"
 ip address 10.1.1.11 255.255.255.248
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 description LAN
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool vpnpool 10.20.20.1 10.20.20.253
!
ip nat inside source list 106 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.9
!
!
access-list 106 deny   ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 106 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.111.0 0.0.0.255 any
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.20.20.0 0.0.0.255

1 REPLY 1
Highlighted

I found the problem so I'll

I found the problem so I'll answer my own question in case somebody else has a similar problem.

The problem was with the access list for the site to site tunnel:

 

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.20.20.0 0.0.0.255

The last line matches all packets coming from the tunnel to VPN users. So the packets aren't sent to the VPN users encrypted.

If I remove that line from the access list, everything works:

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255