06-17-2012 01:49 AM
I am having an issue: I have 2 remote users connecting to our datacenter. Each remote user can access resources at the datacenter, but we would like to know how I can make it so that one remote user can connect to the other remote user through the datacenter.
Here is the config we are using:
CoreRouter#show run
Building configuration...
hostname CoreRouter
!
aaa new-model
!
aaa authentication login default local
aaa authorization network groupauthor local
!
aaa session-id common
ip source-route
!
multilink bundle-name authenticated
!
username <our user>
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key KEY
dns 8.8.8.8
pool VPNippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address <WAN Address>
ip nat outside
ip virtual-reassembly in
crypto map clientmap
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/1.3
description VLAN-Inside-LAN
encapsulation dot1Q 3
ip address 10.0.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool VPNippool 192.168.1.0 192.168.1.10
ip forward-protocol nd
!
ip nat inside source static tcp 10.0.3.2 3389 interface FastEthernet0/0 3389
ip nat inside source list 102 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 <our datacenter>
!
access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
!
control-plane
!
line vty 0 4
transport input SSH
!
end
Essentially, our remote users are assigned a 192.168.1.x/24 address, which can ping our internal LAN addresses 10.0.3.x/24 but can't ping other 192.168.1.x/24 addresses.
Just to make sure that on our remote host it was going back to the datacenter router: tracert <other remote user> does return our WAN IP for the datacenter router, with the next hop timing out.
Any help would be amazing
Thank you
06-17-2012 02:03 AM
I forgot to add that from the remote user side I can ping the Datacenter and internal network, however, from the datacenter I cannot ping the remote users.
IT Done Right
06-19-2012 06:20 PM
Disable CEF on the router to punt the ping to the router's CPU, and try again.
Please feed me back after doing that.
06-19-2012 06:29 PM
I found the solution: I modified the ACLs.
access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
access-list 102 permit ip any any
ACL 101 was used in my crypto isakmp
ACL 102 was used in my NAT
This worked. Thank you for your help, though.
IT Done Right
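As an added illustration (this is not code from the thread or from Cisco), the following Python script walks the two ACLs posted above the way IOS does: top to bottom, first match wins, implicit deny at the end, with the wildcard mask marking the bits that are ignored. Running it over the flows discussed in the thread (LAN to VPN pool, VPN client to LAN, VPN client to VPN client) shows which entry each flow hits and that the client-to-client flow matches nothing in ACL 102 until the final `permit ip any any` line is present. The last line is written with the `ip` keyword that extended ACL syntax requires.

```python
import ipaddress

# ACL entries as posted in the thread (constructed input for this example).
ACL_TEXT = """
access-list 101 permit ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
access-list 102 permit ip any any
"""

def _parse_addr(tokens):
    """Consume 'any' or 'address wildcard' from tokens; return (rest, matcher)."""
    if tokens[0] == "any":
        return tokens[1:], lambda ip: True
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # In a wildcard mask a 1 bit means "don't care", so only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return tokens[2:], lambda ip: (int(ip) & care) == (base & care)

def parse_acls(text):
    """Return {acl_number: [(action, src_matcher, dst_matcher, original_line), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        num, action = tok[1], tok[2]          # tok[3] is the protocol keyword "ip"
        rest, src = _parse_addr(tok[4:])
        rest, dst = _parse_addr(rest)
        acls.setdefault(num, []).append((action, src, dst, line))
    return acls

def evaluate(acls, num, src, dst):
    """First-match evaluation of one flow against one ACL; implicit deny if nothing matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, match_src, match_dst, line in acls.get(num, []):
        if match_src(s) and match_dst(d):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for flow in [("10.0.3.2", "192.168.1.5"), ("192.168.1.5", "10.0.3.2"),
                 ("192.168.1.5", "192.168.1.6")]:
        for num in ("101", "102"):
            print(num, flow, "->", evaluate(acls, num, *flow))
```

Dropping the last line of `ACL_TEXT` before parsing reproduces the original ACL 102, where the 192.168.1.5 to 192.168.1.6 flow falls through to the implicit deny.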