Route all traffic over IPsec tunnel.
01-31-2012 03:12 PM - edited 02-21-2020 05:50 PM
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic, including web surfing, through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish it.
Each of our office locations utilizes a Cisco 2811 router and the tower locations utilize a Cisco 881.
Any suggestions would be greatly appreciated.
01-31-2012 10:18 PM
Hello Jonathan,
On the crypto ACL you need to match all traffic (ip), and do not NAT the traffic either.
That should do it
Regards,
Julio
Do rate helpful posts!!
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
02-01-2012 03:54 AM
This is what I was using and I could not figure out why it did not work. The HQ network is 192.168.4.0/24 and this remote office is 192.168.24.0/24
crypto map REM_RTR 10 ipsec-isakmp
description Tunnel to HQ
set peer xx.xx.36.80
set transform-set myset
match address 120
interface fa0/0
crypto map REM_RTR
access-list 120 permit ip any 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
I am obviously missing something right in front of my face but can not see it.
02-01-2012 06:33 AM
Hello Jonathan,
So this is the config of the remote site, and you want to send all traffic from .24 on the vpn tunnel.
The ACL should be:
access-list 120 permit ip 192.168.24.0 255.255.255.0 any
Regards,
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
02-01-2012 07:29 AM
I have corrected the access-list and when performing a trace route from a local machine it is still dumped out on to the local internet instead of routing through to HQ.
Any suggestions?
02-01-2012 09:42 AM
Hello Jonathan,
You have a nat 0 rule right?
Can you provide it? It should be something similar to this:
nat (inside) 0 access-list vpn
access-list vpn should be:
access-list vpn permit ip 192.168.24.0 255.255.255.0 any
please provide the following:
packet-tracer input inside tcp 192.168.24.20 1025 4.2.2.2 80
Regards,
Julio
Rate helpful posts!
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
02-01-2012 10:48 AM
I actually removed the nat outside and inside statements from the remote router I am trying to accomplish this on. I would rather all NAT-related things go through our corporate link.
I tried to issue the packet-tracer command and it seems my version of ios does not have that command.
02-01-2012 11:21 AM
What's your local (client) subnet? I ask because the postings above changed your 3rd octet from .4 to .24.
"packet-tracer" is an ASA command and not available on IOS.
02-01-2012 11:39 AM
.24 is the remote subnet. .4 is the HQ subnet.
02-01-2012 11:47 AM
OK, I see that now after re-reading the above. So, on the remote site, your access-list vpn is currently one line as follows:
access-list vpn permit ip 192.168.24.0 255.255.255.0 any
You do need the nat 0 rule there as Julio noted above so as to exempt the remote site's traffic from being NATted.
Your VPN is up, yes? (show crypto isakmp sa)
If all the above are confirmed, then please try "show access-list vpn", introduce traffic into the tunnel and repeat the "show" command. You should see the "hitcnt" incrementing.
02-01-2012 11:53 AM
Hello Jonathan and Marvin,
Thanks for that, Marvin. I forgot we were on a router; yep, packet-tracer is not supported on IOS routers.
The ACL should be like:
access-list vpn permit ip 192.168.24.0 0.0.0.255 any
So you will send all traffic over the VPN tunnel. Just to let you know, after you make a change to a VPN configuration (in this case it will be a phase 2 change) you need to tear down the tunnel and then re-build it so the peers can negotiate the VPN tunnel with the new setup.
A clear crypto sa peer x.x.x.x ( remote access ip address) should do it.
Regards,
Julio
Do rate helpful posts!!
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
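Added example (not part of this thread or Cisco's own code): a small Python model of IOS extended ACL matching that evaluates the three crypto ACL variants posted above against a constructed packet from 192.168.24.20 (the host in Julio's packet-tracer line) to 4.2.2.2. It shows why the original ACL and the subnet-mask version never select the remote site's internet traffic for encryption, while the 0.0.0.255 wildcard form does; the ACL text and hosts are constructed samples.

```python
import ipaddress

# Constructed sample ACLs, one per variant that appears in the thread.
ACL_ORIGINAL = [  # matches only traffic to/from the HQ LAN (192.168.4.0/24)
    "access-list 120 permit ip any 192.168.4.0 0.0.0.255",
    "access-list 120 permit ip 192.168.4.0 0.0.0.255 any",
]
ACL_SUBNET_MASK = [  # ASA-style mask typed on IOS: IOS reads it as a wildcard
    "access-list 120 permit ip 192.168.24.0 255.255.255.0 any",
]
ACL_CORRECTED = [  # IOS wildcard: everything sourced from the remote LAN
    "access-list 120 permit ip 192.168.24.0 0.0.0.255 any",
]

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), next)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only 'access-list N permit|deny ip ...' is modelled")
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return t[2], src, dst

def _matches(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def acl_permits(acl_lines, src, dst):
    """First matching ACE wins; no match is the implicit deny (sent in clear)."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False
```

With the subnet-mask form, only hosts whose last octet is 0 (in any network) would match, which is why a real client at .20 was still sent out the local internet link.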
02-01-2012 01:22 PM
OK, I will re-add the nat inside, outside, and overload and try the NAT ACL rule. Let's hope that it works.
02-01-2012 01:41 PM
Actually I cannot utilize the NAT 0 rule. The HQ is a Cisco 2811 router, not a PIX.
Marvin,
Yes the tunnels are up. I am able to access all networks fine. The only part that is not working is the forcing of internet data across the tunnel.
02-01-2012 02:10 PM
Hello Jonathan,
So just take out all the nat statements.
You do not need to nat the VPN traffic.
Regards,
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
02-01-2012 04:07 PM
I have removed nat, added the crypto map, and modified the access list. I can browse the remote network but am unable to browse the web. On the HQ router I added permit ip 192.168.24.0 255.255.255.0 any to the nat access list. Any ideas what else I need to change on that router?
The solution is very close!
