02-09-2010 02:12 PM
I'm having a problem pinging between remote sites. Right now the crypto and No Nat ACLs for the different sites just affect traffic between the remote site and the main site. I tried adding routes, adding the other subnets to the crypto and No Nat ACLs at the remote sites... nothing has worked. Any ideas?
Main Site:
192.168.100.0 - Call Manager / Phone VLAN
192.168.1.0/24 - Data VLAN
Site 1:
192.168.70.0/24 - Phone VLAN
192.168.4.0/24 - Data VLAN
Site 2:
192.168.80.0/24 - Phone VLAN
192.168.3.0/24 - Data VLAN
Main Router
Extended IP access list ACL5
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Extended IP access list ACL6
10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255
Extended IP access list NO-NAT
10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
320 permit ip 192.168.1.0 0.0.0.255 any
330 permit ip 192.168.100.0 0.0.0.255 any
Site 1:
ip access-list extended ACL5
permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended NO-NAT
deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
Site 2:
ip access-list extended ACL6
permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended NO-NAT
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
What do I need to do so these two sites can ping each other? I've looked through the forums but can't seem to find anybody with a similar problem that received a definitive answer.
Thanks in advance!
02-09-2010 02:40 PM
Hi there, I am assuming you need site 1 and site 2 to reach each other via the Main site, right? If this is the case then you need to add the following lines to your crypto ACLs:
Main Router
Extended IP access list ACL5
permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Extended IP access list ACL6
permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
Make sure you add these lines before the last permits
Extended IP access list NO-NAT
deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 1:
ip access-list extended ACL5
permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Make sure those lines are added before the last permits
ip access-list extended NO-NAT
deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 2:
ip access-list extended ACL6
permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
As well, make sure these lines are added before the last permits
ip access-list extended NO-NAT
deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
So pretty much you are telling your routers with these definitions that the remote sites (sites 1 and 2) are gonna be reached via the main one.
Let me know if this is what you need.
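The mirroring and NAT-exemption requirements in the answer above can be checked mechanically before the ACLs are applied. This is an added example, not code from either poster: a Python sketch that parses IOS extended-ACL lines and reports crypto permits that have no mirrored permit on the peer router or no matching deny in NO-NAT. The function names and the trimmed sample ACLs are constructed for illustration from the subnets quoted in the thread.

```python
import ipaddress

def parse_acl(text):
    """Parse IOS extended-ACL lines into (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():  # drop the optional sequence number
            tok = tok[1:]
        if len(tok) != 6 or tok[1] != "ip":
            continue  # headers and 'permit ip X any' are not tunnel selectors
        src = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")  # wildcard-mask form
        dst = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        entries.append((tok[0], src, dst))
    return entries

def mirror_gaps(local, peer):
    """Local crypto permits whose reversed pair the peer does not permit."""
    allowed = {(s, d) for a, s, d in peer if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in allowed]

def nat_gaps(crypto, no_nat):
    """Crypto permits with no matching deny in the NAT-exemption ACL."""
    exempt = {(s, d) for a, s, d in no_nat if a == "deny"}
    return [(s, d) for a, s, d in crypto if a == "permit" and (s, d) not in exempt]

# Constructed samples, trimmed from the ACLs quoted in the thread.
SITE1_ACL5 = """
permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
SITE1_NO_NAT = """
deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 any
"""
MAIN_ACL5_BEFORE = """
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
"""
MAIN_ACL5_ADDED = """
permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
if __name__ == "__main__":
    site1 = parse_acl(SITE1_ACL5)
    print("missing on main:", mirror_gaps(site1, parse_acl(MAIN_ACL5_BEFORE)))
    print("after fix:", mirror_gaps(site1, parse_acl(MAIN_ACL5_BEFORE + MAIN_ACL5_ADDED)))
    print("not NAT-exempt:", nat_gaps(site1, parse_acl(SITE1_NO_NAT)))
```

The first check corresponds to adding the spoke-to-spoke subnets only at the remote site: the main router has no mirrored selectors for them until the lines from the answer are added there as well.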
02-10-2010 07:30 AM
That worked perfectly. I appreciate your help!
02-10-2010 07:49 AM
Excellent, make sure you mark the question answered and do rate useful posts.