Routing VPN traffic to multiple subnets

jadragna1
Level 1

Hi Everyone,

I've searched this topic trying to find a solution and haven't been able to, so I'm posting here. I have attached a diagram of our setup. I am trying to allow traffic to pass through the 1921 router, then to the firewall and across the VPNs to the other networks, and vice versa. So if a packet needs to go from the 10.1.97.0 network to the 10.1.96.0 network, it would travel across the first VPN to the router, then to the ASA5512X, across the next VPN tunnel to the final ASA5505 and the 10.1.96.0 network.

The reason I am trying to accomplish this is due to ping times ranging from 130ms to 170ms when a VPN is connected from the 10.1.97.0 network to the 10.1.96.0 network. The higher ping times are due to crossing from one internet provider to another, one being CenturyLink bonded DSL and the other Charter cable internet. I am trying to decrease the ping times by creating a more direct route from the CenturyLink-connected sites to the Charter-connected sites. The ping time between our sites on Charter is around 30ms, so I'm hoping I can achieve an average ping time of 100ms doing it this way.

The main reason for the ping time concern is that voice traffic is traveling between these sites and we are having problems with dropped calls and access to voicemail, which resides on the 10.1.99.0 network. The main protocol for the Avaya phone system we are using is H.323 for the calls between sites and the voicemail access. This problem is ongoing and very frustrating, as I've spoken with Cisco VPN support and they have concluded that the VPN tunnel is not the issue. I recently set up QoS with Cisco and we are still seeing the dropped calls. Any ideas on that matter are much appreciated.

Questions:

1. What VPN settings do I need to apply to allow traffic from multiple subnets to travel through the VPNs?

2. What routing do I need to apply to allow the traffic to go from one subnet to another on the Cisco 1921?

3. Is there another method that I should be trying to implement to improve the connection between sites?

4. Should I be using a GRE tunnel?

Cisco 1921 Router config

Current configuration : 6634 bytes
!
! Last configuration change at 21:02:27 PCTime Mon Sep 23 2013 by ITDept
! NVRAM config last updated at 21:07:34 PCTime Mon Sep 23 2013 by ITDept
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AdminR2
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 1iDzygew6/ax5OYs4NTIrsu0OBZbQFWgLxSntkX7yiw
enable password
!
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
!
!
ip domain name corp.centermh.org
ip name-server 10.1.99.20
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2777336015
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2777336015
 revocation-check none
 rsakeypair TP-self-signed-2777336015
!
!
crypto pki certificate chain TP-self-signed-2777336015
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373737 33333630 3135301E 170D3133 30333135 30383235
  33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37373733
  33363031 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ADB1 8CC59417 83314C49 5CEC39C7 7AEFF7E5 EE9A859A 1BD75D51 EB14DE26
  304B00A9 8F9A6D76 2CF398DC 3635992C 730FB33D E3143DF4 AC4E8D74 C2F6876D
  57095E6E F4C45A00 48D62AC6 450C4530 1D6B4912 B6E55AE3 F8626087 49BA4359
  425D8AE1 E696B820 ADA92532 127DD49B B1920897 E8042CA3 93365100 D16E9B4F
  22B90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1454CFA9 6B96D0E0 24FE836E 8CC956C7 8A9946D9 9F301D06
  03551D0E 04160414 54CFA96B 96D0E024 FE836E8C C956C78A 9946D99F 300D0609
  2A864886 F70D0101 05050003 8181008A 2C1C6549 E0022F8C 7AAEDD14 867F7C5F
  5709A81F C3170D09 04E923DF 4D25F763 5CF7BAAE E6F13C49 6CFF503C 60B3263A
  4C8504B3 6E5754E3 6037E941 354C2215 FBF624FF AFC70F77 8318922A 720B08B6
  C43B0498 710FF66C 54033B40 0870BC50 EC1FB020 B7CB73EA 0B7F9E63 0D59B9DB
  9111B03C C087467F 5AE0502F 011BD8
        quit
license udi pid CISCO1921/K9 sn FGL1711252C
!
!
username IT privilege 15 secret 4 /n3BsS8syn34LtKyXZMxqpNtiHliLrlO6pXShykxR3o
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh version 2
!
class-map match-any VOICE
 match protocol rtp
!
policy-map sdm-qos-test-123
 class class-default
policy-map CCP-QoS-Policy-1
 class VOICE
  set dscp ef
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key
!fghjfhfrghfgh
! address 63.225.235.153
crypto isakmp key
!fghjfhfrghfgh
! address 67.230.252.120
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-256-SHA-2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to63.225.235.153
 set peer 63.225.235.153
 set transform-set ESP-AES-256-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to67.230.252.120
 set peer 67.230.252.120
 set transform-set ESP-AES-256-SHA-2
 match address 102
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
 bandwidth 896
 bandwidth receive 5120
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 10.2.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Dialer1
 ip address 63.227.19.220 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callback
 ppp chap hostname middlewest576@qwest.commidwesterncol739@qwest.net
 ppp chap password 0 hgjkghkjgh
 ppp pap sent-username middlewest576@qwest.com password 0 hgjkghkjgh
 crypto map SDM_CMAP_1
 service-policy output CCP-QoS-Policy-1
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 207.225.112.2 5
ip route 10.1.95.0 255.255.255.0 207.220.115.5 2
ip route 10.1.96.0 255.255.255.0 10.2.99.2
ip route 10.1.97.0 255.255.255.0 207.220.115.5
ip route 10.1.99.0 255.255.255.0 10.2.99.2
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.2.99.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 permit ip 10.2.99.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
access-list 150 remark acl for delta
access-list 150 remark CCP_ACL Category=1
access-list 150 permit ip 10.1.97.0 0.0.0.255 10.1.95.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
!
control-plane
!
!
alias exec traffic show ip nbar protocol-discovery stats bit-rate top-n 10
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 128.138.140.44 prefer source Dialer1
!
end

Network diagram of connections between site for upload 9-24-13.jpg

6 Replies

Rashid Thompson
Level 1

Jason,

It looks like you're on the right track. If you're going to use a route map, I suggest you use an extended ACL and then add all the subnets you want to go through the VPN tunnel.

smithcolm
Level 1

I went down the ACL route and this worked for me.

I used the ASDM GUI for the Site A ASA 5510 and went into the ACL "outside cryptomap_1"; this connected site A to a remote VPN site B (Cisco 1921).

I added an ACL entry with the source subnet in site C and the destination in site B.

I added similar ACLs on the other routers and I have connectivity between site B and C through site A.

Hi Colm,

Can you send me some command-line examples of what you did, or a screenshot of the ASDM GUI showing the ACL?

The pic is the ACL from the ASA (ASDM).

10.2.10.0 is site C and Saudi/16 is site B (10.200.x.x is the Saudi office too, 9/10/11/12/13 + 14; over-complicated setup, not done by me).

These are the ACLs on the Saudi (site B) router.

101 is the internet ACL, so this restricts the networks from accessing the VPN networks over the internet.

102 is the VPN ACL, which allows:

access-list 101 deny   ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny   ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny   ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny   ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny   ip 10.200.13.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny   ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 10.200.13.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 10.200.14.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.13.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.13.0 0.0.0.255 10.2.10.0 0.0.0.255

Also put in a NAT exempt rule here.
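The two answers above come down to one rule: every subnet pair that should ride a tunnel needs a permit in the crypto-map ACL of the hop that encrypts it, and the same pair needs to be kept out of NAT, otherwise the translated source no longer matches the crypto ACL and the packet leaves in the clear. The script below is an added example (not code from this thread, Cisco or ASDM) that checks exactly that against the 1921 config posted in the question. It parses the extended `access-list` lines in IOS syntax with wildcard-mask and first-match semantics, takes ACLs 100 and 102 as the crypto-map selectors (from the `match address` lines) and assumes ACL 101, matched by `route-map SDM_RMAP_1`, is the NAT route-map ACL (the posted config omits the `ip nat inside source` line, so that is an assumption). It models the 1921 hop only; the peers' mirrored ACLs would need the same check with their configs.

```python
"""Crypto-ACL and NAT-exemption coverage check for an IOS site-to-site VPN.

Added example; not code from the thread or from Cisco. It parses the
`access-list N permit|deny ip SRC WILD DST WILD` lines posted above, evaluates
candidate flows with IOS wildcard-mask semantics (first match wins, implicit
deny at the end) and reports whether a crypto-map ACL would select each flow
for encryption and whether the NAT route-map ACL keeps it out of translation.
Only the 1921 hop is modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def parse_ace(line: str):
    """Parse one extended 'ip' ACE; remarks and standard ACLs return None."""
    toks = line.split()
    if (len(toks) < 5 or toks[0] != "access-list"
            or toks[2] not in ("permit", "deny") or toks[3] != "ip"):
        return None
    rest = toks[4:]

    def take():
        # 'any' -> wildcard all ones; 'host X' -> wildcard all zeros
        if rest[0] == "any":
            del rest[0]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            addr = rest[1]
            del rest[:2]
            return addr, "0.0.0.0"
        addr, wild = rest[0], rest[1]
        del rest[:2]
        return addr, wild

    src, src_wild = take()
    dst, dst_wild = take()
    return Ace(toks[1], toks[2], src, src_wild, dst, dst_wild)


def parse_acl(text: str):
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def wild_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care
            == int(ipaddress.IPv4Address(base)) & care)


def first_match(aces, acl: str, src_ip: str, dst_ip: str):
    """First-match lookup in ACL `acl`; None means the implicit deny."""
    for ace in aces:
        if (ace.acl == acl and wild_match(src_ip, ace.src, ace.src_wild)
                and wild_match(dst_ip, ace.dst, ace.dst_wild)):
            return ace.action
    return None


def check_flow(aces, crypto_acls, nat_acl, src_ip, dst_ip):
    """Which crypto ACLs select the flow, and whether NAT leaves it alone."""
    encrypted_by = [a for a in crypto_acls
                    if first_match(aces, a, src_ip, dst_ip) == "permit"]
    # deny or no match in the NAT ACL -> the flow is not translated
    nat_exempt = first_match(aces, nat_acl, src_ip, dst_ip) != "permit"
    return {"encrypted_by": encrypted_by, "nat_exempt": nat_exempt,
            "ok": bool(encrypted_by) and nat_exempt}


def coverage_gaps(aces, crypto_acls, nat_acl, flows):
    """Flows that should ride a tunnel but are not encrypted or are NATed first."""
    return [f for f in flows if not check_flow(aces, crypto_acls, nat_acl, *f)["ok"]]


# ACL lines copied from the 1921 config in the original post.
SAMPLE_ACLS = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 deny   ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
access-list 101 deny   ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 permit ip 10.2.99.0 0.0.0.255 any
access-list 102 permit ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
"""
ACES = parse_acl(SAMPLE_ACLS)
CRYPTO_ACLS = ("100", "102")   # 'match address' ACLs of crypto map SDM_CMAP_1
NAT_ACL = "101"                # ACL of route-map SDM_RMAP_1; assumed to drive NAT

# Constructed flows: one the config already handles, and the transit flow
# (10.1.97.0 -> 10.1.96.0) the question asks about.
REQUIRED_FLOWS = [("10.1.99.10", "10.1.97.10"), ("10.1.97.10", "10.1.96.10")]

if __name__ == "__main__":
    for flow in REQUIRED_FLOWS:
        print(flow, check_flow(ACES, CRYPTO_ACLS, NAT_ACL, *flow))
    print("gaps:", coverage_gaps(ACES, CRYPTO_ACLS, NAT_ACL, REQUIRED_FLOWS))
```

Run as-is, the check passes the 10.1.99.0 to 10.1.97.0 pair (ACL 100 encrypts it, ACL 101 denies it NAT) and flags the 10.1.97.0 to 10.1.96.0 transit pair, which no crypto ACL on the 1921 selects; that is the entry the replies say to add, mirrored on the far-end peer. Note the posted static routes also send 10.1.96.0/24 towards 10.2.99.2 rather than out Dialer1, so routing has to agree with the crypto ACL as well.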

Colm,

Thank you very much, Colm. I'll make these changes and see if everything starts working.
