S2S VPN only works in one direction

mkennedy
Level 1

I'm very new to Cisco devices, but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site VPN connection working between the facility and my office's network, as well as a remote access VPN for me to use in case I have to fix something while outside of the office.

The office's gateway is 66.119.163.2 and the device is a TZ210 with its LAN network being 192.168.1.0/24.

The co-lo's gateway is 204.244.50.254 and the device is an ASR 2911 with its LAN network being 10.0.10.0/24.

The S2S VPN connection is up between the two locations, and the 2911 device and the servers within its LAN can ping and RDP to the office's machines. The office network can only ping the LAN interface IP on the 2911, which is 10.0.10.1, but not the servers in the network. The site-to-site VPN was set up with the CCP wizard.

How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?

If need be I can post my running-config file with the pre-shared keys redacted.


8 Replies

Jennifer Halim
Cisco Employee

Yes, pls kindly post the running config.

Check if you have NAT exemption configured as well.

http://pastebin.com/JEx0GXUv

Here is a link to the running config. Apparently I also have SMARTNET with this router, so I am going to get my contract info from the vendor and get help from TAC, but I'd rather solve it myself so that troubleshooting the device is more familiar down the road.

You only need the first line of ACL 125, so pls kindly remove the 2nd line:

  1. access-list 125 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  2. access-list 125 permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255

Also change the action of "pass" to "inspect" for the following

class type inspect sdm-cls-VPNOutsideToInside-3

     pass

Hope that resolves the issue.
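The advice above rests on how a crypto ACL is read: each line on one peer describes local-to-remote traffic, and the other peer carries the mirror image of that line, so the second line of ACL 125 is the TZ210's view copied onto the 2911. The following is an added example, not code from the thread or from Cisco, that evaluates IOS wildcard-mask ACL entries the way the router does (a 0 bit in the wildcard must match, a 1 bit is ignored) and checks a crypto ACL against the mirror its peer must hold. The ACL lines are the ones quoted in the thread; the peer ACL is constructed from them.

```python
"""Added example: evaluate Cisco wildcard-mask ACL entries and check a
crypto ACL against the mirror its peer must hold. Not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # network address, e.g. "10.0.10.0"
    src_wild: str   # wildcard mask, e.g. "0.0.0.255" (inverse of a /24 mask)
    dst: str
    dst_wild: str

    @classmethod
    def parse(cls, line: str) -> "AclEntry":
        # Accepts the numbered-ACL form used in the thread:
        #   access-list 125 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        _, _num, action, _proto, src, src_wild, dst, dst_wild = parts
        return cls(action, src, src_wild, dst, dst_wild)

    def mirrored(self) -> "AclEntry":
        # The entry the remote peer needs: source and destination swapped.
        return AclEntry(self.action, self.dst, self.dst_wild, self.src, self.src_wild)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wild_match(src_ip, self.src, self.src_wild)
                and wild_match(dst_ip, self.dst, self.dst_wild))


def wild_match(ip: str, net: str, wildcard: str) -> bool:
    """True when every 'must match' bit (wildcard bit 0) of ip equals net."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)


def first_match(entries, src_ip, dst_ip):
    """First entry matching the flow, or None (IOS implicit deny at the end)."""
    for entry in entries:
        if entry.matches(src_ip, dst_ip):
            return entry
    return None


def mirror_mismatches(local, remote):
    """Entries of the local crypto ACL that have no mirror on the peer.

    A non-empty result means the two crypto ACLs are not mirror images,
    which is the condition the thread's fix restores."""
    remote_set = set(remote)
    return [e for e in local if e.mirrored() not in remote_set]


# Constructed from the two ACL 125 lines quoted in the thread.
ACL_125_AS_POSTED = [AclEntry.parse(line) for line in (
    "access-list 125 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 125 permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255",
)]
# Constructed: what the office side must hold, the mirror of line 1 only.
PEER_ACL = [ACL_125_AS_POSTED[0].mirrored()]

if __name__ == "__main__":
    # Line 1 covers the co-lo -> office flow; line 2 is the peer's line.
    print(first_match(ACL_125_AS_POSTED, "10.0.10.5", "192.168.1.20"))
    print("extra lines:", mirror_mismatches(ACL_125_AS_POSTED, PEER_ACL))
    print("after fix:", mirror_mismatches(ACL_125_AS_POSTED[:1], PEER_ACL))
```

Run against the posted ACL, `mirror_mismatches` reports the second line as having no counterpart on the peer; with only the first line kept, the two crypto ACLs are exact mirrors.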

Amazing! I find the firewall in IOS terribly complicated. Any chance you can take a peek at the Remote Access VPN? It seems to be failing due to a firewall issue as well...

Totally agree with firewall in IOS being complicated - just too many lines to configure and look through.

Please add the following ACL:

access-list 105 permit ip 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255

access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.10.0 0.0.0.255

BTW, you might want to clean up the firewall section, as there is a lot of repetition in the configuration.

CCP tells me that the rule number 105 is used by something else but there is nothing in my ACL editor to suggest that. 

I imagine all the firewall rules were generated when I tried to re-create the VPN connections with the wizard several times...

Reply to myself I guess. I edited the line you instructed me to, but no luck with the Remote Access VPN. I also removed a few of the firewall entries, but I am unsure of many of them and also of how to remove all the ACLs and class maps for the Easy VPN.

Here is a link to the updated running config

http://pastebin.com/vcPHXPvf

I would suggest that you change your vpn client pool to be in a totally unique subnet.

For example:

10.20.20.0/24

ip local pool SDM_POOL_1 10.20.20.200 10.20.20.250

Then a few ACLs to be modified:

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 105 permit ip 10.20.20.0 0.0.0.255 10.0.10.0 0.0.0.255

access-list 105 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ip access-list extended 106

   5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255

ip access-list extended 107

   5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255
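The last reply moves the client pool into a subnet the router does not otherwise route and then adjusts the ACLs that reference it, including `deny` entries that keep LAN-to-pool traffic out of the NAT ACLs. The following is an added example, not code from the thread or from Cisco, that performs the check a practitioner would want before choosing a pool (does the `ip local pool` range overlap any routed subnet?) and derives wildcard-mask ACL lines of the shape shown above. The list of routed subnets is constructed from addresses mentioned in the thread; the thread does not state what 10.10.10.0/24 is, so it is treated simply as another routed subnet.

```python
"""Added example: check a remote-access VPN client pool for overlap with
routed subnets and derive IOS wildcard-mask ACL lines. Not from the thread."""
import ipaddress

# Constructed from the thread: 10.0.10.0/24 is the co-lo LAN and
# 192.168.1.0/24 the office LAN; 10.10.10.0/24 appears in ACL 101/105
# without its role being stated, so it is just listed as routed.
ROUTED_SUBNETS = [ipaddress.ip_network(s) for s in
                  ("10.0.10.0/24", "192.168.1.0/24", "10.10.10.0/24")]


def pool_networks(first: str, last: str):
    """Smallest set of CIDR blocks covering an 'ip local pool first last' range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pool_overlaps(first: str, last: str, subnets=ROUTED_SUBNETS):
    """Routed subnets the pool collides with; an empty list means the pool is unique."""
    blocks = pool_networks(first, last)
    return [str(s) for s in subnets if any(b.overlaps(s) for b in blocks)]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS wildcard mask: the inverse of the subnet mask (0.0.0.255 for a /24)."""
    return str(net.hostmask)


def acl_line(action: str, src: str, dst: str) -> str:
    """One 'ip src-wildcard dst-wildcard' entry body, e.g. for ACL 105."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return f"{action} ip {s.network_address} {wildcard(s)} {d.network_address} {wildcard(d)}"


def nat_exempt_lines(acl: str, lan: str, pool_net: str, seq: int = 5):
    """Sequenced 'deny' entry that keeps LAN -> pool traffic out of a NAT ACL,
    in the form the thread shows for ACL 106 and 107."""
    return [f"ip access-list extended {acl}",
            f"   {seq} {acl_line('deny', lan, pool_net).replace('deny ', 'deny   ', 1)}"]


if __name__ == "__main__":
    # The pool proposed in the thread does not collide with anything routed.
    print("overlaps:", pool_overlaps("10.20.20.200", "10.20.20.250"))
    print("access-list 105 " + acl_line("permit", "10.20.20.0/24", "10.0.10.0/24"))
    print("\n".join(nat_exempt_lines("106", "10.0.10.0/24", "10.20.20.0/24")))
```

A pool that falls inside an existing LAN, e.g. one drawn from 10.10.10.0/24 here, is reported by `pool_overlaps`; the proposed 10.20.20.200-250 range is not, and the derived lines match those in the reply above.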