cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1682
Views
0
Helpful
8
Replies

S2S VPN only works in one direction

mkennedy
Level 1
Level 1

I'm very new to cisco devices but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site vpn connection working between the facility and my offices network as well as a remote access VPN for me to use in case I have to fix something while outside of the office. 

The office's gateway is 66.119.163.2 and the device is a TZ210 with it's LAN network being 192.168.1.0 /24

The co-los gateway is 204.244.50.254 and the device is an ASR 2911 with it's LAN network being 10.0.10.0 /24

The S2S VPN connection is up between the two locations and the 2911 device and the servers within it's LAN can ping and RDP to the office's machines.  The office network can only ping the LAN interface IP on the 2911 which is 10.0.10.1 but not the servers in the network.  the site-to-site VPN was set up with the CCP wizard.

How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?

If need be I can post my running-config file with the preshare keys redacted. 

1 Accepted Solution

Accepted Solutions

You only need the first line of ACL 125, so pls kindly remove the 2nd line:

  1. access-list 125 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  2. access-list 125 permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255

Also change the action of "pass" to "inspect" for the following

class type inspect sdm-cls-VPNOutsideToInside-3

     pass

Hope that resolves the issue.

View solution in original post

8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

yes, pls kindly post the running config.

Check if you have NAT exemption configured as well.

http://pastebin.com/JEx0GXUv

Here is a link to the running config.  Apparently I also have SMARTNET with this router so I am going to get my contract info from the vendor and get help from TAC but i'd rather solve it myself so that troubleshooting the device is more familliar down the road.

You only need the first line of ACL 125, so pls kindly remove the 2nd line:

  1. access-list 125 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  2. access-list 125 permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255

Also change the action of "pass" to "inspect" for the following

class type inspect sdm-cls-VPNOutsideToInside-3

     pass

Hope that resolves the issue.

Amazing!  I find the firewall in IOS terrible complicated.  Any chance you can take a peek at the Remote Access VPN?  It seems to be failing due to a firewall issue as well...

Totally agree with firewall in IOS being complicated - just too many lines to configure and look through.

Please add the following ACL:

access-list 105 permit ip 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255

access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.10.0 0.0.0.255

BTW, you might want to clean up the firewall section as there are lots of repetition in the configuration.

CCP tells me that the rule number 105 is used by something else but there is nothing in my ACL editor to suggest that. 

I imaging all the firewall rules were generated when I tried to re-create the VPN connections with the wizard several times...

Reply to myself I guess.  I edited the line you instructed me to but no luck with RemoteAccess vpn.  I also removed a few of the Firewall entires but I am unsure of many of them and also how to remove all the ACLs and class maps for the easyvpn

Here is a link to the updated running config

http://pastebin.com/vcPHXPvf

I would suggest that you change your vpn client pool to be in a totally unique subnet.

For example:

10.20.20.0/24

ip local pool SDM_POOL_1 10.20.20.200 10.20.20.250

Then a few ACLs to be modified:

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 105 permit ip 10.20.20.0 0.0.0.255 10.0.10.0 0.0.0.255

access-list 105 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ip access-list extended 106

   5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255

ip access-list extended 107

   5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255