Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Issues

Status
Not open for further replies.

acollard83

IS-IT--Management
May 1, 2005
179
US
We have a VPN setup between several locations. A Cisco PIX-515e-UR is the VPN server (EZVPN) and PIX501 and a couple PIX515's at remote sites. The issue we are having is the sites can't communicate with each other, we have a Cisco CallManager and inter-office dialing works great from the main site to each of the other sites, but from a remote site to a remote site, it does not work. I am not sure if it's a routing issue or what. Any help would be appreciated.
 
(this was the approved technique on a Netgear router I used, and it works with input errors on Linksys RV0**, but I do not know it will work on a Cisco)

My central office is 192.168.10.0 and uses a netmask of 255.255.255.0 to get to the branch offices.

My branch offices are 192.168.20.0, .30, .40, .50, .60, .70, and 192.168.123.0 and use a netmask of 255.255.0.0 to get to the head office.

If an IP address maps to my local subnet the PC never ask the router how to get there.

If the IP maps to 192.168.x.x the packet goes to the head office VPN. If it is not 192.168.10.x, the Head office sees that it is not its subnet and sends it on to another branch office.

If the IP is not in 192.168.x.x, it goes to the internet.


I tried to remain child-like, all I acheived was childish.
 
We are running Cisco EZ VPN. The config at the main office is below. We need to get this fixed ASAP. Internal calls between the remote sites are not able to go through.

PIX Version 8.0(3)
!
hostname PIX515
domain-name ustransport.local
enable password eHSw3O/vDQYG53ZB encrypted
names
dns-guard
!
interface Ethernet0
description Comcast
speed 100
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
nameif outside2
security-level 4
ip address x.x.x.x 255.255.255.248
!
interface Ethernet3
shutdown
nameif intf3
security-level 6
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
passwd HK/vZasaheGFeLV4 encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ustransport.local
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit udp any any eq 10014
access-list acl_outside extended permit udp any any eq 10013
access-list acl_outside extended permit udp any any eq 10012
access-list acl_outside extended permit udp any any eq 10011
access-list acl_outside extended permit udp any any eq 10010
access-list acl_outside extended permit udp any any eq 10009
access-list acl_outside extended permit udp any any eq 10008
access-list acl_outside extended permit udp any any eq 10007
access-list acl_outside extended permit udp any any eq 10006
access-list acl_outside extended permit udp any any eq 10005
access-list acl_outside extended permit udp any any eq 10004
access-list acl_outside extended permit udp any any eq 10003
access-list acl_outside extended permit udp any any eq 10002
access-list acl_outside extended permit udp any any eq 5004
access-list acl_outside extended permit udp any any eq 10000
access-list acl_outside extended permit tcp any any eq sip
access-list acl_outside extended permit udp any any eq sip
access-list acl_outside extended permit tcp any any eq 3389
access-list acl_outside extended permit tcp any any eq www
access-list acl_outside extended permit tcp any any eq https
access-list acl_outside extended permit tcp any any eq 1433
access-list acl_outside extended permit udp any any eq 1433
access-list acl_outside extended permit tcp any any eq smtp
access-list acl_outside extended permit tcp any any eq 465
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.22.0.0 255.255.0.0
access-list EZVPN1 extended permit ip 192.168.2.0 255.255.255.0 10.22.1.0 255.255.255.0
access-list EZVPN2 extended permit ip 192.168.2.0 255.255.255.0 10.22.2.0 255.255.255.0
access-list EZVPN3 extended permit ip 192.168.2.0 255.255.255.0 10.22.3.0 255.255.255.0
access-list EZVPN4 extended permit ip 192.168.2.0 255.255.255.0 10.22.4.0 255.255.255.0
access-list EZVPN5 extended permit ip 192.168.2.0 255.255.255.0 10.22.5.0 255.255.255.0
access-list EZVPN6 extended permit ip 192.168.2.0 255.255.255.0 10.22.6.0 255.255.255.0
access-list EZVPN7 extended permit ip 192.168.2.0 255.255.255.0 10.22.7.0 255.255.255.0
access-list EZVPN8 extended permit ip 192.168.2.0 255.255.255.0 10.22.8.0 255.255.255.0
access-list EZVPN9 extended permit ip 192.168.2.0 255.255.255.0 10.22.9.0 255.255.255.0
access-list EZVPN10 extended permit ip 192.168.2.0 255.255.255.0 10.22.10.0 255.255.255.0
access-list EZVPN11 extended permit ip 192.168.2.0 255.255.255.0 10.22.11.0 255.255.255.0
access-list EZVPN12 extended permit ip 192.168.2.0 255.255.255.0 10.22.12.0 255.255.255.0
access-list EZVPN13 extended permit ip 192.168.2.0 255.255.255.0 10.22.13.0 255.255.255.0
access-list EZVPN14 extended permit ip 192.168.2.0 255.255.255.0 10.22.14.0 255.255.255.0
access-list EZVPN15 extended permit ip 192.168.2.0 255.255.255.0 10.22.15.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1000000
logging monitor notifications
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu outside2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 10014 192.168.2.21 10014 netmask 255.255.255.255
static (inside,outside) udp interface 10013 192.168.2.21 10013 netmask 255.255.255.255
static (inside,outside) udp interface 10012 192.168.2.21 10012 netmask 255.255.255.255
static (inside,outside) udp interface 10011 192.168.2.21 10011 netmask 255.255.255.255
static (inside,outside) udp interface 10010 192.168.2.21 10010 netmask 255.255.255.255
static (inside,outside) udp interface 10009 192.168.2.21 10009 netmask 255.255.255.255
static (inside,outside) udp interface 10008 192.168.2.21 10008 netmask 255.255.255.255
static (inside,outside) udp interface 10007 192.168.2.21 10007 netmask 255.255.255.255
static (inside,outside) udp interface 10006 192.168.2.21 10006 netmask 255.255.255.255
static (inside,outside) udp interface 10005 192.168.2.21 10005 netmask 255.255.255.255
static (inside,outside) udp interface 10004 192.168.2.21 10004 netmask 255.255.255.255
static (inside,outside) udp interface 10003 192.168.2.21 10003 netmask 255.255.255.255
static (inside,outside) udp interface 10002 192.168.2.21 10002 netmask 255.255.255.255
static (inside,outside) udp interface 5004 192.168.2.21 5004 netmask 255.255.255.255
static (inside,outside) udp interface 10000 192.168.2.21 10001 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.2.21 sip netmask 255.255.255.255
static (inside,outside) udp interface sip 192.168.2.21 sip netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.11 https netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.2.12 1433 netmask 255.255.255.255
static (inside,outside) udp interface 1433 192.168.2.12 1433 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.2.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 465 192.168.2.10 465 netmask 255.255.255.255
static (inside,outside2) tcp interface smtp 192.168.2.10 smtp netmask 255.255.255.255
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 200
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set 3DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map DYNMAP 5 set transform-set 3DES-MD5
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
crypto map VPN interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 192.168.2.10 207.179.70.27
dhcpd domain ustransport.local
dhcpd option 150 ip 192.168.2.20
!
dhcpd address 192.168.2.100-192.168.2.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy EZVPN6 internal
group-policy EZVPN6 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN6
nem enable
group-policy EZVPN7 internal
group-policy EZVPN7 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN7
nem enable
group-policy EZVPN4 internal
group-policy EZVPN4 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN4
nem enable
group-policy EZVPN14 internal
group-policy EZVPN14 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN14
nem enable
group-policy EZVPN5 internal
group-policy EZVPN5 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN5
nem enable
group-policy EZVPN15 internal
group-policy EZVPN15 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN15
nem enable
group-policy EZVPN2 internal
group-policy EZVPN2 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN2
nem enable
group-policy EZVPN12 internal
group-policy EZVPN12 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN12
nem enable
group-policy EZVPN3 internal
group-policy EZVPN3 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN3
nem enable
group-policy EZVPN13 internal
group-policy EZVPN13 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN13
nem enable
group-policy EZVPN10 internal
group-policy EZVPN10 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN10
nem enable
group-policy EZVPN1 internal
group-policy EZVPN1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN1
nem enable
group-policy EZVPN11 internal
group-policy EZVPN11 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN11
nem enable
group-policy EZVPN8 internal
group-policy EZVPN8 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN8
nem enable
group-policy EZVPN9 internal
group-policy EZVPN9 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN9
nem enable
username EZVPN6 password pppppp encrypted
username EZVPN7 password pppppp encrypted
username EZVPN4 password pppppp encrypted
username EZVPN14 password pppppp encrypted
username EZVPN5 password ppppppp encrypted
username EZVPN15 password ppppp encrypted
username EZVPN2 password pppppp encrypted
username EZVPN12 password ppppp encrypted
username EZVPN3 password pppppp encrypted
username EZVPN13 password ppppppp encrypted
username EZVPN10 password ppppppp encrypted
username EZVPN1 password ppppppp encrypted
username EZVPN11 password ppppp encrypted
username EZVPN8 password ppppppp encrypted
username EZVPN9 password pppppppp encrypted
tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN2 type remote-access
tunnel-group EZVPN2 general-attributes
default-group-policy EZVPN2
tunnel-group EZVPN2 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN3 type remote-access
tunnel-group EZVPN3 general-attributes
default-group-policy EZVPN3
tunnel-group EZVPN3 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN4 type remote-access
tunnel-group EZVPN4 general-attributes
default-group-policy EZVPN4
tunnel-group EZVPN4 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN5 type remote-access
tunnel-group EZVPN5 general-attributes
default-group-policy EZVPN5
tunnel-group EZVPN5 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN6 type remote-access
tunnel-group EZVPN6 general-attributes
default-group-policy EZVPN6
tunnel-group EZVPN6 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN7 type remote-access
tunnel-group EZVPN7 general-attributes
default-group-policy EZVPN7
tunnel-group EZVPN7 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN8 type remote-access
tunnel-group EZVPN8 general-attributes
default-group-policy EZVPN8
tunnel-group EZVPN8 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN9 type remote-access
tunnel-group EZVPN9 general-attributes
default-group-policy EZVPN9
tunnel-group EZVPN9 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN10 type remote-access
tunnel-group EZVPN10 general-attributes
default-group-policy EZVPN10
tunnel-group EZVPN10 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN11 type remote-access
tunnel-group EZVPN11 general-attributes
default-group-policy EZVPN11
tunnel-group EZVPN11 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN12 type remote-access
tunnel-group EZVPN12 general-attributes
default-group-policy EZVPN12
tunnel-group EZVPN12 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN13 type remote-access
tunnel-group EZVPN13 general-attributes
default-group-policy EZVPN13
tunnel-group EZVPN13 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN14 type remote-access
tunnel-group EZVPN14 general-attributes
default-group-policy EZVPN14
tunnel-group EZVPN14 ipsec-attributes
pre-shared-key *
tunnel-group EZVPN15 type remote-access
tunnel-group EZVPN15 general-attributes
default-group-policy EZVPN15
tunnel-group EZVPN15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
 
That was added just after I posted. Still doesn't do the trick. Unable to see the other networks.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top