Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Routing Problem

Status
Not open for further replies.

slaquer

Technical User
Jul 29, 2008
11
US


Remote clinic - Cisco 831 router - 192.168.180.0 internal subnet

Local office - Cisco PIX firewall - 192.168.120.0, 192.168.140.0, 192.168.100.0, and 192.168.160.0 internal subnets

L2L IPSEC VPN tunnel works great, but the 192.168.180.0 users on the remote clinic (on the 192.168.180.0 subnet) can only communicate with the 192.168.100.0 subnet on the local site. All other traffic goes out the internet.

Any help would appreciated.

Bulk of config for remote clinic below:


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key DELETED address 70.182.XX.XXX
!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to70.182.XX.XXX
set peer 70.182.XX.XXX
set transform-set ESP-3DES-SHA ESP-3DES-SHA1 SA2 SA3
match address 102
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.180.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description $ETH-WAN$
ip address 98.190.XX.XXX 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 98.190.XX.XXX permanent
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.180.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.180.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.180.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.180.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.140.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 101
 
I do not 'speak' Cisco, so I am not seeing what I want.

In my Linksys I list my local subnet as 192.168.180.0 255.255.255.0 and my remote peer as 192.168.0.0 255.255.0.0

This causes any 192.168.x.x address not in my local subnet to go through the tunnel to the main office. (and on to other remote offices if needed)

It is possible this line
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255

would read
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.0.0 0.0.255.255
but as I say, I don't speak Cisco.

I tried to remain child-like, all I acheived was childish.
 
 http://members.arstechnica.com/x/jimbopalmer/Linksys%20VPN.jpg
There are two things you might want to look at. From the config above I see the crypto map is allowing traffic from address ranges specified in access-list 102. Of the subnets you listed in the local office, only the 192.168.100.0 and 192.168.140.0 subnets are included in the access list.

Maybe it should look something like this instead:

access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.140.0 0.0.0.255
access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.160.0 0.0.0.255


The second thing you may look at is the PIX in your local office. On ours I've had to specify which subnets to not NAT and send over the VPN tunnels instead of out to the internet. Something like this:

!CISCO PIX

! TRAFFIC TO INCLUDE IN THE ENCRYPTION PROCESS
access-list VPN_REMOTE permit ip 192.168.100.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_REMOTE permit ip 192.168.120.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_REMOTE permit ip 192.168.140.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_REMOTE permit ip 192.168.160.0 255.255.255.0 192.168.180.0 255.255.255.0

! VPN ACCESS-LIST TO NOT ALLOW NAT
access-list VPN_NONAT permit ip 192.168.100.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_NONAT permit ip 192.168.120.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_NONAT permit ip 192.168.140.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list VPN_NONAT permit ip 192.168.160.0 255.255.255.0 192.168.180.0 255.255.255.0

! DO NOT NAT FOR VPN CLIENTS IN THIS ACCESS LIST
nat (inside) 0 access-list VPN_NONAT

! NAT ALL NON-VPN TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! SET ENCRYPTION AND HASH TYPES
crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!CRYPTO MAP FOR VPN
crypto map SA-HQ 1 ipsec-isakmp
crypto map SA-HQ 1 match address VPN_REMOTE
crypto map SA-HQ 1 set peer HQ-ROUTER
crypto map SA-HQ 1 set transform-set TSET

This may not be the solution, but maybe it will give you something to go on.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top