RE: Site to Site VPN and LAN Routing

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 26 Jun 2009 11:23:51 -0400

Haroon,

I assume that 2821-3 is performing NAT for the 66 network and that the 2821-1 is doing NAT for your remote networks. Have you verified your NAT excludes for .2, .5, and .7 toward .66 and vice versa? Beyond that, throw up IPSec and ISAKMP debugs on your receiving side to get more information.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Haroon
Sent: Friday, June 26, 2009 10:53 AM
To: Cisco certification
Subject: Site to Site VPN and LAN Routing

Hello Experts,

We've made some changes recently to the network and are trying to resolve a
couple of issues with a subnet that isn't part of the site-to-site VPN being
able to reach the remote sites.

Here is the diagram:
http://www.ccie.pro/LAN-Routing-gs.jpg

Servers on the 192.168.1.x subnet can reach other sites just fine, no
issues. However, the users on the 192.168.66.x network are unable to reach
the remote subnets even though access to 192.168.1.x from 66.x subnet is
working just fine. Now, I've tried editing the existing access list
associated with the crypto policy by adding the 66.x subnet in it on both
sides but it hasn't worked. What am I missing?

The config on 192.168.1.1 router:

crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key thepsk address 71.1.1.8
crypto isakmp key thepsk address 208.1.1.209
crypto isakmp key thepsk address 70.2.2.78
!
!
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map svisakmp 1 ipsec-isakmp
 set peer 71.1.1.8
 set peer 208.1.1.209
 set peer 70.2.2.78
 set transform-set svipsec
 match address 186

interface Loopback0
 ip address 12.10.10.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 crypto map svisakmp

access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 deny ip 192.168.1.0 0.0.0.255 any
access-list 186 deny ip 192.168.2.0 0.0.0.255 any
access-list 186 deny ip 192.168.5.0 0.0.0.255 any
access-list 186 deny ip 192.168.7.0 0.0.0.255 any
access-list 186 deny ip 192.168.66.0 0.0.0.255 any
access-list 186 deny ip 172.16.20.0 0.0.0.255 any

*Config from one of the remote routers*:

crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key thetwotowers address 12.10.10.1
!
!
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
!
crypto map svisakmp 1 ipsec-isakmp
 set peer 12.10.10.1
 set transform-set svipsec
 match address 185
!
!
!
!
interface Ethernet0
 ip address 71.1.1.8 255.255.255.248
 ip nat outside
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map svisakmp

access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 185 deny ip 192.168.2.0 0.0.0.255 any
access-list 185 deny ip 192.168.1.0 0.0.0.255 any
access-list 185 deny ip 192.168.66.0 0.0.0.255 any

Any help would be greatly appreciated.

Thanks,

Haroon

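The thread turns on whether the crypto ACLs on the two peers mirror each other, which is tedious to check by eye once a hub ACL carries entries for several spokes. The script below is an added example, not code from the thread or from Cisco: it parses the numbered "access-list" lines posted above, reduces each ACL to its set of (source, destination) proxy identities, and reports which hub entries the 71.1.1.8 spoke mirrors, which it does not, and which remote networks a given LAN has any proxy identity toward. It assumes that 192.168.2.0/24 is the LAN behind the 71.1.1.8 spoke (read from that spoke's ACL, not stated in the thread), and it ignores "deny" entries, which exclude traffic from the SA rather than describe one.

```python
"""Compare the crypto ACLs of an IPsec hub and one spoke (added example).

A crypto-map ACL is a list of proxy identities: a hub entry "permit ip A B"
only negotiates an SA if the peer carries the mirrored "permit ip B A".
The sample ACLs are the ones posted in the thread; the assumption that
192.168.2.0/24 sits behind the 71.1.1.8 spoke is ours.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

Pair = Tuple[str, str]  # (source CIDR, destination CIDR)

# Hub 192.168.1.1, ACL 186, as posted.
HUB_ACL = """
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 deny ip 192.168.1.0 0.0.0.255 any
access-list 186 deny ip 192.168.66.0 0.0.0.255 any
"""

# Spoke 71.1.1.8, ACL 185, as posted.
SPOKE_ACL = """
access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 185 deny ip 192.168.2.0 0.0.0.255 any
"""


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """Turn a Cisco 'address wildcard' pair into CIDR text.

    The wildcard is inverted into a netmask. ipaddress raises ValueError for a
    non-contiguous mask such as 0.0.255.0, which is what we want: such an entry
    has no single proxy identity and should be flagged, not silently accepted.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return str(net)


def _address_spec(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACE address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return str(ipaddress.IPv4Network(tokens[i + 1] + "/32")), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text: str) -> Set[Pair]:
    """Return the (src, dst) proxy identities from numbered 'access-list ... permit ip' lines.

    'deny' entries are skipped: they take traffic out of the SA rather than define one.
    Port-level ACEs (tcp/udp) are out of scope for this check.
    """
    pairs: Set[Pair] = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        if tokens[2] != "permit":
            continue
        src, i = _address_spec(tokens, 4)
        dst, _ = _address_spec(tokens, i)
        pairs.add((src, dst))
    return pairs


def check_peer(hub: Set[Pair], spoke: Set[Pair], spoke_lans: Iterable[str]):
    """Match hub entries that involve the spoke's LANs against the spoke's mirrored entries.

    Returns (protected, hub_only, spoke_only): pairs both sides agree on, hub pairs the
    spoke does not mirror, and spoke pairs the hub lacks. Hub entries for other peers are
    filtered out via spoke_lans, since one hub ACL normally covers every spoke.
    """
    lans = set(spoke_lans)
    relevant = {(s, d) for (s, d) in hub if s in lans or d in lans}
    spoke_mirror = {(d, s) for (s, d) in spoke}
    return relevant & spoke_mirror, relevant - spoke_mirror, spoke_mirror - relevant


def destinations_for(src: str, acl: Set[Pair]) -> List[str]:
    """Remote networks the given source network has a proxy identity toward, in address order."""
    return sorted((d for (s, d) in acl if s == src), key=ipaddress.ip_network)


if __name__ == "__main__":
    hub = parse_crypto_acl(HUB_ACL)
    spoke = parse_crypto_acl(SPOKE_ACL)
    protected, hub_only, spoke_only = check_peer(hub, spoke, {"192.168.2.0/24"})
    print("mirrored on both sides:", sorted(protected))
    print("on hub, not mirrored by spoke:", sorted(hub_only))
    print("on spoke, not on hub:", sorted(spoke_only))
    for lan in ("192.168.1.0/24", "192.168.66.0/24"):
        print(lan, "has proxy identities toward:", destinations_for(lan, hub))
```

Run against the posted ACLs, the hub and the 71.1.1.8 spoke agree on the 192.168.1.0/24 and 192.168.66.0/24 pairs with 192.168.2.0/24, the hub's two 172.16.20.0/24 entries have no mirror on this spoke, and 192.168.66.0/24 has a proxy identity on the hub toward 192.168.2.0/24 only, whereas 192.168.1.0/24 has one toward 192.168.2.0/24, 192.168.5.0/24 and 192.168.7.0/24. That is the same comparison to repeat for each of the other two peers' ACLs, alongside the NAT-exemption check Ryan suggests.
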
Blogs and organic groups at http://www.ccie.net
Received on Fri Jun 26 2009 - 11:23:51 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART