Thanks Ryan,
The 2821-4 router is doing the NAT for remote networks. I will check on the
NAT excludes.
Regards,
Haroon
On Fri, Jun 26, 2009 at 11:23 AM, Ryan West <rwest_at_zyedge.com> wrote:
> Haroon,
>
> I assume that 2821-3 is performing NAT for 66 network and that the 2821-1
> is doing NAT for your remote networks. Have you verified your NAT excludes
> for .2, .5, and .7 toward .66 and vice versa? Beyond that, throw up IPSec
> and ISAKMP debugs on your receiving side to get more information.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Haroon
> Sent: Friday, June 26, 2009 10:53 AM
> To: Cisco certification
> Subject: Site to Site VPN and LAN Routing
>
> Hello Experts,
>
> We've made some changes recently to the network and are trying to resolve a
> couple of issues with a subnet which isn't part of the site-to-site VPN being
> able to reach the remote sites.
>
> Here is the diagram:
> http://www.ccie.pro/LAN-Routing-gs.jpg
>
> Servers on the 192.168.1.x subnet can reach other sites just fine, no
> issues. However, the users on the 192.168.66.x network are unable to reach
> the remote subnets even though access to 192.168.1.x from 66.x subnet is
> working just fine. Now, I've tried editing the existing access list
> associated with the crypto policy by adding the 66.x subnet in it on both
> sides but it hasn't worked. What am I missing?
>
> The config on 192.168.1.1 router:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thepsk address 71.1.1.8
> crypto isakmp key thepsk address 208.1.1.209
> crypto isakmp key thepsk address 70.2.2.78
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> crypto ipsec df-bit clear
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 71.1.1.8
> set peer 208.1.1.209
> set peer 70.2.2.78
> set transform-set svipsec
> match address 186
>
> interface Loopback0
> ip address 12.10.10.1 255.255.255.255
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> crypto map svisakmp
>
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
> access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 deny ip 192.168.1.0 0.0.0.255 any
> access-list 186 deny ip 192.168.2.0 0.0.0.255 any
> access-list 186 deny ip 192.168.5.0 0.0.0.255 any
> access-list 186 deny ip 192.168.7.0 0.0.0.255 any
> access-list 186 deny ip 192.168.66.0 0.0.0.255 any
> access-list 186 deny ip 172.16.20.0 0.0.0.255 any
>
>
> *Config from one of the remote routers*:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thetwotowers address 12.10.10.1
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 12.10.10.1
> set transform-set svipsec
> match address 185
> !
> !
> !
> !
> interface Ethernet0
> ip address 71.1.1.8 255.255.255.248
> ip nat outside
> ip route-cache flow
> full-duplex
> no cdp enable
> crypto map svisakmp
>
> access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 185 deny ip 192.168.2.0 0.0.0.255 any
> access-list 185 deny ip 192.168.1.0 0.0.0.255 any
> access-list 185 deny ip 192.168.66.0 0.0.0.255 any
>
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Haroon
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
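The NAT-exclude point Ryan raises comes down to IOS order of operations: inside-to-outside NAT is applied before the crypto map is evaluated, so a 192.168.2.x to 192.168.66.x packet that gets translated no longer matches ACL 185 and leaves the router unencrypted. The model below is an added example, not from the thread or from Cisco; it parses the posted ACL 185 and two constructed NAT lists (ACL 101, hosts .10/.20 and the outside address 71.1.1.8 taken from the posted Ethernet0 config) and shows which flows end up encrypted.

```python
import ipaddress

def _parse_addr(tok, i):
    """Return (network, next token index); handles 'any' and IOS inverted wildcard masks."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.IPv4Network((tok[i], str(mask)), strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines into (action, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        aces.append((tok[2], src, dst))
    return aces

def permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False

def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """IOS outbound order: inside-to-outside NAT runs before the crypto map is checked.
    Returns (source address on the wire, True if the crypto ACL matched and encrypted it)."""
    if permits(nat_acl, src, dst):      # 'ip nat inside source list' translates on permit
        src = outside_ip
    return src, permits(crypto_acl, src, dst)

# Crypto ACL 185 as posted for the remote router (first four permits and the 2.x deny).
CRYPTO_185 = parse_acl("""
access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 185 deny ip 192.168.2.0 0.0.0.255 any
""")
# Constructed NAT lists (the thread does not show the remote router's NAT ACL):
# without and with a deny that excludes 2.x -> 66.x traffic from translation.
NAT_MISSING_EXCLUDE = parse_acl("access-list 101 permit ip 192.168.2.0 0.0.0.255 any")
NAT_WITH_EXCLUDE = parse_acl("""
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
""")
```

Without the exclude, forward("192.168.2.10", "192.168.66.20", ...) returns the outside address and encrypted=False, which is the plaintext leak to watch for in the IPsec debugs; with the exclude it returns the inside address and True.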
Received on Fri Jun 26 2009 - 12:31:14 ART