VPN Routing Problem

Discussion in 'Cisco' started by slaquer, Feb 15, 2009.

  1. slaquer

    slaquer

    Joined:
    Jan 3, 2009
    Messages:
    9
    I have a working L2L VPN setup between a PIX and an 831 router.

    At the 831 (remote) site, I am using the 192.168.180.0 subnet.

    At the PIX (local) site, I have the following subnets:

    172.16.0.0
    192.168.100.0
    192.168.120.0
    192.168.140.0
    192.168.140.0

    I am tunneling 192.168.100.0 from the remote site no problem. This traffic passes back and forth without issue. I cannot get the other subnets to tunnel. In fact, when I attempt to use the other subnets at the local site from the remote, it attempts to go out the internet, not through the tunnel.

    Please look at this config and offer suggestions / solutions. FYI - I added the routes after playing with this for several hours - there were no routes for the local subnets initially.

    Thanks

    ****************

    hostname GOESHERE
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 52000 debugging
    !
    username DELETED privilege 15 password 0 DELETED
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 192.168.180.1 192.168.180.99
    ip dhcp excluded-address 192.168.180.151 192.168.180.254
    !
    ip dhcp pool Pool180
    import all
    network 192.168.180.0 255.255.255.0
    domain-name max.local
    dns-server 192.168.100.200 151.168.1.8
    default-router 192.168.180.1
    option 150 ip 192.168.100.4
    lease infinite
    !
    !
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key DELETED address 70.182.XX.XXX
    !

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to70.182.XX.XXX
    set peer 70.182.XX.XXX
    set transform-set ESP-3DES-SHA ESP-3DES-SHA1 SA2 SA3
    match address 102
    !
    !
    !
    interface Ethernet0
    description $ETH-LAN$
    ip address 192.168.180.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface Ethernet1
    description $ETH-WAN$
    ip address 98.190.XX.XXX 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    crypto map SDM_CMAP_1
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 98.190.XX.XXX permanent
    ip route 172.16.0.0 255.255.0.0 192.168.100.104 permanent
    ip route 192.168.100.0 255.255.255.0 192.168.100.104 permanent
    ip route 192.168.140.0 255.255.255.0 192.168.100.104 permanent
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
    !
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.180.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 100 permit ip 192.168.180.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 permit ip 192.168.180.0 0.0.0.255 any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 102 permit ip 192.168.180.0 0.0.0.255 172.16.0.0 0.0.0.255
    access-list 102 permit ip 192.168.180.0 0.0.0.255 192.168.140.0 0.0.0.255
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    password DELETED
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
     
    slaquer, Feb 15, 2009
    #1
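The following is an added example, not part of slaquer's post and not Cisco code: a small Python evaluator that walks sample LAN-to-WAN flows through the two ACLs copied from the posted 831 config, access-list 101 (the NAT route-map match) and access-list 102 (the crypto map match), in the order IOS applies them to inside-to-outside traffic (NAT translation first, then the crypto map on the egress interface). It shows, for each flow, whether the router would translate it and whether the crypto ACL would still select it afterwards. The WAN address is a constructed placeholder standing in for the masked Ethernet1 address, and the sample hosts are constructed.

```python
import ipaddress

# ACL entries copied from the posted 831 config (remark lines dropped).
ACL_101 = [  # referenced by route-map SDM_RMAP_1, which drives "ip nat inside source"
    "deny ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "permit ip 192.168.180.0 0.0.0.255 any",
]
ACL_102 = [  # "match address 102" on crypto map SDM_CMAP_1
    "permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "permit ip 192.168.180.0 0.0.0.255 172.16.0.0 0.0.0.255",
    "permit ip 192.168.180.0 0.0.0.255 192.168.140.0 0.0.0.255",
]

# Constructed placeholder for the masked Ethernet1 address (98.190.XX.XXX in the post).
WAN_ADDRESS = "98.190.0.1"


def _parse_addr(tokens, i):
    """Parse one IOS address spec starting at tokens[i].
    Returns (network as int, wildcard as int, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    network = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return network, wildcard, i + 2


def _matches(addr, network, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended IP ACL; returns 'permit' or 'deny'.
    Only 'ip' entries are modelled; the implicit deny at the end is applied."""
    for line in acl:
        tokens = line.split()
        action = tokens[0]
        s_net, s_wc, i = _parse_addr(tokens, 2)
        d_net, d_wc, _ = _parse_addr(tokens, i)
        if _matches(src, s_net, s_wc) and _matches(dst, d_net, d_wc):
            return action
    return "deny"


def classify_flow(src, dst):
    """Trace an inside-to-outside packet through NAT and then the crypto map.

    Assumption (documented IOS order of operations for inside-to-outside traffic):
    "ip nat inside source" translation happens before the crypto map is checked,
    so the crypto ACL sees the post-NAT source address.
    """
    natted = acl_lookup(ACL_101, src, dst) == "permit"  # route-map permit -> translate
    src_seen_by_crypto = WAN_ADDRESS if natted else src
    encrypted = acl_lookup(ACL_102, src_seen_by_crypto, dst) == "permit"
    return {
        "natted": natted,
        "source_seen_by_crypto_map": src_seen_by_crypto,
        "encrypted": encrypted,
    }


if __name__ == "__main__":
    # Constructed sample hosts on each of the subnets named in the post.
    for dst in ("192.168.100.10", "192.168.140.10", "172.16.0.7", "172.16.5.7", "8.8.8.8"):
        print(dst, classify_flow("192.168.180.50", dst))
```

Running it prints one line per destination, which makes two things visible in the posted config: only the 192.168.100.0 destination is exempted from NAT by access-list 101, and the 172.16.0.0 entry in access-list 102 uses wildcard 0.0.0.255 where access-list 100 uses 0.0.255.255, so it matches only 172.16.0.x.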