Cisco Site-to-Site VPN Routing Problem

I have a site-to-site VPN tunnel between Office A and Office B via two Cisco PIX firewalls that performs beautifully. The problem is with Office C, which connects with Office B via a private T1. Office B can ping both A and C without fail, but Office A is not able to ping Office C. The two Cisco routers terminating the T1 have the appropriate static routes and I have added the "route inside [Office-C's subnet] 255.255.255.0 [T1 router's ethernet IP]" to the PIX at Office B. Still cannot ping across from A to C. I don't have any routes added to the PIX at Office A (mainly because I don't know what that would look like through the VPN) and the access list at Office A does not reflect an entry that looks like an entry created by the site-to-site VPN wizard ("access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"). When I tried to add "access-list o_c_20 permit ip office A netmask office C netmask" the VPN tunnel died between A and B (however, we were experiencing intermittent problems with Internet access at office B at this time and these problems have since been resolved, so the VPN could have died for another reason). What am I missing??
Asked by cisco_scrub

stressedout2004 commented:
So you have the following setup:

Office A ------------ipsec tunnel------Office B------T1 Line------Office C

I will use the following variable to explain to you what you need.

a) Office A internal network --- 192.168.1.0/24
b) Office B internal network --- 192.168.2.0/24
c) Office C internal network --- 192.168.3.0/24
d) Office A public IP --- 1.1.1.1
e) Office B public IP --- 2.2.2.2
f) T1 Router ---- 192.168.2.2

You need the following:

1) A static route on Office B for Office C subnet pointing back to the T1 router:

route inside 192.168.3.0 255.255.255.0 192.168.2.2

2) On Office C, make sure you have a route for Office A internal network pointing back to the direction of the Office B, either on the T1 router or somewhere else depending on your topology. This is only necessary if Office C gets its internet access differently from Office B.

3) You have to modify the interesting traffic on both Office A and Office B

For Office A:

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map toOfficeB 10 ipsec-isakmp
crypto map toOfficeB 10 match address 100
crypto map toOfficeB 10 set transform-set 3des
crypto map toOfficeB 10 set peer 2.2.2.2
crypto map toOfficeB interface outside

For Office B:

access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map toOfficeA 10 ipsec-isakmp
crypto map toOfficeA 10 match address 120
crypto map toOfficeA 10 set transform-set 3des
crypto map toOfficeA 10 set peer 1.1.1.1
crypto map toOfficeA interface outside

4) You have to modify the access-list for NAT 0

For office A

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

For office B

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

Let me know if you have any question.
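The answer above rests on two conditions that are easy to get wrong by hand: the interesting-traffic ACLs on the two peers must be exact mirror images of each other, and every pair protected by the crypto ACL must also be exempt from NAT (nat 0), otherwise the packet is translated before the crypto map ever sees it. The following checker is an added example, not code from the thread or from Cisco; it parses PIX-style "access-list NAME permit ip NET MASK NET MASK" lines (subnet masks, not IOS wildcards), picks up the ACL bound by "crypto map ... match address", and reports any asymmetry or NAT 0 gap. It assumes only net/mask entries (no "host" or "any" keywords) and one crypto map entry per peer; the sample configurations are constructed from the subnets and ACL names used in the answer, with the "broken" variants modelled on the state described in the question.

```python
import ipaddress
import re

# PIX/ASA ACL syntax uses subnet masks (255.255.255.0), not IOS wildcard masks.
# Assumption: only "permit ip NET MASK NET MASK" entries are used (no host/any).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)\s*$", re.M)


def parse_acls(config):
    """Map ACL name -> set of (src_network, dst_network) parsed from the config text."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # crypto map, nat and any other line types are ignored here
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def crypto_acl(config, acls):
    """Entries of the ACL referenced by the first 'crypto map ... match address' line."""
    m = MATCH_RE.search(config)
    if m is None:
        raise ValueError("no 'crypto map ... match address' line found")
    return acls.get(m["acl"], set())


def covered(pair, entries):
    """True if some entry contains both networks of pair (exact match or supernet)."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_tunnel(cfg_a, cfg_b, nonat="nonat"):
    """Return a sorted list of problems; an empty list means the two peers agree."""
    problems = []
    sides = {"A": (cfg_a, parse_acls(cfg_a)), "B": (cfg_b, parse_acls(cfg_b))}
    crypto = {name: crypto_acl(cfg, acls) for name, (cfg, acls) in sides.items()}
    # 1) Interesting traffic must mirror: A's (src, dst) must appear on B as (dst, src).
    for here, there in (("A", "B"), ("B", "A")):
        for src, dst in crypto[here]:
            if (dst, src) not in crypto[there]:
                problems.append(f"{here} crypto ACL {src} -> {dst} has no mirror entry on {there}")
    # 2) Every protected pair must also be exempt from NAT (nat (inside) 0 access-list),
    #    or the source address is translated before the crypto map is consulted.
    for name, (cfg, acls) in sides.items():
        for src, dst in crypto[name]:
            if not covered((src, dst), acls.get(nonat, set())):
                problems.append(f"{name} crypto pair {src} -> {dst} is not in ACL {nonat} (NAT 0)")
    return sorted(problems)


# Constructed sample configs using the answer's subnets and ACL names.
OFFICE_A_FIXED = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map toOfficeB 10 ipsec-isakmp
crypto map toOfficeB 10 match address 100
crypto map toOfficeB 10 set peer 2.2.2.2
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
OFFICE_B_FIXED = """\
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map toOfficeA 10 ipsec-isakmp
crypto map toOfficeA 10 match address 120
crypto map toOfficeA 10 set peer 1.1.1.1
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Office A as described in the question: nothing for Office C's subnet at all.
OFFICE_A_BROKEN = "\n".join(l for l in OFFICE_A_FIXED.splitlines() if "192.168.3.0" not in l)
# Office A with the crypto ACL extended but the nonat ACL forgotten.
OFFICE_A_NO_NONAT = "\n".join(
    l for l in OFFICE_A_FIXED.splitlines()
    if not (l.startswith("access-list nonat") and "192.168.3.0" in l)
)

if __name__ == "__main__":
    for label, cfg in (("fixed", OFFICE_A_FIXED), ("broken", OFFICE_A_BROKEN), ("no nonat", OFFICE_A_NO_NONAT)):
        print(label, check_tunnel(cfg, OFFICE_B_FIXED) or "OK")
```

Run against a pair of configs, the "broken" case reports that Office B's 192.168.3.0/24 -> 192.168.1.0/24 entry has no mirror on Office A, which is exactly why return traffic from Office C never enters the tunnel; the "no nonat" case passes the mirror check but flags the missing NAT 0 exemption.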
cisco_scrub (author) commented:
That did the trick!! I am now able to ping across from Office A to Office C, thanks stressedout!!
Question has a verified solution.