[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 925
  • Last Modified:

Cisco Site-to-Site VPN Routing Problem

I have a site-to-site VPN tunnel between Office A and Office B via two Cisco Pix firewalls that performs beautifully.  The problem is with Office C that connects with Office B via private T1.  Office B can ping both A and C without fail, but Office A is not able to ping Office C.  The two cisco routers terminating the T1 have the appropriate static routes and I have added the "route inside [Office-C's subnet] [T1 router's ethernet IP]" to the PIX at Office B.  Still cannot ping across from A to C.  I don't have any routes added to the PIX at Office A (mainly because I don't know what that would look like thru the VPN) and the access list at Office A does not reflect an entry that looks like an entry created by the site-to-site VPN wizard ("access-list outside_cryptomap_20 permit ip").  When I tried to add "access-list o_c_20 permit ip office A netmask office C netmask" the VPN tunnel died between A and B (however, we were experiencing intermittent problems with Internet access at office B at this time and these problems have since been resolved, so the VPN could have died for another reason).  What am I missing??
1 Solution
So you have the following setup:

Office A ------------ipsec tunnel------Office B------T1 Line------Office C

I will use the following variable to explain to you what you need.

a) Office A internal network ---
b) Office B internal network ---
c) Office C internal network ---
d) Office A public IP ---
e) Office A public IP ---
f) T1 Router ----

You need the following:

1) A static route on Office B for Office C subnet pointing back to the T1 router:

route inside

2) On Office C, make sure you have a route for Office A internal network pointing back to the direction of the Office B, either on the T1 router or somewhere else depending on your topology. This is only necessary if Office C gets its internet access differently from Office B.

3) You have to modify the interesting traffic on both Office A and Office B

For Office A:

access-list 100 permit ip
access-list 100 permit ip
crypto map toOfficeB 10 ipsec-isakmp
crypto map toOfficeB 10 match address 100
crypto map toOfficeB 10 set transform-set 3des
crypto map toOfficeB 10 set peer
crypto map toOfficeB interface outside

For Office B:

access-list 120 permit ip
access-list 120 permit ip
crypto map toOfficeA 10 ipsec-isakmp
crypto map toOfficeA 10 match address 120
crypto map toOfficeA 10 set transform-set 3des
crypto map toOfficeA 10 set peer
crypto map toOfficeA interface outside

4) You have to modify the access-list for NAT 0

For office A

access-list nonat permit ip
access-list nonat permit ip
nat (inside) 0 access-list nonat

For office B

access-list nonat permit ip
access-list nonat permit ip
nat (inside) 0 access-list nonat

Let me know if you have any question.

cisco_scrubAuthor Commented:
That did the trick!!  I am now able to ping across from Office A to Office C, thanks stressedout!!

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now