Solved

Cisco 2600 Routing Issue

Posted on 2006-06-20
Last Modified: 2010-03-19
I have a site-to-site VPN between two 2600 routers (main office and satellite office), and the tunnel works fine and without error. However, the clients behind the 2600 router at the satellite office cannot get on the Internet. The config was written by the gentleman who worked there before me, and I have spent three days working on it. If I add to the access list I can get them on the Internet, but it interferes with VPN traffic. I have posted the config below for comments and review:

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OLDFORT
!
enable secret 5 $1$uwpD$RGCoeqdRUylMtq1MdlIBq1
!
ip subnet-zero
ip name-server XXX.XXX.XXX.XXX
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key password address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set metro esp-des esp-md5-hmac
!
!
crypto map metro 10 ipsec-isakmp  
 set peer XXX.XXX.XXX.XXX
 set transform-set metro
 match address 130
!
!
!
!
interface Ethernet0/0
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 crypto map metro
 bridge-group 1
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 bridge-group 1
!
router rip
 redistribute connected
 network 192.165.0.0
 network 192.168.10.0
 network 216.153.232.0
!
ip default-gateway XXX.XXX.XXX.XXX
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.10.200 4662 XXX.XXX.XXX.XXX 4662 extendable
ip nat inside source static udp 192.168.10.200 8465 XXX.XXX.XXX.XXX 8465 extendable
ip nat inside source static tcp 192.168.10.200 3389 XXX.XXX.XXX.XXX 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map nonat permit 10
 match ip address 100
!
snmp-server community public RO
bridge 1 protocol dec
!
line con 0
 password password
 transport input none
line aux 0
line vty 0 4
 password password
 login
!
end


Any assistance would be greatly appreciated, as I am totally frustrated. I will be working on this into the evening tonight.

Question by: jvandeway

6 Comments
Expert Comment by naveedb (ID: 16947759)
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

doesn't look good.

The LAN on this side is 192.168.10.0 / 24, what is it on the other side?

And can you also post the ACL from other router?
 

Author Comment by jvandeway (ID: 16948175)
The LAN on the other side is 192.168.0.0. Each of the other offices is on a different subnet, i.e. 192.168.20.x, .30, .40, etc.

Here is the ACL from the primary router.  It is also the main router for several satellite offices VPN connections, all of them using 2600 routers.

Here is the ACL from the main router.

ip classless
ip route 0.0.0.0 0.0.0.0 216.153.239.1
!
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 131 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 132 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 133 permit ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 134 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 136 permit ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 137 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonatrdp permit 10
 match ip address 140
 set ip next-hop 1.1.1.2

Thanks in advance.
 

Author Comment by jvandeway (ID: 16948194)
also, when I add the following to my satellite router:

access-list 100 permit ip 192.168.20.0 0.0.0.255 any

It then lets me on the internet from the inside, but closes my VPN tunnel.  If I am not mistaken, this ACL:

access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

is directing all IP traffic inside of the 192.168.10.0 subnet to go to 192.168.0.0 subnet.  So when I add this ACL:

access-list 100 permit ip 192.168.20.0 0.0.0.255 any

it is then allowing all traffic to go out to the internet?  Maybe I am off a bit, I don't know.

Any and all help is appreciated.
Accepted Solution by naveedb, who earned 500 total points (ID: 16948251)
Try this: remove the 100 list you added (if you haven't already)

no access-list 100 permit ip 192.168.20.0 0.0.0.255 any


then add it like this


access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

Let me know if it works

Author Comment by jvandeway (ID: 16948264)
IT WORKED, thank you so much. I think I tried so many different variations of that that I just got frustrated.

I greatly appreciate it.
Expert Comment by naveedb (ID: 16948280)
No problem. The route-map nonat in your configuration is used to identify traffic for the Internet. Whenever you add traffic to the VPN tunnel, you will need to filter it out of ACL 100 with a deny statement.
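To see why the order of the two lines in the accepted answer matters, here is an added example (written for this page, not code from the thread or from Cisco) that models in Python how IOS handles one inside-to-outside packet on the satellite router: the route-map NAT rule (`ip nat inside source route-map nonat interface Ethernet0/0 overload`, which matches ACL 100) is applied first, and the crypto map's `match address 130` is then evaluated against the post-NAT packet. Assumptions, none of which the thread states: that IOS order of operations; an undefined ACL 100, as on the posted router, is treated as matching nothing, which is consistent with the clients having no Internet access; the author's trial line is modelled with the satellite LAN 192.168.10.0 rather than the 192.168.20.0 shown in the post; and the addresses 203.0.113.2 (the router's public IP), 192.168.10.20 (a client), 192.168.0.50 (a main-office host) and 198.51.100.80 (an Internet host) are constructed stand-ins for the XXX'd values.

```python
"""Model of the NAT-then-crypto decision IOS makes for one inside-to-outside
packet on the satellite router (added example, not from the thread).

Assumptions (not stated on the page): inside NAT runs before the crypto map,
so 'match address 130' sees the post-NAT source; an undefined ACL 100 matches
nothing; every address below is a constructed stand-in for the XXX'd ones.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry; networks and wildcard masks as 32-bit ints."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_spec(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (net, wild, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _addr(t[i + 1]), 0, i + 2
    return _addr(t[i]), _addr(t[i + 1]), i + 2


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny ip SRC DST' lines, keyed by ACL number."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, src_w, i = _parse_spec(t, 4)
        dst, dst_w, _ = _parse_spec(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], src, src_w, dst, dst_w))
    return acls


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # A 1 bit in the wildcard mask means "don't care", so compare only the 0 bits.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_action(aces: list, src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end catches the rest."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def forward(src: str, dst: str, acls: dict, public_ip: str) -> dict:
    """Walk one packet from Ethernet0/1 out of Ethernet0/0."""
    # Step 1: 'ip nat inside source route-map nonat interface Ethernet0/0 overload'
    # translates the source only if route-map nonat ('match ip address 100') permits.
    if acl_action(acls.get("100", []), src, dst) == "permit":
        src = public_ip
    # Step 2: 'crypto map metro' / 'match address 130' is checked on the post-NAT packet.
    encrypted = acl_action(acls.get("130", []), src, dst) == "permit"
    return {"src": src, "dst": dst, "encrypted": encrypted}


CRYPTO_ACL = "access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255\n"
CONFIGS = {
    # As posted: no ACL 100 exists, so nothing is translated (assumption, see above).
    "as_posted": CRYPTO_ACL,
    # The author's trial line, modelled with the 192.168.10.0 LAN rather than 192.168.20.0.
    "naive_fix": CRYPTO_ACL + "access-list 100 permit ip 192.168.10.0 0.0.0.255 any\n",
    # The accepted answer: exempt VPN traffic from NAT first, then permit everything else.
    "accepted_fix": CRYPTO_ACL
    + "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255\n"
    + "access-list 100 permit ip 192.168.10.0 0.0.0.255 any\n",
}
PUBLIC_IP = "203.0.113.2"  # constructed stand-in for the XXX'd address on Ethernet0/0
CLIENT, MAIN_OFFICE_HOST, INTERNET_HOST = "192.168.10.20", "192.168.0.50", "198.51.100.80"


def run_scenarios() -> dict:
    """Per config variant, what happens to a VPN-bound and an Internet-bound packet."""
    return {
        name: {
            "to_vpn": forward(CLIENT, MAIN_OFFICE_HOST, parse_acls(cfg), PUBLIC_IP),
            "to_internet": forward(CLIENT, INTERNET_HOST, parse_acls(cfg), PUBLIC_IP),
        }
        for name, cfg in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, flows in run_scenarios().items():
        for flow, r in flows.items():
            print(f"{name:13s} {flow:12s} src={r['src']:15s} encrypted={r['encrypted']}")
```

Running it shows the three outcomes side by side. With the single `permit ... any`, a packet for 192.168.0.50 is translated to the public address before the crypto map looks at it, so it no longer matches ACL 130 and leaves Ethernet0/0 in cleartext toward an RFC 1918 destination the ISP will drop; that is the "tunnel closes" symptom, and it also means any interesting traffic you forget to exempt silently bypasses IPsec rather than failing closed. The `deny` entry is the NAT exemption: every network later added to ACL 130 needs a matching `deny` above the `permit` in ACL 100, on both routers. The main-office ACL 100 posted earlier already follows that pattern, with one `deny` per satellite subnet ahead of its `permit ... any`.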