We help IT Professionals succeed at work.

Need Configuration Assistance - Can't Seem to Get the VPN Working

chunjo
chunjo asked
on
806 Views
Last Modified: 2011-10-19
I have a Hub Router that is configured to be the primary DMVPN that talks to other spoke routers.  I was able to get the tunnel working from the Hub to the Spoke and vice versa.  The fix was adding a static route to point to the tunnel interface.  Would it be possible to make configuration changes on the primary DMVPN router only instead of making changes to all of my spoke routers?  Also, from the spoke routers if I change the static route to point to the tunnel interface would they be able to communicate to access the internet as well?

2821 Router (Primary DMVPN)
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2821
!
boot-start-marker
boot system flash flash:c2800nm-advipservicesk9-mz.124-10b.bin
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging buffered 51200 warnings
no logging console
enable secret 5 $1$TFNT$LIV7qzTmwky9.GeFjfLlb/
!
aaa new-model
!
!
aaa authentication login VTY local
aaa authentication login CON local
aaa authentication login REMOTE local
aaa authorization network VPNCLIENT local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip dhcp database url timeout 60
!
!
no ip bootp server
no ip domain lookup
ip domain name CCBQ.org
ip name-server 4.2.2.1
ip ssh time-out 60
ip inspect name INET tcp alert off audit-trail on
ip inspect name INET udp alert off audit-trail on
ip inspect name INET icmp alert off audit-trail on
ip urlfilter exclusive-domain deny www.myspace.com
ip urlfilter audit-trail
ip urlfilter server vendor n2h2 www.myspace.com outside
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2748599135
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2748599135
 revocation-check none
 rsakeypair TP-self-signed-2748599135
!
!
crypto pki certificate chain TP-self-signed-2748599135
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373438 35393931 3335301E 170D3037 30333331 31363430
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37343835
  39393133 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C7F6 60544E09 D756045B 0219ED6B 1DA5EF7C 61370654 E45B5944 94C512A0
  E867305A 4D8DF460 C6A25B9E 629739D9 18A96E37 107D0DA5 85E99000 446A87DD
  7C6302B0 042A6684 447C69FD 5955D525 F883A063 60373435 2FAD22B4 546E23EE
  203757B2 57B409E7 5C272B93 93B4D64E 328B84DD 82363243 0552D646 CB4F3886
  A8FD0203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 12434342 515F3238 32312E43 4342512E 6F726730 1F060355
  1D230418 30168014 00FF5A04 25652982 46A3B455 9599E646 39BDD6DC 301D0603
  551D0E04 16041400 FF5A0425 65298246 A3B45595 99E64639 BDD6DC30 0D06092A
  864886F7 0D010104 05000381 8100155C 4477F774 B7BA63F1 0D8A21A1 0C102212
  183D664D C3950C5D 0943A1BF 1C7C3919 5AF64F79 C8269247 C1F8B44D BCBB73EC
  C3415CB6 8614F81D 4D78A29D D1D5601B 1673930C 739F4858 8AE27AC1 4E1F8DC5
  297C7568 67622F5B D5895A02 F7D1FD23 388DAE55 8A02FB7B 541A0530 613FEBD3
  2CC600E8 9C15DFFC A4BA12B7 6A6F
  quit
username XXXX privilege 15 secret 5 $1$eIfj$wd6o7fYXVrG/vtQFGiTUh0
 
!
crypto keyring XXXXXX
  pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXXX
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group XXXXX
 key XXXXXX
 dns 192.168.1.2
 domain ccbq.org
 pool REMOTE
crypto isakmp profile DMVPN
   keyring XXXXXXX
   match identity address 0.0.0.0
crypto isakmp profile ccbq-vpn-client
   match identity group ccbq-vpn
   client authentication list REMOTE
   isakmp authorization list VPNCLIENT
   client configuration address respond
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
 set transform-set ccbq-set
 set isakmp-profile DMVPN
!
!
crypto dynamic-map ccbq-dyn 10
 set transform-set ccbq-set
 set isakmp-profile ccbq-vpn-client
!
!
crypto map ccbq-map 10 ipsec-isakmp dynamic ccbq-dyn
!
!
!
!
interface Loopback128
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface Tunnel255
 description Connection to Primary DMVPN
 bandwidth 4632
 ip address 192.168.255.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1416
 ip nbar protocol-discovery
 ip nat inside
 ip nhrp authentication ccbqn#rp
 ip nhrp map multicast dynamic
 ip nhrp network-id 255
 ip nhrp holdtime 300
 ip virtual-reassembly
 ip route-cache flow
 no ip split-horizon eigrp 255
 tunnel source Multilink1
 tunnel mode gre multipoint
 tunnel key 255
 tunnel protection ipsec profile ccbq-profile
 hold-queue 1024 in
!
interface Null0
 no ip unreachables
!
interface Multilink1
 description WAN Connection$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 no cdp enable
 ppp multilink
 ppp multilink group 1
 crypto map ccbq-map
!
interface GigabitEthernet0/0
 description connected to CCBQ Internal LAN$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.19 255.255.254.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1350
 ip policy route-map clear-df
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description connect to CCBQ Interal LAN$FW_ETH0/2$
 ip address 192.168.192.1 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip policy route-map clear-df
 shutdown
 duplex full
 speed 100
 no cdp enable
 no mop enabled
!
interface Serial0/0/0
 bandwidth 4632
 no ip address
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 bandwidth 4632
 no ip address
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/0
 bandwidth 4632
 no ip address
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/3/0
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 shutdown
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
!
router eigrp 255
 redistribute static
 passive-interface GigabitEthernet0/0
 network 172.168.0.0
 network 192.168.1.0
 network 192.168.0.0 0.0.1.255
 network 192.168.255.0
 network 192.168.0.0 0.0.255.255
 no auto-summary
!
ip local pool REMOTE 192.168.252.1 192.168.252.254
ip forward-protocol udp 5120
ip route 0.0.0.0 0.0.0.0 64.115.135.169
ip route 66.200.154.167 255.255.255.255 64.115.135.169
ip route 67.100.227.128 255.255.255.255 64.115.135.169
ip route 192.168.0.16 255.255.255.255 GigabitEthernet0/0
!
ip flow-capture packet-length
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
 top 10
 sort-by packets
!
no ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NAT interface Multilink1 overload
!
ip access-list extended TELNET
 permit tcp any any eq telnet
!
logging trap debugging
logging 192.168.1.13
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 63.117.181.64 0.0.0.63
access-list 2 permit 0.0.0.0
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.1.255
access-list 3 deny   any
access-list 100 permit tcp any any eq telnet
access-list 100 deny   ip 64.69.124.128 0.0.0.15 any
access-list 100 deny   ip 64.69.124.144 0.0.0.15 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 permit icmp any any
access-list 100 permit tcp any host 64.69.124.129 established
access-list 100 permit tcp any host 64.69.124.130 established
access-list 100 permit esp any any
access-list 100 permit gre any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit tcp any host 64.69.124.129 eq 22
access-list 100 permit tcp any host 64.69.124.130 eq 22
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit udp host 128.118.46.3 host 64.69.124.129 eq ntp
access-list 100 permit tcp any any eq 5120
access-list 100 deny   tcp any eq www host 64.69.124.129
access-list 100 deny   ip any any
access-list 101 deny   ip host 192.168.1.255 any
access-list 101 deny   ip host 192.168.20.255 any
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip host 192.168.1.91 any
access-list 101 permit ip host 192.168.1.177 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 172.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq 25000
access-list 102 permit tcp any eq 25000 any
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any host 64.115.135.170 eq smtp log
access-list 102 permit tcp host 192.168.1.3 host 192.168.0.8 eq smtp
access-list 102 permit tcp host 192.168.0.8 host 192.168.1.3 eq smtp
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.1.255 any
access-list 103 deny   ip any any
access-list 199 permit tcp any host 192.168.1.3 eq smtp
snmp-server community <removed> RO
snmp-server community ccbq_ro RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server host 192.168.1.6 <removed>
snmp-server host 192.168.1.6 ccbq_ro
no cdp run
!
route-map static2eigrp permit 10
 match ip address 1 2
!
route-map clear-df permit 10
 match ip address 102
 set ip df 0
!
route-map NAT permit 10
 match ip address 101
!
route-map VPNINET permit 10
 match ip address 102
 set ip next-hop 192.168.1.5
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 login authentication CON
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 60 0
 privilege level 15
 login authentication VTY
 transport input telnet ssh
line vty 5 15
 exec-timeout 60 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authentication-key 100 md5 12181103130807 7
ntp trusted-key 100
ntp clock-period 17180173
ntp source GigabitEthernet0/0
ntp master 6
ntp server 192.168.1.6
ntp server 128.118.46.3
!
end
2821#

Spoke Router

version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 32565 warnings
no logging console
enable secret XXXXXXXX
!
username XXXX privilege 15 secret XXXXXXXX
clock timezone EST -5
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.130.1 192.168.130.120
!
ip dhcp pool XXXXXX
   network 192.168.130.0 255.255.255.0
   dns-server 192.168.1.2 4.2.2.1
   default-router 192.168.130.1
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXX
ip name-server 64.105.124.254
ip name-server 4.2.2.1
ip inspect name INET udp
ip inspect name INET tcp
ip inspect name INET icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key XXXXXX address 64.115.135.170 no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
 set transform-set ccbq-set
!
!
!
!
interface Tunnel255
 description Connection to Primary DMVPN
 bandwidth 1536
 ip address 192.168.255.130 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication XXXXXXX
 ip nhrp map multicast XXXXXX
 ip nhrp map 192.168.255.1 XXXXXXXXX
 ip nhrp network-id 255
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.255.1
 ip virtual-reassembly
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 255
 tunnel protection ipsec profile ccbq-profile
 hold-queue 1024 in
!
interface Ethernet0
 description connected site LAN
 ip dhcp client lease 2 0 0
 ip address 192.168.130.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 description Internet Interface
 ip address XXXXXXX 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip inspect INET out
 ip virtual-reassembly
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
router eigrp 255
 network 192.168.0.0 0.0.255.255
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.61.161.57 200
ip route 192.168.0.0 255.255.0.0 tunn255
!
ip http server
no ip http secure-server
!
ip nat inside source route-map NAT interface Ethernet1 overload
!
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 100 deny   ip any any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 66.200.154.160 0.0.0.15
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.200 0.0.0.4
access-list 102 permit ip 192.168.0.0 0.0.255.255 64.69.124.128 0.0.0.31
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.168 0.0.0.4
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
snmp-server community ccbq_ro RO
!
route-map NAT permit 10
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179897
ntp server 128.118.46.3
end

831#
Comment
Watch Question

Author

Commented:
I spoke to Cisco TAC and they told me that I should be able to make changes on the Primary DMVPN router and not make any changes on the spoke routers, however I didn't get a response from them yet.

Author

Commented:
I know if the EIGRP neighbors are established I don't have to add the static route, however I'm still not able to get the Spoke router to communicate to communicate with my inside LAN throught the Hub router.  I was told I don't need to add a static route.  Still curious why it doesn't work.
Top Expert 2008

Commented:
It looks like you need to add
access-list 101 deny 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
to your hub router it looks like traffic is being NATed that should be pushed down the tunnel. You have that entry on your spoke so it probably works
 
Top Expert 2008

Commented:
nevermind saw this
access-list 101 deny ip any 192.168.0.0 0.0.255.255
I was staring at the screen so long I guess I went a little cross eyed
Top Expert 2008

Commented:
You have an access list 102 on your internal interface do a "debug ip packet 102" and then try and see if the access-list is denying return traffic
Top Expert 2008

Commented:
nevermind it is an inside rule that has a  permit ip 192.168.0.0 0.0.255.255 any which should allow all traffic going out.
You say your tunnel is coming up from router to router but LAN to LAN you have a problem?

Author

Commented:
I found the issue, I have a ASA5510 that is behind the 2821 router which filters all internet and VPN traffic.  I had to added and modify the following:

router eigrp 255
 redistribute ospf 100 metric 1000 100 255 1 1500
 passive-interface GigabitEthernet0/1
  network 192.168.1.0
 network 192.168.0.0 0.0.1.255
 network 192.168.255.0
 network 192.168.0.0 0.0.255.255
 no auto-summary

router ospf 100
 log-adjacency-changes
 network 192.168.192.0 0.0.0.255 area 0

This resolves 95% of the problem.  The other 10% now my email server is seems slow.  For some reason I can't ping from the spoke router to my email server which is behind ASA5510.

Author

Commented:
However, the other 5% (typo) maybe minor issues.  I'm able to ping 192.168.1.3 from the spoke's LAN to ASA5510 LAN but not able to ping from the spoke router to 192.168.1.3.  Any ideas?
Top Expert 2008

Commented:
You have specify an interface it is probably using the internet interface of the router try
ping 192.168.1.3 /source Ethernet0
 

Author

Commented:
Thanks that worked, I am able to ping from my spoke sites to 192.168.1.3.
I had to change routing table on the PCs and Servers on my LAN to talk to the spoke sites.

After the implemenation, I now have all my LAN devices access ISP1 for internet and ISP2 for VPN.  This is still a problem for me because before the implementation I was sharing 2 gateways to access the internet (connections to ISP1 and ISP2), now I'm only able to connect to ISP1 for internet.  With the new setup I'm not able to change the modify gateways because all of the devices have a 192.168.1.5 as their gateway.  I know I can't load balance on the ASA.  Any suggestions please advise.

Slide2.JPG
Top Expert 2008

Commented:
What kind of ISPs do you have and what interfaces are they handing you (Ethernet or T1)? What did you have to change for the vpn to work? How were you load balancing before?

Author

Commented:
ISP1 is connected to ASA interface fa0/0 which is connected to a T1 connection.  ISP2 is connected on the 2821 Router Serial 0/0/0, 0/1/0, 0/2/0 which is multilinked (3) T1.  

Before doing the migration, 2821 router was directly connected to my LAN switch and the ASA was also connected to the same LAN switch.  They both have their own gateways, thus I was able to physically have PCs and Servers use both gateways which was on a 192.168.0.0 /23.

After the migration, all the devices are behind the ASA and I'm not able to have same network segment on more than 1 interface on the ASA which bring me back to the drawing board.  I really need to use some of the ISP2 bandwidth because it's choking the ISP1 connection.  Please advise.

Author

Commented:
Here is the Original Network Topology.
Slide1.jpg
Top Expert 2008

Commented:
Can you attach ISP1 to the 2821? It should have a spare FastEthernet port. I would then policy route on the 2821. That way you still get the protection of your ASA but it sends all traffic to the router and lets the router decide. In that kind of setup you may want to run the ASA in transparent mode instead of routed.
Here is an example of policy routing
http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057660

Author

Commented:
Unfortunately, I can't set the ASA as transparent mode because it's natting our servers.  Is there a way to redirect traffic to the 2821.  If I can redirect VPN traffic to ISP2, then why can't I do the same for internet traffic.  

Is it possible to forward internet traffic on VPN_TRAFFIC?

 
CCBQ-FW(config)# int ethernet 0/2
CCBQ-FW(config-if)# ip address 192.168.192.2 255.255.254.0 
CCBQ-FW(config-if)# nameif VPN_TRAFFIC
CCBQ-FW(config-if)# security-level 50 
CCBQ-FW(config-if)# no shut 
 
access-list nonat permit ip 192.168.0.0 255.255.0.0
nat (inside) 0 access-l nonat
route VPN_Traffic 192.168.0.0 255.255.0.0 192.168.192.1 
same-security-traffic permit inter-interface 
 
 
CCBQ2821#config t
CCBQ2821(config)#int gi0/0
CCBQ2821(config-if)#ip address 192.168.192.1 255.255.254.0
CCBQ2821(config-if)#exit
CCBQ2821(config)#ip route 192.168.0.0 255.255.254.0 192.168.192.2

Open in new window

Top Expert 2008

Commented:
I'm not sure what IOS load you have on your router but if you can do a VPN you can do NAT on the 2821 as well  

Author

Commented:
Is there a way to perform NAT on the ASA to that will route 192.168.0.0 /23 to 192.168.192.1 (2821 Router).  The ASA has a persistant route statement that points all traffic to 69.38.228.97 which is the outside interface of the ASA.  

route outside 0.0.0.0 0.0.0.0 69.38.228.97 1

would it be possible to add another route statement:

route outside 192.168.0.0 0.0.255.255 64.115.1135.170 1

I was told this wasn't possible.  Is there any other way of performing this?
Top Expert 2008
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
I had to to perform following to resolve the issue:

1.  Router is in front of the ASA.
2. Configure OSPF on the router and ASA.
3.  redistribution EIGRP to OSPF on the router and configure OSPF.
 

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.