EZvpn routing between subnets is one way between UC520 and 877

I have a Cisco UC520 that is acting as the EZvpn Server (A). On the other side of town I have a Cisco 877 that is acting as a client in network-extension mode (B). Currently the VPN session is up, but I am having routing issues.

A can ping hosts on B, and can access hosts on B using Remote Desktop.
B router can ping the real world, but cannot ping anything on A.
B hosts cannot ping the real world, or anything on A.
 
I need to get it to the point where A<->B can pass data back and forth, and to where B hosts can get to the real world.

Here are the relevant lines from the configs.


Router A - UC520
----------------------
Current configuration : 35111 bytes
!
version 12.4
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
!
hostname UC520
!
boot-start-marker
boot system flash uc500-advipservicesk9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-1182958341
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1182958341
 revocation-check none
 rsakeypair TP-self-signed-1182958341
!
!
crypto pki certificate chain TP-self-signed-1182958341
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  5D7ED5E4 EA4CB2B5 29DA3B58 DD85D3A2 0846C61F 8DFEEF18 6A4378CE A8929E01 BC
        quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
   dns-server 4.2.2.1 63.203.35.55
!
ip dhcp pool data
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 4.2.2.1 199.72.1.1 63.203.35.55
   domain-name SOUND.local
!
!
ip name-server 4.2.2.1
ip name-server 199.72.1.1
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
no ipv6 cef
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
multilink bundle-name authenticated
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 sip
  no update-callerid
!
!
voice class codec 1
 codec preference 1 g711ulaw bytes 160
 codec preference 2 g729r8 bytes 20
!
!
!
<SKIP PHONE RELATED MATERIALS>

!
voice-card 0
 no dspfarm
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
username remoteusername password 0 remotepassword
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key expertsexchange
 dns 4.2.2.1 199.72.1.1
 wins 192.168.1.160
 domain SOUND.local
 pool EZVPN_POOL_1
 acl 105
 save-password
 include-local-lan
 max-users 10
!
!
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP_AES_SHA ESP_3DES_SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/2
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/4
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/5
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/6
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/7
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/8
 switchport mode trunk
 macro description cisco-switch
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname me@isp.net
 ppp chap password 7 XXXXXXXXXXXXX
 ppp pap sent-username me@isp.net password 7 XXXXXXXXXXXXX
 crypto map SDM_CMAP_1
!
ip local pool EZVPN_POOL_1 192.168.200.10 192.168.200.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 10.10.10.0 255.255.255.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny   ip 10.1.10.0 0.0.0.3 any
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host 192.168.200.10 any
access-list 104 permit ip host 192.168.200.11 any
access-list 104 permit ip host 192.168.200.12 any
access-list 104 permit ip host 192.168.200.13 any
access-list 104 permit ip host 192.168.200.14 any
access-list 104 permit ip host 192.168.200.15 any
access-list 104 permit ip host 192.168.200.16 any
access-list 104 permit ip host 192.168.200.17 any
access-list 104 permit ip host 192.168.200.18 any
access-list 104 permit ip host 192.168.200.19 any
access-list 104 permit ip host 192.168.200.20 any
access-list 104 permit ip host 192.168.200.21 any
access-list 104 permit ip host 192.168.200.22 any
access-list 104 permit ip host 192.168.200.23 any
access-list 104 permit ip host 192.168.200.24 any
access-list 104 permit ip host 192.168.200.25 any
access-list 104 permit ip host 192.168.200.26 any
access-list 104 permit ip host 192.168.200.27 any
access-list 104 permit ip host 192.168.200.28 any
access-list 104 permit ip host 192.168.200.29 any
access-list 104 permit ip host 192.168.200.30 any
access-list 104 permit tcp any any established
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit tcp any any eq 1723
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit gre any any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip any host 192.168.200.10
access-list 105 deny   ip any host 192.168.200.11
access-list 105 deny   ip any host 192.168.200.12
access-list 105 deny   ip any host 192.168.200.13
access-list 105 deny   ip any host 192.168.200.14
access-list 105 deny   ip any host 192.168.200.15
access-list 105 deny   ip any host 192.168.200.16
access-list 105 deny   ip any host 192.168.200.17
access-list 105 deny   ip any host 192.168.200.18
access-list 105 deny   ip any host 192.168.200.19
access-list 105 deny   ip any host 192.168.200.20
access-list 105 deny   ip any host 192.168.200.21
access-list 105 deny   ip any host 192.168.200.22
access-list 105 deny   ip any host 192.168.200.23
access-list 105 deny   ip any host 192.168.200.24
access-list 105 deny   ip any host 192.168.200.25
access-list 105 deny   ip any host 192.168.200.26
access-list 105 deny   ip any host 192.168.200.27
access-list 105 deny   ip any host 192.168.200.28
access-list 105 deny   ip any host 192.168.200.29
access-list 105 deny   ip any host 192.168.200.30
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!

+++++++++++++++++++++++++++++++++++++++++

877 - Site B
--------------



!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 XXXXXXXXXXXXX

no aaa new-model
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3394950481
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3394950481
 revocation-check none
 rsakeypair TP-self-signed-3394950481
!
!
crypto pki certificate chain TP-self-signed-3394950481
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  EDF64CAB C36DBBF7 6DEC769B BFE4EB7F 219F4D30 72EF32FD B39E77A9 ECE58D25
  5B3411B9 EDFAB9BC 0F1C8518 AEC739
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 4.2.2.1 199.72.1.1
   option 150 ip 10.1.1.1
   domain-name SOUND.local
   lease 0 2
!
ip dhcp pool SALESTERM
   host 10.10.10.150 255.255.255.0
   client-identifier 0100.0f1f.4543.5a
   client-name SALESTERM
   default-router 10.10.10.1
   dns-server 4.2.2.1 199.72.1.1 4.2.2.4
   netbios-name-server 192.168.1.160
   lease infinite
!
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 XXXXXXXXXXXX
username remoteusername password 7 remotepassword
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key expertsexchange
 mode network-extension
 peer 20.21.22.23
 username remoteusername password remotepassword
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname them@isp.net
 ppp chap password 7 XXXXXXXXXXXXxxxxxxxxx
 ppp pap sent-username them@isp.net password 7 XXXXXXXXXXXXXX
 ppp ipcp dns request
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 20.21.22.23
ip route 10.1.10.0 255.255.255.0 20.21.22.23
ip route 192.168.1.0 255.255.255.0 20.21.22.23
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.150 3389 interface Dialer0 3389
ip nat inside source static udp 10.10.10.150 3389 interface Dialer0 3389
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_11##
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit esp host 20.21.22.23 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit ahp host 20.21.22.23 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3389
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17174984
ntp server 17.151.16.23 prefer
end

--------------------------------
Asked by aalbert69
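Editor's note on the posted configs: three things a practitioner would flag before touching the VPN design, with the checks to run. This is an added example written for this page, not part of the original question or of the comment that follows. Addresses, ACL numbers and names are the ones in the configs above; the ACL name NAT_OUT is an assumption, and the corrected lines are suggestions to verify, not a confirmed fix for the whole routing problem.

```cisco
! ===== Site B (877): NAT source list only covers eight addresses =====
! As posted, wildcard 0.0.0.7 is a /29: only 10.10.10.0-10.10.10.7 are ever
! translated on the way out of Dialer0. 10.10.10.150 (SALESTERM) and most of
! the DHCP pool are not, which matches "B hosts cannot ping the real world".
!   access-list 1 permit 10.10.10.0 0.0.0.7
! Corrected: an extended list (name NAT_OUT is assumed) that covers the whole
! /24 but explicitly exempts traffic bound for Site A. NAT runs before IPsec
! on the inside-to-outside path, so translated packets would never match the SA.
clear ip nat translation *
no ip nat inside source list 1 interface Dialer0 overload
ip access-list extended NAT_OUT
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.1.10.0 0.0.0.3
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT_OUT interface Dialer0 overload
!
! ===== Site A (UC520): NAT route-map exempts only the 192.168.200.x pool =====
! SDM_RMAP_1 matches ACL 105, whose deny lines cover the client-mode pool but
! not the 877's 10.10.10.0/24. Insert denies ahead of the existing permits
! (sequence numbers 1-3 sort before the default 10, 20, ...). ACL 105 is also
! the split-tunnel list pushed to the client; its deny lines are not pushed,
! which is why SDM already mixes denies into it.
ip access-list extended 105
 1 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 2 deny ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 3 deny ip 10.1.10.0 0.0.0.3 10.10.10.0 0.0.0.255
!
! ===== Site A (UC520): transform set named AES negotiates single DES =====
!   crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
! Corrected to match the AES-256 ISAKMP policy 1 that is already configured:
crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
!
! ===== Checks =====
! On the 877: a plain "ping 192.168.1.1" is sourced from Dialer0's public
! address, which is outside the protected 10.10.10.0/24 and is never encrypted,
! so it says nothing about the tunnel. Source it from the inside interface:
ping 192.168.1.1 source BVI1
! SA packet counters should climb on both routers while the ping runs:
show crypto ipsec sa | include pkts
show crypto ipsec client ezvpn
! A 10.10.10.x -> 192.168.1.x entry here means the packet was translated
! before encryption and will not match the SA:
show ip nat translations
```

Two caveats from the same configs. The 877 publishes RDP on its public address (`ip nat inside source static tcp 10.10.10.150 3389 interface Dialer0 3389` plus `permit tcp any any eq 3389` in ACL 101), so a working Remote Desktop session from Site A does not by itself prove that traffic is crossing the tunnel; it may be reaching the port forward from the Internet, and that exposure is worth closing once the VPN carries the traffic. And the group key, XAUTH username and password appear in the clear in both configs; treat whatever was posted as burned and rotate it.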
wingatesl commented:
My suggestion would be to go away from the normal VPN connection and configure a DMVPN between the sites. This is a routed connection and will eliminate your problems and any potential problems if your solution grows. The DMVPN setup is almost the same as the EZVPN, the exception is you configure a tunnel interface on each side and set up a dynamic routing protocol. The SDM makes it pretty easy. Save the EZVPN for the Road Warriors.
Shawn
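What the comment describes, worked out against the two routers in the question: a DMVPN hub on the UC520 and a spoke on the 877 with EIGRP over the tunnel. This is an added example, not configuration from the original thread, from the commenter, or from Cisco. The hub's public address 20.21.22.23, the LAN subnets and the interface names are the ones in the posted configs; the tunnel subnet 172.16.254.0/24, the pre-shared key KEY-CHANGE-ME, the NHRP string dmvpn1, NHRP network-id 1 and EIGRP AS 1 are assumptions.

```cisco
! ===== Hub: UC520 (Site A, static public address 20.21.22.23) =====
! ISAKMP policy 1 (AES-256, pre-share, group 2) already exists on the UC520.
! The spoke's address is negotiated by PPPoE, so the hub accepts any peer
! presenting this key. KEY-CHANGE-ME is an assumption; use a long random value.
crypto isakmp key KEY-CHANGE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
interface Tunnel0
 description DMVPN hub (tunnel subnet 172.16.254.0/24 is assumed)
 ip address 172.16.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication dmvpn1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
!
router eigrp 1
 network 172.16.254.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 no auto-summary
 passive-interface default
 no passive-interface Tunnel0
!
! ===== Spoke: 877 (Site B, dynamic public address) =====
! The 877 has no ISAKMP policy of its own (the EzVPN client used built-in
! defaults), so one is needed here.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key KEY-CHANGE-ME address 20.21.22.23
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
interface Tunnel0
 description DMVPN spoke
 ip address 172.16.254.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication dmvpn1
 ip nhrp map 172.16.254.1 20.21.22.23
 ip nhrp map multicast 20.21.22.23
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
!
router eigrp 1
 network 172.16.254.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 no auto-summary
 passive-interface default
 no passive-interface Tunnel0
!
! Before bringing Tunnel0 up on the 877, remove the EzVPN client binding from
! Dialer0 and BVI1 and the three static routes to 20.21.22.23; EIGRP supplies
! those routes. Both Dialer0 inbound ACLs already permit isakmp, non500-isakmp
! and esp, and in transport mode the GRE header travels inside ESP, so no new
! ACL entries are needed.
! Verify:
show dmvpn
show ip nhrp
show ip eigrp neighbors
show ip route eigrp
show crypto session
```

Why this sidesteps the NAT problem in the question: LAN-to-LAN packets are routed into Tunnel0, which is not an `ip nat outside` interface, so the overload rules on Dialer0 never see them and no NAT exemption list has to be maintained. Two cautions: `ip nhrp authentication` is a short cleartext string and is not a security control (peer authentication comes from IKE), and this example assumes the 877's EzVPN client is removed. If the UC520 keeps SDM_CMAP_1 on Dialer0 for road-warrior clients alongside tunnel protection on a tunnel sourced from the same interface, confirm that combination on the 12.4(20)T image it runs before relying on both.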