Mark_er
asked on
VPN can't ping Cisco router/CME over VPN
Hello all,
This is a continuation of "Q_23843460".
Please refer to the attached drawing.
The ISP built the VPN to connect the two locations. For now they forgot to add the 10.0.3.0 network to the VPN policy so only the 10.0.1.0 to 10.0.2.0 connectivity is supposed to work.
Here is the problem: From SITE2 I can ping thru the VPN tunnel, but only the ISP gateway (10.0.2.1) or any of the computers (10.0.2.191 or 10.0.2.30). I can't ping the Cisco 2801 hosting CME (10.0.2.210) or the AIM CUE (10.0.2.10)
When the ISP logs into the SITE1 Router they can locally ping 10.0.2.210.
1. Do I have to change the 2801's config to be "pingable" thru the VPN from the other side?
2. Do I have to do something extra for the 10.0.3.0 network to be visible from SITE2 assuming the ISP sets up their VPN policy properly?
I attached part of the 2801 config.
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.2.210 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.3.1 255.255.255.0
 no snmp trap link-status
!
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0.1
 service-module ip address 10.0.2.10 255.255.255.0
 service-module ip default-gateway 10.0.2.210
!
interface FastEthernet0/1
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 10.0.2.10 255.255.255.255 Service-Engine0/1
Setup1.jpg
What is the default gateway on the PCs that you can ping at site 1 and the PC and phone at site 2?
ASKER
Default Gateway on the PCs (PC1, PC2) at SITE1 is 10.0.2.1
Default Gateway on the PC (PC3) at SITE2 is 10.0.1.1
I am not sure about the phone at SITE2 but I assume it pulls DHCP from 10.0.1.1 (The phone is not working yet, as we have no IP connectivity to 10.0.3.0 yet...)
Thanks.
Everything looks fine on your router. Do a "show ip route" and post the output
do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210"
If they both fail do a "ping 10.0.2.1"
ASKER
sh ip route:
Codes: <snip>
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 10.0.2.10/32 is directly connected, Service-Engine0/1
C 10.0.2.0/24 is directly connected, FastEthernet0/0.1
C 10.0.3.0/24 is directly connected, FastEthernet0/0.10
----------------
"do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210" "
they both failed
"If they both fail do a "ping 10.0.2.1" "
ping 10.0.2.1 succeeds.
Notice that even though you have ip route 0.0.0.0 0.0.0.0 10.0.2.1 you don't have a default route.
Try putting in ip route 10.0.1.0 255.255.255.0 10.0.2.1
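Added example, not part of the original thread: a small Python model of the routing table posted above, doing a longest-prefix lookup to show why 10.0.1.1 was unreachable from the 2801 while 10.0.2.1 answered, and what the suggested static route changes. The function names (parse_routes, static_route, lookup) are made up for this illustration; the table text is copied from the asker's "sh ip route" output.

```python
import ipaddress

# "sh ip route" lines as posted in the thread (codes legend snipped).
POSTED_TABLE = """\
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 10.0.2.10/32 is directly connected, Service-Engine0/1
C 10.0.2.0/24 is directly connected, FastEthernet0/0.1
C 10.0.3.0/24 is directly connected, FastEthernet0/0.10
"""

def parse_routes(text):
    """Return [(network, code, interface_or_next_hop)] from route lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("C", "S", "S*"):
            continue  # skip headers such as "is variably subnetted"
        # The last token is the outgoing interface (or the next hop).
        routes.append((ipaddress.ip_network(parts[1]), parts[0], parts[-1]))
    return routes

def static_route(prefix, mask, next_hop):
    """Model 'ip route <prefix> <mask> <next-hop>' as a table entry."""
    return (ipaddress.ip_network(f"{prefix}/{mask}"), "S", next_hop)

def lookup(routes, dest):
    """Longest-prefix match; None means no route, so the packet is dropped."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

if __name__ == "__main__":
    table = parse_routes(POSTED_TABLE)
    fixed = table + [static_route("10.0.1.0", "255.255.255.0", "10.0.2.1")]
    for label, rt in (("as posted", table), ("with static route", fixed)):
        for dest in ("10.0.2.1", "10.0.2.10", "10.0.1.1"):
            hit = lookup(rt, dest)
            via = f"{hit[0]} via {hit[2]}" if hit else "no route"
            print(f"{label:>18}  {dest:<10} -> {via}")
```

The same lookup explains the first symptom: echo requests from SITE2 reached 10.0.2.210 over the connected /24, but the replies to 10.0.1.x had no matching entry to leave by.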
ASKER
That did it! Now I can ping SITE2 from the router! Let me remotely access the other site (SITE2) to see if it works backwards too.
ASKER
OK It also works from SITE2 now!
Do I need to do anything for the 10.0.3.0 network in the routing table? (The VPN is not yet set up for the 10.0.3.0 network by the ISP.)
Thanks!
ASKER CERTIFIED SOLUTION
ASKER
Excellent, as usual.
ASKER
One more question:
What do I need to do to make the 10.0.3.1 interface pingable from the IAD (10.0.2.1)? The ISP won't do the VPN because they can't see the 10.0.3.0 network.
Do they need to set up a 10.0.3.x subinterface on the IAD? With dot1q encapsulation? The Catalyst port that the routers connect to is configured for "router"; I assume that means trunking.
Thanks!