  • Status: Solved
  • Priority: Medium
  • Security: Public

VPN can't ping Cisco router/CME over VPN

Hello all,

This is a continuation of "Q_23843460".

Please refer to the attached drawing.

The ISP built the VPN to connect the two locations. For now they forgot to add the 10.0.3.0 network to the VPN policy, so only the 10.0.1.0 to 10.0.2.0 connectivity is supposed to work.

Here is the problem: From SITE2 I can ping thru the VPN tunnel, but only the ISP gateway (10.0.2.1) or any of the computers (10.0.2.191 or 10.0.2.30). I can't ping the Cisco 2801 hosting CME (10.0.2.210) or the AIM CUE (10.0.2.10).

When the ISP logs into the SITE1 Router they can locally ping 10.0.2.210.

1. Do I have to change the 2801's config to be "pingable" thru the VPN from the other side?
2. Do I have to do something extra for the 10.0.3.0 network to be visible from SITE2, assuming the ISP sets up their VPN policy properly?

I attached part of the 2801 config.

interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.2.210 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.3.1 255.255.255.0
 no snmp trap link-status
!
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0.1
 service-module ip address 10.0.2.10 255.255.255.0
 service-module ip default-gateway 10.0.2.210
!
interface FastEthernet0/1
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 10.0.2.10 255.255.255.255 Service-Engine0/1

Attachment: Setup1.jpg

Asked by: Mark_er

bkepford Commented:
What is the default gateway on the PCs that you can ping at site 1 and the PC and phone at site 2?
0
 
Mark_er (Author) Commented:
Default Gateway on the PCs (PC1, PC2) at SITE1 is 10.0.2.1

Default Gateway on the PC (PC3) at SITE2 is 10.0.1.1

I am not sure about the phone at SITE2 but I assume it pulls DHCP from 10.0.1.1 (The phone is not working yet, as we have no IP connectivity to 10.0.3.0 yet...)


Thanks.
0
 
bkepford Commented:
Everything looks fine on your router. Do a "show ip route" and post the output.
Do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210".
If they both fail, do a "ping 10.0.2.1".
0
 
Mark_er (Author) Commented:
sh ip route:

Codes: <snip>

Gateway of last resort is not set

         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S           10.0.2.10/32 is directly connected, Service-Engine0/1
C           10.0.2.0/24 is directly connected, FastEthernet0/0.1
C           10.0.3.0/24 is directly connected, FastEthernet0/0.10

----------------

"do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210" "

they both failed

"If they both fail do a "ping 10.0.2.1" "

ping 10.0.2.1 succeeds.
0
 
bkepford Commented:
Notice that even though you have ip route 0.0.0.0 0.0.0.0 10.0.2.1 you don't have a default route.
Try putting in ip route 10.0.1.0 255.255.255.0 10.0.2.1
0
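Why the static route is the missing piece, as an added example that is not part of the original thread: a longest-prefix-match lookup over the routes in the posted "sh ip route" output shows that the 2801 can reach 10.0.2.1 locally but has no route on which to send echo replies back to 10.0.1.1 until the suggested "ip route 10.0.1.0 255.255.255.0 10.0.2.1" is added. The helper names and regular expressions are assumptions made for this illustration.

```python
import ipaddress
import re

# Route lines copied from the "sh ip route" output posted in the thread.
SHOW_IP_ROUTE = """\
S           10.0.2.10/32 is directly connected, Service-Engine0/1
C           10.0.2.0/24 is directly connected, FastEthernet0/0.1
C           10.0.3.0/24 is directly connected, FastEthernet0/0.10
"""

# The static route suggested in the answer, in IOS config syntax.
SUGGESTED_FIX = "ip route 10.0.1.0 255.255.255.0 10.0.2.1"

# Helper names and patterns below are illustrative, not from the thread.
CONNECTED_RE = re.compile(r"^[A-Z*]+\s+(\S+/\d+) is directly connected, (\S+)$")
STATIC_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def parse_table(text):
    """Return [(network, exit)] from 'show ip route' connected/static lines."""
    routes = []
    for line in text.splitlines():
        m = CONNECTED_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def parse_static(cmd):
    """Turn an 'ip route <net> <mask> <next-hop>' command into a table entry."""
    m = STATIC_RE.match(cmd.strip())
    if not m:
        raise ValueError("not an 'ip route' command: %r" % cmd)
    net, mask, hop = m.groups()
    return ipaddress.ip_network(f"{net}/{mask}"), hop


def lookup(routes, dst):
    """Longest-prefix match; None means no route, so the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, via) for net, via in routes if addr in net]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


if __name__ == "__main__":
    before = parse_table(SHOW_IP_ROUTE)
    after = before + [parse_static(SUGGESTED_FIX)]
    for dst in ("10.0.2.1", "10.0.2.10", "10.0.1.1"):
        print(dst, "before:", lookup(before, dst), "after:", lookup(after, dst))
```
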
 
Mark_er (Author) Commented:
That did it! Now I can ping SITE2 from the router! Let me remotely access the other site (SITE2) to see if it works backwards too.
0
 
Mark_er (Author) Commented:
OK, it also works from SITE2 now!

Do I need to do anything for the 10.0.3.0 network in the routing table? (The VPN is not yet set up for the 10.0.3.0 network by the ISP.)

Thanks!
0
 
bkepford Commented:
No, the ISP should have a route in their routers that points to 10.0.2.210. You are covered, as you only need to know how to get to 10.0.1.0.
0
 
Mark_er (Author) Commented:
Excellent, as usual.
0
 
Mark_er (Author) Commented:
One more question:

What do I need to do to make the 10.0.3.1 interface pingable from the IAD (10.0.2.1)? The ISP won't do the VPN because they can't see the 10.0.3.0 network.
Do they need to set up a 10.0.3.x subinterface on the IAD? With dot1q encapsulation? The Catalyst port that the routers connect to is configured for "router". I assume that means trunking.

Thanks!
0
