VPN can't ping Cisco router/CME over VPN

Hello all,

This is a continuation of "Q_23843460".

Please refer to the attached drawing.

The ISP built the VPN to connect the two locations. For now they forgot to add the 10.0.3.0 network to the VPN policy, so only the 10.0.1.0 to 10.0.2.0 connectivity is supposed to work.

Here is the problem: From SITE2 I can ping thru the VPN tunnel, but only the ISP gateway (10.0.2.1) or any of the computers (10.0.2.191 or 10.0.2.30). I can't ping the Cisco 2801 hosting CME (10.0.2.210) or the AIM CUE (10.0.2.10).

When the ISP logs into the SITE1 Router they can locally ping 10.0.2.210.

1. Do I have to change the 2801's config to be "pingable" thru the VPN from the other side?
2. Do I have to do something extra for the 10.0.3.0 network to be visible from SITE2, assuming the ISP sets up their VPN policy properly?

I attached part of the 2801 config.

interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.2.210 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.3.1 255.255.255.0
 no snmp trap link-status
!
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0.1
 service-module ip address 10.0.2.10 255.255.255.0
 service-module ip default-gateway 10.0.2.210
!
interface FastEthernet0/1
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 10.0.2.10 255.255.255.255 Service-Engine0/1

Setup1.jpg
Mark_er Asked:
bkepford Commented:
What is the default gateway on the PCs that you can ping at site 1 and the PC and phone at site 2?
0
Mark_er (Author) Commented:
Default Gateway on the PCs (PC1, PC2) at SITE1 is 10.0.2.1

Default Gateway on the PC (PC3) at SITE2 is 10.0.1.1

I am not sure about the phone at SITE2 but I assume it pulls DHCP from 10.0.1.1 (The phone is not working yet, as we have no IP connectivity to 10.0.3.0 yet...)


Thanks.
0
bkepford Commented:
Everything looks fine on your router. Do a "show ip route" and post the output.
Do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210".
If they both fail, do a "ping 10.0.2.1".
0
Mark_er (Author) Commented:
sh ip route:

Codes: <snip>

Gateway of last resort is not set

         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S           10.0.2.10/32 is directly connected, Service-Engine0/1
C           10.0.2.0/24 is directly connected, FastEthernet0/0.1
C           10.0.3.0/24 is directly connected, FastEthernet0/0.10

----------------

"do a "ping 10.0.1.1" from your 2801 and then do another "ping 10.0.1.1 source 10.0.2.210" "

They both failed.

"If they both fail do a "ping 10.0.2.1" "

ping 10.0.2.1 succeeds.
0
bkepford Commented:
Notice that even though you have "ip route 0.0.0.0 0.0.0.0 10.0.2.1", you don't have a default route.
Try putting in "ip route 10.0.1.0 255.255.255.0 10.0.2.1".
0
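The lookup behind this answer, as an added example that is not part of the original thread: a longest-prefix match over the posted "sh ip route" output shows why 10.0.2.1 is reachable while 10.0.1.1 has no matching route, so echo replies to SITE2 are dropped until the static route is added. The function names and the formatted line for the new static route are assumptions made for illustration.

```python
import ipaddress
import re

# "sh ip route" output as posted in the thread.
POSTED_TABLE = """\
Gateway of last resort is not set

         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S           10.0.2.10/32 is directly connected, Service-Engine0/1
C           10.0.2.0/24 is directly connected, FastEthernet0/0.1
C           10.0.3.0/24 is directly connected, FastEthernet0/0.10
"""

# Constructed line: how the suggested static route would appear once installed.
ADDED_STATIC = "S           10.0.1.0/24 [1/0] via 10.0.2.1\n"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (?P<ifname>\S+)|\[\d+/\d+\] via (?P<via>\S+))"
)


def parse_routes(text):
    """Return (network, code, exit interface or next hop) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # headers such as "Gateway of last resort ..." are skipped
        target = (m.group("ifname") or m.group("via")).rstrip(",")
        routes.append((ipaddress.ip_network(m.group("prefix")), m.group("code"), target))
    return routes


def lookup(routes, dest):
    """Longest-prefix match; None means the packet has no route and is dropped."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


if __name__ == "__main__":
    before = parse_routes(POSTED_TABLE)
    after = parse_routes(POSTED_TABLE + ADDED_STATIC)
    for dest in ("10.0.2.1", "10.0.2.10", "10.0.1.1"):
        print(dest, "before:", lookup(before, dest), "after:", lookup(after, dest))
```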
Mark_er (Author) Commented:
That did it! Now I can ping SITE2 from the router! Let me remotely access the other site (SITE2) to see if it works backwards too.
0
Mark_er (Author) Commented:
OK, it also works from SITE2 now!

Do I need to do anything for the 10.0.3.0 network in the routing table? (The VPN is not yet set up for the 10.0.3.0 network by the ISP.)

Thanks!
0
bkepford Commented:
No, the ISP should have a route in their routers that points to 10.0.2.210. You are covered, as you only need to know how to get to 10.0.1.0.
0
Mark_er (Author) Commented:
Excellent, as usual.
0
Mark_er (Author) Commented:
One more question:

What do I need to do to make the 10.0.3.1 interface pingable from the IAD (10.0.2.1)? The ISP won't do the VPN because they can't see the 10.0.3.0 network.
Do they need to set up a 10.0.3.x subinterface on the IAD? With dot1q encapsulation? The Catalyst port that the routers connect to is configured for "router"; I assume that means trunking.

Thanks!
0