Solved

Routing Problem With Vlan and VPN Through Cisco

Posted on 2009-04-30
908 Views
Last Modified: 2012-05-06
For starters, my main network is 192.168.1.1 with a Cisco 2821. We have a VLAN connected to our admin office over point-to-point fiber, which is 192.168.6.1. We have 2 VPN tunnels through the Cisco that connect to Symantec Gateway 360R routers at the remote sites with the IP addresses 192.168.5.1 and 192.168.3.1. From the main 192.168.1.1 site I can connect to any of the remote subnets; the problem comes in from the admin office with the VLAN: they cannot connect to the 3.1 or 5.1 network. The only subnet the 6.1 can access or ping is the main 192.168.1.1. I need to find out how to route 6.1 through the Cisco at the 1.1 to the 2 remote subnets that are connected by VPN tunnels. Right now when the 6.1 tries, traffic stops at the 1.1.
Question by:mpousson
27 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 24279290
Does the main location/VPN allow the 6.1 network to get out?  Is the 6.1 network included in the VPN connection ACL?


0
 

Author Comment

by:mpousson
ID: 24279702
The 6.1 can get out just fine; they are connected to the main network via VLAN over switches connected by a fiber point-to-point. I am not sure if the 6.1 is in the ACL. I am also not an expert when it comes to Cisco; I am fairly green.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24279868
You need to run:
show crypto ipsec sa
show crypto isakmp sa

What you are looking for is to see whether the 192.168.6.x is part of the routing rule set,
i.e. whether the 192.168.6.x is included in the allowed sections of the VPN.

If you look on the remote location, do you have a nat (inside) 0 ACL
where the ACL includes a permit ip 192.168.6.x?
Do you have on the main location the ACL that deals with outgoing VPNs that includes the 192.168.6.x?
If you post your configuration on the main site (excluding public IPs, replace those with X.X.X.X, and excluding the passphrases/passwords, these can be replaced with passphrase or password)


0

 

Author Comment

by:mpousson
ID: 24280844
Here is the show crypto ipsec sa output. Now, the 6.1 network is connected through point-to-point fiber using a VLAN through switches and not the router; it also uses the same WAN IP as the main network it is connected to.


interface: GigabitEthernet0/1
    Crypto map tag: mymap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 312, #pkts encrypt: 312, #pkts digest: 312
    #pkts decaps: 260, #pkts decrypt: 260, #pkts verify: 260
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x389EBA93(949926547)

     inbound esp sas:
      spi: 0xFAE25BBA(4209138618)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3005, flow_id: NETGX:5, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4591949/3545)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     rmination of show output for identity

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 215923, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 712, #pkts encrypt: 712, #pkts digest: 712
    #pkts decaps: 1179, #pkts decrypt: 1179, #pkts verify: 1179
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8E4EEBB0(2387536816)

     inbound esp sas:
      spi: 0x31254E52(824528466)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4444187/137)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8E4EEBB0(2387536816)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3007, flow_id: NETGX:7, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4444301/137)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 50725, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 1227, #pkts encrypt: 1227, #pkts digest: 1227
    #pkts decaps: 7983, #pkts decrypt: 7983, #pkts verify: 7983
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x1C945B27(479484711)

     inbound esp sas:
      spi: 0x17654282(392512130)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3006, flow_id: NETGX:6, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4545494/2894)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1C945B27(479484711)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4545507/2888)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 9694, #pkts encrypt: 9694, #pkts digest: 9694
    #pkts decaps: 9556, #pkts decrypt: 9556, #pkts verify: 9556
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xB2D3EF1C(3000233756)

     inbound esp sas:
      spi: 0xBE22BC46(3189947462)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3012, flow_id: NETGX:12, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4530222/1925)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2D3EF1C(3000233756)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3008, flow_id: NETGX:8, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4528513/1921)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 46284, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
0
 

Author Comment

by:mpousson
ID: 24280900
router2821#show crypto isakmp sa
dst             src             state          conn-id slot status
x.x.x.x  x.x.x.x  QM_IDLE             1997    0 ACTIVE
x.x.x.x  x.x.x.x  QM_IDLE             1817    0 ACTIVE
x.x.x.x  x.x.x.x  MM_NO_STATE  1996    0 ACTIVE (deleted)
x.x.x.x  x.x.x.x  MM_NO_STATE  1995    0 ACTIVE (deleted)
x.x.x.x  x.x.x.x  QM_IDLE             1724    0 ACTIVE
x.x.x.x  x.x.x.x  QM_IDLE             1963    0 ACTIVE
0
 
LVL 81

Expert Comment

by:arnold
ID: 24280924
You do not advertise through any of the VPNs that 192.168.6.x is available.
This is why the remote locations do not route 192.168.6.x through the VPN.
The points of interest are the local ident and remote ident.  These are the means by which the routers on each end know which IP traffic to route through the VPN.
0
 

Author Comment

by:mpousson
ID: 24280972
OK, is it something I can set up in the Cisco, or do I need to set it up in the Symantecs at the remote locations?
0
 
LVL 81

Expert Comment

by:arnold
ID: 24283345
On the Cisco, do you have a match-address directive for the VPN?

You also have VPNs that use 192.168.0.0/255.255.0.0; is that on purpose?
0
 

Author Comment

by:mpousson
ID: 24294073
I am a real novice when it comes to Ciscos and I did not originally set this one up, so I am not sure what the purpose of 192.168.0.0 is. I am not sure about a match-address directive.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24295450
I suspect that the two entries might be to allow cross-location communication via the VPN, i.e. 192.168.5.x to be able to access 192.168.4.x, etc.

The problem might be that the VLAN configuration is such that only 192.168.1.x can enter.  Without seeing the configuration it is hard to say.
Run show interfaces at the main location and see whether there is an access-list that limits what IPs can access the 192.168.6.x segment or can pass through that interface.
0
 

Author Comment

by:mpousson
ID: 24295771
Here is what I got when I ran show interfaces; I am learning a little more each day. This is our first Cisco router and it was put into service about a month ago by someone who is no longer here.

router2821#show interfaces
GigabitEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 0016.9dd8.d150 (bia 0016.9dd8.d150)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 284000 bits/sec, 85 packets/sec
  5 minute output rate 749000 bits/sec, 94 packets/sec
     65814157 packets input, 863080706 bytes, 0 no buffer
     Received 2288727 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 1 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     78110241 packets output, 1522531646 bytes, 0 underruns
     8443 output errors, 0 collisions, 4 interface resets
     0 babbles, 8443 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 1 pause output
     0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 0016.9dd8.d151 (bia 0016.9dd8.d151)
  Internet address is x.x.x.x/29
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/8/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 706000 bits/sec, 89 packets/sec
  5 minute output rate 284000 bits/sec, 81 packets/sec
     79428572 packets input, 1740859661 bytes, 0 no buffer
     Received 19029 broadcasts, 0 runts, 0 giants, 4 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     64574009 packets output, 1041099656 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
Serial0/0/0 is administratively down, line protocol is down
  Hardware is GT96K with integrated T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 2w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=up  DTR=down  RTS=down  CTS=down

Serial0/2/0 is administratively down, line protocol is down
  Hardware is GT96K with integrated T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 2w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=up  DTR=down  RTS=down  CTS=down

NVI0 is up, line protocol is up
  Hardware is NVI
  MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation UNKNOWN, loopback not set
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Loopback1 is up, line protocol is up
  Hardware is Loopback
  Internet address is 1.1.1.2/30
  MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 5000 bits/sec, 3 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3545300 packets output, 1039929367 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
0
 
LVL 81

Expert Comment

by:arnold
ID: 24296003
Is your 192.168.6.0/24 VLAN segment connected to the 2821 via another device that has a 192.168.1.x IP on the WAN side? Or are you using a NAT Virtual Interface for the VLAN separation?
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

A different approach could have been to use one of the remaining GigabitEthernets, define it under a separate VLAN and then set up an ACL.
0
 

Author Comment

by:mpousson
ID: 24296223
I thought I had mentioned it in the beginning: the VLAN is being connected over a point-to-point fiber connecting both offices. The 192.168.1.1 side has a port on the HP ProCurve 5406ZL with a VLAN to the 192.168.6.1 using a port on the HP ProCurve 2428.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24296299
Is the point to point fiber connection going through the NAT Virtual Interface?
GigabitEthernet 0/0 is your Inside (LAN)
GigabitEthernet 0/1 is your outside (WAN)
NVI0 is your point to point VLAN?

You only have "three" active interfaces.
 
0
 
LVL 81

Expert Comment

by:arnold
ID: 24296328
Do you have ACL restrictions that handle which IPs can get to the 192.168.6.x IPs?
You may have a restriction that only allows 192.168.1.x to get to 192.168.6.x.
Run the following:
show ip access-list
This should list all the access-lists on your router.
0
 

Author Comment

by:mpousson
ID: 24296382
OK, going to do that. The point-to-point is connected by a Cisco switch at each location that is not our equipment; it is our ISP's equipment.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24296435
Is it a Cisco switch or a Cisco router?  A switch would not interfere with packet flow.

The HW might be a pair of routers that limit the traffic to 192.168.1.x and 192.168.6.x.  Check with the ISP whether changes need to be made on their equipment if you are adding another segment that the 192.168.6.x needs to be able to access.
0
 

Author Comment

by:mpousson
ID: 24296436
Here is the show ip access-list

router2821#show ip access-list
Extended IP access list 100
    10 deny ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255 (214562 matches)
    20 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (659968 matches)
    30 deny ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (717387 matches)
    40 deny ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255 (2175060 matches)
    50 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    60 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    70 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
    80 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
    90 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    100 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
    110 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
    120 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    140 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
    150 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    160 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
    170 deny tcp host 192.168.1.189 eq 8182 any eq www
    180 permit ip 192.168.1.0 0.0.0.255 any (1103067 matches)
    190 permit ip 192.168.6.0 0.0.0.255 any (422039 matches)
    200 permit ip 192.168.3.0 0.0.0.255 any
    210 permit ip 192.168.5.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (7126265 matches)
Extended IP access list 102
    10 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255 (503485 matches)
Extended IP access list patton_vpn
    50 permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (2086653 matches)
Extended IP access list phone_vpn
    10 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255 (3808346 matches)
Extended IP access list stcroix_vpn
    50 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (1854977 matches)
0
 

Author Comment

by:mpousson
ID: 24296512
The ISP's equipment is Cisco ME 3400 series switches at both locations.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24297888
Look at access-list 100: it has an explicit deny for 192.168.6.x to 192.168.5.x, 192.168.2.x, 192.168.3.x, etc. But these do not match because the 192.168.0.0/16 deny rules are met first.


Where is access-list 100 applied?

show ip route
Where is the 192.168.0.0/255.255.0.0 coming from?  Do you know whether you need to have access from branch1 to branch2 through the main office,
i.e. 192.168.3.0 to 192.168.5.0 through the VPN connection at the main office?
0
 

Author Comment

by:mpousson
ID: 24298015
Here is the show ip route. The 192.168.6.1 needs to access the 2.1, 3.1 and 5.1 legs of the network; right now all he can do is access the 1.1. The only place the 3.1 and 5.1 need to be able to reach is the 1.1, which they can now.

router2821#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is x.x.x.x to network 0.0.0.0

     1.0.0.0/30 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback1
     x.x.x.x/29 is subnetted, 1 subnets
C       x.x.x.x is directly connected, GigabitEthernet0/1
S    192.168.6.0/24 [1/0] via 192.168.1.5
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 208.180.58.241
0
 
LVL 81

Expert Comment

by:arnold
ID: 24298243
What is at 192.168.1.5?
Can you display a show ip route from one of the other locations?

The problem is that you are not advertising to the 192.168.2.0/24 and 3.0/24 that 192.168.6.0/24 is accessible through the VPN. This also means that even if traffic from 192.168.6.0 makes its way through the VPN from the 192.168.1.0/24 side, it will not be allowed in on the remote site.

The use of the 192.168.0.0/16 on some VPNs is what confuses me,
i.e. it seems that you have two VPNs going to the same location:
one has the 192.168.1.0/24 to 192.168.5.0/24 and the other is 192.168.0.0/16 to the same 192.168.5.0/24.


0
 

Author Comment

by:mpousson
ID: 24298408
192.168.1.5 is the address of the HP ProCurve 5406ZL switch and is our default LAN gateway. This is also the switch on the 1.1 network that has the VLAN set up for the 6 network.
I am going to try and call the guy who initially set the router up and ask why we have the 192.168.0.0/16.
0
 

Author Comment

by:mpousson
ID: 24298674
So is there something I can set up in the Cisco for the 6 to be advertised? Or do I just need to change something at the remote sites?
0
 
LVL 81

Accepted Solution

by:
arnold earned 1500 total points
ID: 24299558
I think this is part of the VPN setup between main and a location.
See whether you can add to the ACL that currently has the 192.168.1.x to 192.168.5.x a reference for 192.168.6.x to 192.168.5.x, and repeat the same thing on the other side.

i.e. Side A (I think this will be the main office):
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

Side B (I think this will be the config at the branch):
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255


0
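The ordering problem arnold describes (the 192.168.0.0/16 denies in access-list 100 are hit before the 192.168.6.0/24 lines) and the accepted answer's narrower per-subnet permit lines can be checked offline with the following Python model of Cisco first-match ACL evaluation with wildcard masks. It is an added example, not code from the thread or from Cisco; the ACL text is copied from the output mpousson posted, while the sequence numbers 10/20 on arnold's proposed lines, the sample host addresses and the function names are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the access-list output mpousson posted; the "(N matches)"
# counters are ignored by the parser.
ACL_100 = """
10 deny ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255 (214562 matches)
20 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (659968 matches)
30 deny ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (717387 matches)
40 deny ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255 (2175060 matches)
50 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
60 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
70 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
80 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
90 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
100 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
110 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
120 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
140 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
150 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
160 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
170 deny tcp host 192.168.1.189 eq 8182 any eq www
180 permit ip 192.168.1.0 0.0.0.255 any (1103067 matches)
190 permit ip 192.168.6.0 0.0.0.255 any (422039 matches)
200 permit ip 192.168.3.0 0.0.0.255 any
210 permit ip 192.168.5.0 0.0.0.255 any
"""
# Crypto ACL for the 192.168.5.0/24 tunnel as posted (selects tunnel traffic).
STCROIX_VPN = "50 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (1854977 matches)"
# arnold's proposed side-A lines; the sequence numbers 10/20 are assumed.
PROPOSED_SIDE_A = """
10 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
20 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
M32 = 0xFFFFFFFF
Spec = Tuple[int, int]  # (network, wildcard mask) as 32-bit ints; wildcard bit 1 = don't care
Ace = Tuple[int, str, Optional[Spec], Optional[Spec]]  # (seq, action, src, dst)

def _parse_addr(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one address spec at tokens[i]; return (spec, index of next token)."""
    if tokens[i] == "any":
        return (0, M32), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_ace(line: str) -> Ace:
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if proto != "ip":  # tcp/udp port entries keep their position but are never matched here
        return seq, action, None, None
    src, i = _parse_addr(tokens, 3)
    dst, _ = _parse_addr(tokens, i)
    return seq, action, src, dst

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]

def _matches(addr: int, spec: Spec) -> bool:
    net, wildcard = spec
    return ((addr ^ net) & ~wildcard & M32) == 0  # compare only the wildcard-0 bits

def _covers(outer: Spec, inner: Spec) -> bool:
    """True if every address matched by inner is also matched by outer."""
    fixed = ~outer[1] & M32  # bits outer actually compares
    return (inner[1] & fixed) == 0 and ((outer[0] ^ inner[0]) & fixed) == 0

def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, seq), or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for seq, action, src, dst in acl:
        if src is not None and _matches(s, src) and _matches(d, dst):
            return action, seq
    return "deny", None

def shadowed_by(acl: List[Ace], target_seq: int) -> Optional[int]:
    """Seq of the first earlier line whose src AND dst fully cover target_seq's, else None."""
    target = next(a for a in acl if a[0] == target_seq)
    for seq, _action, src, dst in acl:
        if seq == target_seq or target[2] is None:
            return None
        if src is not None and _covers(src, target[2]) and _covers(dst, target[3]):
            return seq
    return None

if __name__ == "__main__":
    acl100 = parse_acl(ACL_100)
    print("6.x -> 5.x under ACL 100:", evaluate(acl100, "192.168.6.10", "192.168.5.20"))
    print("line 70 is shadowed by line:", shadowed_by(acl100, 70))
    print("6.x -> 5.x selected by stcroix_vpn:", evaluate(parse_acl(STCROIX_VPN), "192.168.6.10", "192.168.5.20"))
    print("6.x -> 5.x under proposed side A:", evaluate(parse_acl(PROPOSED_SIDE_A), "192.168.6.10", "192.168.5.20"))
```

Where access-list 100 is applied is never answered in the thread, so the model only shows which line a given source/destination pair would hit, not whether the interface carrying that traffic ever consults it.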
 

Author Comment

by:mpousson
ID: 24304550
OK, is this what I need to put in the Cisco 2821? I only have 1 Cisco router at the main location 1.1 and at the remote locations they have Symantec Gateway Security 360R Firewall/Routers. The VLAN site is just connected by the switches over the point-to-point. I

I really do appreciate all the effort you have invested in helping with this issue.
0
 
LVL 81

Expert Comment

by:arnold
ID: 24305157
Possibly.  I do not know what you have set up on the other side.  What you can do is test. Set up a time when you can alter the ACL on the 2821 and when you can make the mirror alterations on the branch side.  When the VPN comes up you can test whether it works.

The other part: I do not see what the point of your VLAN is, since you have a route defined that routes any packet destined to 192.168.6.0 to get to the destination.

A VLAN is useful if you want to separate and limit access from one segment to another without the need of a router.

You also have not answered where access-list 100 is applied.
Is it applied on the outside interface GigE 0/1 port?
0
