mpousson
asked on
Routing Problem With Vlan and VPN Through Cisco
For starters, my main network is 192.168.1.1 with a Cisco 2821. We have a VLAN connected to our admin office over point-to-point fiber which is 192.168.6.1. We have 2 VPN tunnels through the Cisco that connect to Symantec Gateway 360R routers at the remote sites with the IP addresses 192.168.5.1 and 192.168.3.1. From the main 192.168.1.1 site I can connect to any of the remote subnets; the problem comes in from the admin office with the VLAN: they cannot connect to the 3.1 or 5.1 network. The only subnet the 6.1 can access or ping is the main 192.168.1.1. I need to find out how to route 6.1 through the Cisco at the 1.1 to the 2 remote subnets that are connected by VPN tunnels. Right now when the 6.1 tries to, traffic stops at the 1.1.
Does the main location/VPN allow the 6.1 network to get out? Is the 6.1 network included in the VPN connection ACL?
ASKER
The 6.1 can get out just fine; they are connected to the main network via VLAN over switches connected by a fiber point-to-point. I am not sure if the 6.1 is in the ACL. I am also not an expert when it comes to Cisco; I am fairly green.
You need to run:
show crypto ipsec sa
show crypto isakmp sa
What you are looking for is to see whether the 192.168.6.x is part of the routing rule set,
i.e. whether the 192.168.6.x is included in the allowed sections of the VPN.
If you look on the remote location, do you have a nat (inside) 0 acl
where the acl includes a permit ip 192.168.6.x?
Do you have on the main location the ACL that deals with outgoing VPNs that includes the 192.168.6.x?
If you post your configuration on the main site (excluding public IPs, replace those with X.X.X.X, and excluding the passphrases/passwords, these can be replaced with passphrase or password)
ASKER
Here is the show crypto ipsec sa output. Note that the 6.1 network is connected through point-to-point fiber using a VLAN through switches and not the router; it also uses the same WAN IP as the main network it is connected to.
interface: GigabitEthernet0/1
Crypto map tag: mymap, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 312, #pkts encrypt: 312, #pkts digest: 312
#pkts decaps: 260, #pkts decrypt: 260, #pkts verify: 260
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x389EBA93(949926547)
inbound esp sas:
spi: 0xFAE25BBA(4209138618)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3005, flow_id: NETGX:5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4591949/3545)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
rmination of show output for identity
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0 /0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 215923, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 712, #pkts encrypt: 712, #pkts digest: 712
#pkts decaps: 1179, #pkts decrypt: 1179, #pkts verify: 1179
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x8E4EEBB0(2387536816)
inbound esp sas:
spi: 0x31254E52(824528466)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4444187/137)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8E4EEBB0(2387536816)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3007, flow_id: NETGX:7, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4444301/137)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0 /0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50725, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 1227, #pkts encrypt: 1227, #pkts digest: 1227
#pkts decaps: 7983, #pkts decrypt: 7983, #pkts verify: 7983
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x1C945B27(479484711)
inbound esp sas:
spi: 0x17654282(392512130)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3006, flow_id: NETGX:6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4545494/2894)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1C945B27(479484711)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4545507/2888)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0 /0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 9694, #pkts encrypt: 9694, #pkts digest: 9694
#pkts decaps: 9556, #pkts decrypt: 9556, #pkts verify: 9556
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0xB2D3EF1C(3000233756)
inbound esp sas:
spi: 0xBE22BC46(3189947462)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3012, flow_id: NETGX:12, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4530222/1925)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB2D3EF1C(3000233756)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3008, flow_id: NETGX:8, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4528513/1921)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0 /0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0 /0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46284, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ASKER
router2821#show crypto isakmp sa
dst src state conn-id slot status
x.x.x.x x.x.x.x QM_IDLE 1997 0 ACTIVE
x.x.x.x x.x.x.x QM_IDLE 1817 0 ACTIVE
x.x.x.x x.x.x.x MM_NO_STATE 1996 0 ACTIVE (deleted)
x.x.x.x x.x.x.x MM_NO_STATE 1995 0 ACTIVE (deleted)
x.x.x.x x.x.x.x QM_IDLE 1724 0 ACTIVE
x.x.x.x x.x.x.x QM_IDLE 1963 0 ACTIVE
You do not advertise through any of the VPNs that 192.168.6.x is available.
This is why the remote locations do not route 192.168.6.x through the VPN.
The points of interest are the local ident and remote ident. These are the means by which the routers on each end know which IP traffic to route through the VPN.
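To make the local ident / remote ident check above mechanical, here is an added example in Python (mine, not code from the thread, from Cisco or from Symantec). It parses the show crypto ipsec sa text format posted above into one entry per "protected vrf:" block, then answers two questions for a given source and destination subnet: is the pair covered by any local/remote ident at all, and does the entry that covers it have active SAs that are actually encapsulating packets. SAMPLE_OUTPUT is a constructed excerpt in the same format as the posted output (two of the entries for the 192.168.3.0/24 peer). Run against the real output above, a 192.168.6.0/24 to 192.168.3.0/24 flow would match only the 192.168.0.0/16 entry, which shows zero encaps, no inbound or outbound ESP SAs and 50725 send errors, so the check reports it as stale rather than healthy.

```python
"""Check which IPsec SAs from `show crypto ipsec sa` would carry a given flow.

Added example for this thread, not code from the original posts, Cisco or
Symantec. It reads the text format shown in the thread and reports whether a
source->destination subnet pair is covered by an ident pair, and whether the
covering entry is healthy (active SAs, packets encapsulated) or stale.
"""
import ipaddress
import re

# Constructed sample in the format of the thread's output; counters and SPIs
# are illustrative, not taken from a live device.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/1
Crypto map tag: mymap, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 712, #pkts encrypt: 712, #pkts digest: 712
#pkts decaps: 1179, #pkts decrypt: 1179, #pkts verify: 1179
#send errors 0, #recv errors 0
current outbound spi: 0x8E4EEBB0(2387536816)
inbound esp sas:
spi: 0x31254E52(824528466)
Status: ACTIVE
outbound esp sas:
spi: 0x8E4EEBB0(2387536816)
Status: ACTIVE
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 50725, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
"""

# "local ident (...): (192.168.1.0/255.255.255.0/0/0)" -> side, address, mask
IDENT_RE = re.compile(r"^(local|remote) ident.*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")
SENDERR_RE = re.compile(r"^#send errors (\d+)")


def parse_ipsec_sa(text):
    """Split the show output into one dict per 'protected vrf:' block."""
    entries = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("protected vrf:"):
            cur = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "active_sas": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first block
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            # ip_network accepts dotted-decimal masks, as IOS prints them
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        for key, rx in (("encaps", ENCAPS_RE), ("decaps", DECAPS_RE),
                        ("send_errors", SENDERR_RE)):
            m = rx.match(line)
            if m:
                cur[key] = int(m.group(1))
        if line == "Status: ACTIVE":
            cur["active_sas"] += 1  # one per negotiated inbound/outbound SA
    return entries


def sas_for_flow(entries, src, dst):
    """Return the entries whose ident pair covers the src->dst subnets."""
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    return [e for e in entries
            if e["local"] is not None and e["remote"] is not None
            and src_net.subnet_of(e["local"]) and dst_net.subnet_of(e["remote"])]


def diagnose(entries, src, dst):
    """'none' (no ident covers the flow), 'healthy' (a covering entry has
    active SAs and has encapsulated packets) or 'stale' (covered on paper
    only: no SAs negotiated and nothing encapsulated)."""
    matches = sas_for_flow(entries, src, dst)
    if not matches:
        return "none"
    if any(e["active_sas"] > 0 and e["encaps"] > 0 for e in matches):
        return "healthy"
    return "stale"


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for flow in (("192.168.1.0/24", "192.168.3.0/24"),
                 ("192.168.6.0/24", "192.168.3.0/24")):
        print(flow, "->", diagnose(sas, *flow))
```

A "stale" result is the case to look at: the crypto ACL on this side proposes the traffic, but the entry has never completed negotiation, which usually means the two ends disagree on the ident pair. A "none" result means the flow is not in any crypto ACL on this side at all, which is the situation the reply above describes for 192.168.6.x.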
ASKER
OK, is it something I can set up in the Cisco or do I need to set it up in the Symantecs at the remote locations?
On the Cisco, do you have a match-address directive for the VPN?
You also have VPNs that use 192.168.0.0/255.255.0.0; is that on purpose?
ASKER
I am a real novice when it comes to Ciscos and I did not originally set this one up, so I am not sure what the purpose of 192.168.0.0 is. I am not sure about a match-address directive.
I suspect that the two entries might be to allow cross-location communication via the VPN, i.e. 192.168.5.x to be able to access 192.168.4.x, etc.
The problem might be that the VLAN configuration is such that only 192.168.1.x can enter. Without seeing the configuration it is hard to say.
Run show interfaces at the main location and see whether there is an access-list that limits what IPs can access the 192.168.6.x segment or can pass through that interface.
ASKER
Here is what I got when I ran show interfaces; I am learning a little more each day. This is our first Cisco router and it was put into service about a month ago by someone who is no longer here.
router2821#show interfaces
GigabitEthernet0/0 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0016.9dd8.d150 (bia 0016.9dd8.d150)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is T
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 284000 bits/sec, 85 packets/sec
5 minute output rate 749000 bits/sec, 94 packets/sec
65814157 packets input, 863080706 bytes, 0 no buffer
Received 2288727 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 1 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
78110241 packets output, 1522531646 bytes, 0 underruns
8443 output errors, 0 collisions, 4 interface resets
0 babbles, 8443 late collision, 0 deferred
0 lost carrier, 0 no carrier, 1 pause output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0016.9dd8.d151 (bia 0016.9dd8.d151)
Internet address is x.x.x.x/29
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is T
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/8/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 706000 bits/sec, 89 packets/sec
5 minute output rate 284000 bits/sec, 81 packets/sec
79428572 packets input, 1740859661 bytes, 0 no buffer
Received 19029 broadcasts, 0 runts, 0 giants, 4 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
64574009 packets output, 1041099656 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Serial0/0/0 is administratively down, line protocol is down
Hardware is GT96K with integrated T1 CSU/DSU
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters 2w2d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=down DSR=up DTR=down RTS=down CTS=down
Serial0/2/0 is administratively down, line protocol is down
Hardware is GT96K with integrated T1 CSU/DSU
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters 2w2d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=down DSR=up DTR=down RTS=down CTS=down
NVI0 is up, line protocol is up
Hardware is NVI
MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Loopback1 is up, line protocol is up
Hardware is Loopback
Internet address is 1.1.1.2/30
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 5000 bits/sec, 3 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3545300 packets output, 1039929367 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Is your 192.168.6.0/24 VLAN segment connected to the 2821 via another device that has a 192.168.1.x IP on the WAN side? Or are you using a NAT virtual Interface for the VLAN separation?
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html
A different approach could have been to use one of the remaining GigaBitEthernets and define them under a separate VLAN and then setup ACL.
ASKER
I thought I had mentioned it in the beginning: the VLAN is being connected over a point to point fiber connecting both offices. At the 192.168.1.1 side it has a port on the HP ProCurve 5406zl with a VLAN to the 192.168.6.1, using a port on the HP ProCurve 2428.
Is the point to point fiber connection going through the NAT Virtual Interface?
GigabitEthernet 0/0 is your Inside (LAN)
GigabitEthernet 0/1 is your outside (WAN)
NVI0 is your point to point VLAN?
You only have "three" active interfaces.
Do you have ACL restrictions that handle which IPs can get to the 192.168.6.x IP?
You may have a restriction that only allows 192.168.1.x to get to 192.168.6.x.
run the following:
show ip access-list
This should list all the access-lists on your router.
ASKER
OK, going to do that. The point to point is connected by a Cisco switch at each location; that is not our equipment, it is our ISP's equipment.
Is it a cisco switch or a cisco router? A switch would not interfere with packet flow.
The hw might be a pair of routers that limit the traffic to 192.168.1.x and 192.168.6.x. Check with the ISP whether changes need to be made on their equipment if you are adding another segment that the 192.168.6.x needs to be able to access.
ASKER
Here is the show ip access-list
router2821#show ip access-list
Extended IP access list 100
10 deny ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255 (214562 matches)
20 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (659968 matches)
30 deny ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (717387 matches)
40 deny ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255 (2175060 matches)
50 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
60 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
70 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
80 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
90 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
100 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
110 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
120 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
140 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
150 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
160 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
170 deny tcp host 192.168.1.189 eq 8182 any eq www
180 permit ip 192.168.1.0 0.0.0.255 any (1103067 matches)
190 permit ip 192.168.6.0 0.0.0.255 any (422039 matches)
200 permit ip 192.168.3.0 0.0.0.255 any
210 permit ip 192.168.5.0 0.0.0.255 any
Extended IP access list 101
10 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (7126265 matches)
Extended IP access list 102
10 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255 (503485 matches)
Extended IP access list patton_vpn
50 permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (2086653 matches)
Extended IP access list phone_vpn
10 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255 (3808346 matches)
Extended IP access list stcroix_vpn
50 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 (1854977 matches)
ASKER
The ISP's equipment is Cisco ME 3400 series switches at both locations.
Look at access-list 100: it has an explicit deny for 192.168.6.x to 192.168.5.x, 192.168.2.x, 192.168.3.x, etc. But these do not match because the 192.168.0.0/16 deny rules are met first.
Where is access list 100 applied?
show ip route.
Where is the 192.168.0.0/255.255.0.0 coming from? Do you know whether you need to have access from branch1 to branch2 through the Main office?
192.168.3.0 to 192.168.5.0 through the VPN connection at the main office?
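To make the "met first" point above concrete, here is a small Python model (added here, not from the thread or from Cisco) of how IOS evaluates an extended ACL: Cisco wildcard masks are inverted into "must match" masks and entries are tried in sequence order with first match winning. The ACL text is access-list 100 as pasted, abbreviated to the entries that affect 192.168.6.0 traffic, with the hit counters dropped; the sample addresses in the usage are constructed.

```python
from ipaddress import IPv4Address
# Access-list 100 as pasted in the thread, abbreviated to the entries that
# govern 192.168.6.0 traffic to the 2.0, 3.0 and 5.0 networks.
ACL_100 = """\
20 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
30 deny ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
40 deny ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
70 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
100 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
140 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
180 permit ip 192.168.1.0 0.0.0.255 any
190 permit ip 192.168.6.0 0.0.0.255 any
"""

def _addr(tokens):
    # Consume 'any', 'host A' or 'A WILDCARD' -> (pattern, care); care is the
    # inverted Cisco wildcard: 1-bits are the bits the address must match.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    return int(IPv4Address(tok)), 0xFFFFFFFF ^ int(IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'SEQ ACTION ip SRC DST' lines as printed by show ip access-list."""
    rules = []
    for line in text.strip().splitlines():
        seq, action, _proto, *rest = line.split()
        rules.append((int(seq), action, _addr(rest), _addr(rest)))
    return rules

def evaluate(rules, src, dst):
    """IOS semantics: first matching entry wins; implicit deny at the end."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for seq, action, (sp, sc), (dp, dc) in rules:
        if (s & sc) == (sp & sc) and (d & dc) == (dp & dc):
            return seq, action
    return None, "deny"

def shadowed(rules):
    """Entries that can never match: an earlier, broader entry covers them."""
    out = []
    for j, (seq, _, (sp, sc), (dp, dc)) in enumerate(rules):
        for _, _, (isp, isc), (idp, idc) in rules[:j]:
            if ((isc & ~sc) == 0 and (idc & ~dc) == 0
                    and (sp & isc) == (isp & isc) and (dp & idc) == (idp & idc)):
                out.append(seq)
                break
    return out
```

Running `evaluate(parse_acl(ACL_100), "192.168.6.10", "192.168.5.10")` returns sequence 20, not 70, and `shadowed()` reports 70, 100 and 140 as unreachable; in the pasted output those /24-to-/24 denies (sequence 50 through 160) are exactly the ones with no match counter.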
ASKER
Here is the show ip route. The 192.168.6.1 needs to access the 2.1, 3.1 and 5.1 legs of the network; right now all it can do is access the 1.1. The only place the 3.1 and 5.1 need to be able to reach is the 1.1, which they can now.
router2821#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is x.x.x.x to network 0.0.0.0
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback1
x.x.x.x/29 is subnetted, 1 subnets
C x.x.x.x is directly connected, GigabitEthernet0/1
S 192.168.6.0/24 [1/0] via 192.168.1.5
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 208.180.58.241
What is at 192.168.1.5?
Can you display a show ip route from one of the other locations?
The problem is that you are not advertising to the 192.168.2.0/24, 3.0/24 that 192.168.6.0/24 is accessible through the VPN. This also means that even if traffic from 192.168.6.0 makes its way through the VPN from the 192.168.1.0/24 side it will not be allowed in on the remote site?
The use of the 192.168.0.0/16 on some VPNs is what confuses
I.e. it seems that you have two VPNs going to the same location:
one has the 192.168.1.0/24 to 192.168.5.0/24 and the other is 192.168.0.0/16 to the same 192.168.5.0/24.
ASKER
192.168.1.5 is the address of the HP ProCurve 5406zl switch and is our default LAN gateway. This is also the switch on the 1.1 network that has the VLAN set up for the 6 network.
I am going to try and call the guy who initially set the router up and ask why we have the 192.168.0.0/16.
ASKER
So is there something I can set up in the Cisco for the 6 to be advertised? Or do I just need to change something at the remote sites?
ASKER
OK, is this what I need to put in the Cisco 2821? I only have 1 Cisco router at the main location 1.1, and at the remote locations they have Symantec Gateway Security 360R Firewall/Routers. The VLAN site is just connected by the switches over the point to point.
I really do appreciate all the effort you have invested in helping with this issue.
Possibly. I do not know what you have set up on the other side. What you can do is test. Set up a time when you can alter the ACL on the 2821 and when you can make the mirror alterations on the branch side. When the VPN comes up you can test whether it works.
The other part: I do not see what the point of your VLAN is, since you have a route defined that routes any packet destined to 192.168.6.0 to the destination.
VLAN is useful if you want to separate and limit access from one segment to another without the need of a router.
You also have not answered where access-list 100 is applied.
Is it applied on the outside interface Gige 0/1 port?