Solved

problem with routing to VPN connected site

Posted on 2011-02-17
11
313 Views
Last Modified: 2012-05-11
Hi All.  I will try to explain this as clearly as possible.  I have 7 offices connected internally through a series of MetroE connections in a hub & spoke setup.  I also have some home users who have Cisco 800 series VPN routers connecting back to my network through a Cisco VPN 3005 concentrator.  The problem is that users in the homes can only access resources on the main network.  They cannot access any of the other 'internal' offices. Example diagram is:

192.0.6.0 - Router B - 192.168.4.6  -  192.168.4.1 - Router A - 192.0.1.1  -  192.0.1.4 - 3005VPN -  NET  -  NET - Cisco800 - 192.168.140.0

anyone on the 192.0.1.0 network can access the 192.168.140.0 network and vice-versa, no problem.  But 192.168.140.0 network cannot access the 192.0.6.0 network & vice-versa.  OK, so I kinda get that Router A isn't passing the traffic, but I don't know how to make it.  BTW, the routes are in Router A and it is correctly advertising those routes to Router B.

Thanks!  Don
Question by:dongcamp100
11 Comments
 
LVL 4

Expert Comment

by:AnthonyHamon
ID: 34918303
It sounds like your VPN clients are not given a default gateway in order to route out of the 192.0.1.0 network.
0
 
LVL 5

Expert Comment

by:rdhoore108
ID: 34918451
Your VPN client from 192.0.6.0 probably can reach 192.168.140.0 fine, but the router B doesn't know how to reach 192.0.6.0, and sends the return traffic through its default gateway instead.

But where exactly it goes wrong, needs to be debugged on the routers themselves. Are you managing those CISCO routers yourself?
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 34918497
Hi,

Do you use split tunnelling for your home users? If you do, you will need to specify which subnets you want to send over the VPN. In which case you will need to specify all of the subnets you want them to reach.
0

Author Comment

by:dongcamp100
ID: 34918720
I am not using split tunneling.  In the concentrator profile, I have Tunnel Everything set.  192.0.6.0 is internal and it is directly connected to Router B, so Router B knows where to send traffic.  The VPN clients are connected to the 800 Router and it has a default gateway to the NET.  Traffic makes it from the VPN clients into the 192.0.1.1 network, but doesn't get any farther into the other 'internal' networks such as 192.0.6.0.
0
 
LVL 5

Expert Comment

by:rdhoore108
ID: 34919049
I still think the traffic does get from your VPN client to the "other internal networks", but there is no route back to the VPN client.

You might try a tracert command from your other internal network to a VPN client's IP, and see how far it gets.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 34919412
Have a look at the access-list on the VPN concentrator that defines interesting traffic. Does this preclude any of the networks that you want the VPN users to access?
0
 
LVL 17

Accepted Solution

by:rochey2009 (earned 500 total points)
ID: 34919456
I think they refer to them as network lists, not access-lists, on VPN concentrators.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

Have a look at step 4 in the above link.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 34921211
I believe you're missing a couple of routes someplace, but I'm having trouble figuring out your network layout.
Can you give us a basic diagram?
0
 

Author Comment

by:dongcamp100
ID: 35240455
I would like to accept and award points on this question as one of the comments has ultimately led to a resolution.  Please allow me to do so and I will close the question as solved.
0
 

Author Closing Comment

by:dongcamp100
ID: 35240466
It turned out to actually be the access-list on the endpoint router.  I think I am still a little fuzzy on why it was wrong, but ultimately, tinkering with the access-list statements on the router fixed the problem.
0
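To illustrate the kind of access-list mismatch the closing comment describes, here is a constructed Cisco IOS fragment (added for this thread, not the poster's actual configuration). It assumes the Cisco 800 selects tunnel traffic with a crypto map whose `match address` ACL lists the remote subnets, that all subnets are /24, and that the concentrator's network list mirrors these entries (step 4 of the linked document); the ACL and crypto map names are made up.

```cisco
! Constructed example, not the poster's configuration.
! Assumption: the home-office Cisco 800 uses a crypto map and an extended ACL
! to decide which traffic is encrypted towards the 3005 concentrator.
!
! BEFORE: only the hub LAN (192.0.1.0/24) is matched. Packets from the home
! LAN 192.168.140.0/24 to the spoke office 192.0.6.0/24 never match this ACL,
! so they bypass the tunnel and follow the default route to the Internet,
! which is why the other 'internal' offices are unreachable.
ip access-list extended VPN-TRAFFIC-BEFORE
 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255
!
! AFTER: every internal subnet reachable behind the concentrator is listed.
! The concentrator's network list for this group must contain the mirror
! image of these entries, otherwise the second SA proposal is rejected.
ip access-list extended VPN-TRAFFIC-AFTER
 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255
 permit ip 192.168.140.0 0.0.0.255 192.0.6.0 0.0.0.255
!
! The crypto map references the corrected ACL (peer address is a placeholder).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer CONCENTRATOR-PUBLIC-IP-PLACEHOLDER
 match address VPN-TRAFFIC-AFTER
!
! Verification: "show access-lists VPN-TRAFFIC-AFTER" shows hit counts per
! entry, and "show crypto ipsec sa" lists one pair of local/remote identities
! per permitted subnet pair, so a missing subnet is visible as a missing SA.
```

On the concentrator side, the corresponding network list needs 192.0.1.0/24 and 192.0.6.0/24 as local networks; a subnet present on only one side still fails to negotiate.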
