Solved

problem with routing to VPN connected site

Posted on 2011-02-17
Last Modified: 2012-05-11
Hi All.  I will try to explain this as clearly as possible.  I have 7 offices connected internally through a series of MetroE connections in a hub & spoke setup.  I also have some home users who have Cisco 800 series VPN routers connecting back to my network through a Cisco VPN 3005 concentrator.  The problem is that users in the homes can only access resources on the main network.  They cannot access any of the other 'internal' offices. Example diagram is:

192.0.6.0 - Router B - 192.168.4.6  -  192.168.4.1 - Router A - 192.0.1.1  -  192.0.1.4 - 3005VPN -  NET  -  NET - Cisco800 - 192.168.140.0

Anyone on the 192.0.1.0 network can access the 192.168.140.0 network and vice-versa, no problem.  But the 192.168.140.0 network cannot access the 192.0.6.0 network & vice-versa.  OK, so I kinda get that Router A isn't passing the traffic, but I don't know how to make it.  BTW, the routes are in Router A and it is correctly advertising those routes to Router B.

Thanks!  Don
Question by:dongcamp100
11 Comments
 
LVL 4

Expert Comment

by:AnthonyHamon
ID: 34918303
It sounds like your VPN clients are not given a default gateway in order to route out of the 192.0.1.0 network.
 
LVL 5

Expert Comment

by:rdhoore108
ID: 34918451
Your VPN client from 192.0.6.0 probably can reach 192.168.140.0 fine, but Router B doesn't know how to reach 192.0.6.0, and sends the return traffic through its default gateway instead.

But where exactly it goes wrong, needs to be debugged on the routers themselves. Are you managing those CISCO routers yourself?
 
LVL 17

Expert Comment

by:rochey2009
ID: 34918497
Hi,

Do you use split tunnelling for your home users? If you have, you will need to specify which subnets you want to send over the VPN. In which case you will need to specify all of the subnets you want them to reach.
 

Author Comment

by:dongcamp100
ID: 34918720
I am not using split tunneling.  In the concentrator profile, I have Tunnel Everything set.  192.0.6.0 is internal and it is directly connected to Router B, so Router B knows where to send traffic.  The VPN clients are connected to the 800 Router and it has a default gateway to the NET.  Traffic makes it from the VPN clients into the 192.0.1.1 network, but doesn't get any farther into the other 'internal' networks such as 192.0.6.0.
 
LVL 5

Expert Comment

by:rdhoore108
ID: 34919049
I still think the traffic does get from your VPN client to the "other internal networks", but there is no route back to the VPN client.

You might try a tracert command from your other internal network to a VPN client's IP, and see how far it gets.
 
LVL 17

Expert Comment

by:rochey2009
ID: 34919412
Have a look at the access-list on the VPN concentrator that defines interesting traffic. Does this preclude any of the networks that you want the VPN users to access?
 
LVL 17

Accepted Solution

by:
rochey2009 earned 500 total points
ID: 34919456
I think they refer to them as network lists, not access-lists, on VPN concentrators.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

Have a look at step 4 in the above link.
 
LVL 13

Expert Comment

by:kdearing
ID: 34921211
I believe you're missing a couple of routes someplace, but I'm having trouble figuring out your network layout.
Can you give us a basic diagram?
 

Author Comment

by:dongcamp100
ID: 35240455
I would like to accept and award points on this question as one of the comments has ultimately led to a resolution.  Please allow me to do so and I will close the question as solved.
 

Author Closing Comment

by:dongcamp100
ID: 35240466
It turned out to actually be the access-list on the endpoint router.  I think I am still a little fuzzy on why it was wrong, but ultimately, tinkering with the access-list statements on the router fixed the problem.
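Added example, not from the thread or from Cisco: a small Python checker that parses IOS-style extended ACL lines (the "interesting traffic" definition on a Cisco 800) and reports which internal subnets a home user would never reach through the tunnel, which is the kind of gap the closing comment describes. The ACL lines, host addresses and /24 prefixes are constructed for illustration; the thread never shows the actual configuration, and the matching network list on the 3005 concentrator has to permit the same pairs from its side.

```python
import ipaddress
import re

# IOS extended ACL syntax: access-list <n> permit|deny ip <src> <wildcard> <dst> <wildcard>
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a network. A wildcard mask is
    the inverse of a subnet mask (0.0.0.255 -> 255.255.255.0); non-contiguous
    wildcards raise ValueError, which is fine for this checker."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(config: str):
    """Return (action, src_net, dst_net) tuples in configured order."""
    return [
        (m.group(2), wildcard_to_network(m.group(3), m.group(4)),
         wildcard_to_network(m.group(5), m.group(6)))
        for m in ACE_RE.finditer(config)
    ]

def is_interesting(entries, src_ip: str, dst_ip: str) -> bool:
    """First-match semantics with an implicit deny at the end: True means the
    router would send this src/dst pair into the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False

def unreachable_via_tunnel(entries, home_net: str, internal_nets):
    """Internal networks that a host on home_net would NOT reach over the VPN."""
    src = ipaddress.IPv4Network(home_net)[10]  # arbitrary host in the home LAN
    return [n for n in internal_nets
            if not is_interesting(entries, str(src), str(ipaddress.IPv4Network(n)[10]))]

# Constructed configs: the "before" ACL only covers the main office subnet.
BEFORE = parse_acl("access-list 101 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255\n")
AFTER = parse_acl(
    "access-list 101 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255\n"
    "access-list 101 permit ip 192.168.140.0 0.0.0.255 192.0.6.0 0.0.0.255\n"
)
INTERNAL = ["192.0.1.0/24", "192.0.6.0/24"]  # assumed /24s from the diagram

if __name__ == "__main__":
    print("before:", unreachable_via_tunnel(BEFORE, "192.168.140.0/24", INTERNAL))
    print("after: ", unreachable_via_tunnel(AFTER, "192.168.140.0/24", INTERNAL))
```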
