Solved

problem with routing to VPN connected site

Posted on 2011-02-17
308 Views
Last Modified: 2012-05-11
Hi All.  I will try to explain this as clearly as possible.  I have 7 offices connected internally through a series of MetroE connections in a hub & spoke setup.  I also have some home users who have Cisco 800 series VPN routers connecting back to my network through a Cisco VPN 3005 concentrator.  The problem is that users in the homes can only access resources on the main network.  They cannot access any of the other 'internal' offices. Example diagram is:

192.0.6.0 - Router B - 192.168.4.6  -  192.168.4.1 - Router A - 192.0.1.1  -  192.0.1.4 - 3005VPN -  NET  -  NET - Cisco800 - 192.168.140.0

anyone on the 192.0.1.0 network can access the 192.168.140.0 network and vice-versa, no problem.  But 192.168.140.0 network cannot access the 192.0.6.0 network & vice-versa.  OK, so I kinda get that Router A isn't passing the traffic, but I don't know how to make it.  BTW, the routes are in Router A and it is correctly advertising those routes to Router B.

Thanks!  Don
Question by:dongcamp100
11 Comments

Expert Comment

by:AnthonyHamon
ID: 34918303
It sounds like your VPN clients are not given a default gateway in order to route out of the 192.0.1.0 network.

Expert Comment

by:rdhoore108
ID: 34918451
Your VPN client from 192.0.6.0 probably can reach 192.168.140.0 fine, but the router B doesn't know how to reach 192.0.6.0, and sends the return traffic through its default gateway instead.

But where exactly it goes wrong needs to be debugged on the routers themselves. Are you managing those Cisco routers yourself?

Expert Comment

by:rochey2009
ID: 34918497
Hi,

Do you use split tunnelling for your home users? If you have, you will need to specify which subnets you want to send over the VPN. In which case you will need to specify all of the subnets you want them to reach.

Author Comment

by:dongcamp100
ID: 34918720
I am not using split tunneling.  In the concentrator profile, I have Tunnel Everything set.  192.0.6.0 is internal and it is directly connected to Router B, so Router B knows where to send traffic.  The VPN clients are connected to the 800 Router and it has a default gateway to the NET.  Traffic makes it from the VPN clients into the 192.0.1.1 network, but doesn't get any farther into the other 'internal' networks such as 192.0.6.0.

Expert Comment

by:rdhoore108
ID: 34919049
I still think the traffic does get from your VPN client to the "'other internal networks", but there is no route back to the VPN client.

You might try a tracert command from your other internal network to a VPN client's IP, and see how far it gets.

Expert Comment

by:rochey2009
ID: 34919412
Have a look at the access-list on the VPN concentrator that defines interesting traffic. Does this preclude any of the networks that you want the VPN users to access?

Accepted Solution

by:rochey2009 (earned 500 total points)
ID: 34919456
I think they refer to them as network lists not access-lists on VPN concentrators

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

Have a look at step 4 in the above link.

Expert Comment

by:kdearing
ID: 34921211
I believe you're missing a couple of routes someplace, but I'm having trouble figuring out your network layout.
Can you give us a basic diagram?

Author Comment

by:dongcamp100
ID: 35240455
I would like to accept and award points on this question as one of the comments has ultimately led to a resolution.  Please allow me to do so and I will close the question as solved.

Author Closing Comment

by:dongcamp100
ID: 35240466
It turned out to actually be the access-list on the endpoint router.  I think I am still a little fuzzy on why it was wrong, but ultimately, tinkering with the access-list statements on the router fixed the problem.
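The thread ends with "tinkering with the access-list statements on the router fixed the problem" without saying what was wrong. The usual cause, which matches rochey2009's "interesting traffic" comment, is that the crypto ACL on the endpoint router (or the network list on the concentrator) only named 192.0.1.0/24, so packets for 192.0.6.0/24 never matched a permit entry and fell to the implicit deny, i.e. they were never selected for the tunnel. The following is an added example, not code from the thread or from Cisco: it evaluates Cisco-style wildcard-mask ACL entries with first-match and implicit-deny semantics and audits which internal subnets a given ACL fails to tunnel. The ACL number 110, the exact entries, and the /24 prefix lengths are assumptions; only the subnet addresses come from the original post.

```python
"""Evaluate a Cisco IOS crypto ACL to see which flows it selects for the tunnel.

Added example (not from the thread or from Cisco). Models first-match
evaluation with the implicit deny at the end, which is why a subnet the ACL
never names silently stays out of the tunnel.
"""
import ipaddress

# Constructed sample ACLs. The subnets are the ones named in the thread; the
# ACL number (110), the entries themselves and the /24 masks are assumptions.
BEFORE_ACL = """
access-list 110 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255
""".strip().splitlines()

AFTER_ACL = """
access-list 110 permit ip 192.168.140.0 0.0.0.255 192.0.1.0 0.0.0.255
access-list 110 permit ip 192.168.140.0 0.0.0.255 192.0.6.0 0.0.0.255
access-list 110 permit ip 192.168.140.0 0.0.0.255 192.168.4.0 0.0.0.255
""".strip().splitlines()

INTERNAL_SUBNETS = ["192.0.1.0/24", "192.0.6.0/24", "192.168.4.0/24"]


def _in_wildcard(addr, base, wildcard):
    """True when addr matches base under a Cisco wildcard mask.

    Wildcard bits set to 1 are "don't care"; only the remaining bits are
    compared, which also handles non-contiguous wildcards correctly.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ w
    return (a & keep) == (b & keep)


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD' into a dict.

    Only the plain 'ip' form with explicit wildcards is handled; 'host',
    'any' and port-qualified entries raise so they are not silently ignored.
    """
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    if t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported action in ACE: {line!r}")
    return {"action": t[2], "src": t[4], "swild": t[5], "dst": t[6], "dwild": t[7]}


def is_interesting(acl_lines, src, dst):
    """First matching entry decides; no match means the implicit deny.

    For a crypto ACL, deny (explicit or implicit) means the flow is not
    protected by the tunnel, so it is forwarded, or dropped, per plain routing.
    """
    for line in acl_lines:
        ace = parse_ace(line)
        if _in_wildcard(src, ace["src"], ace["swild"]) and _in_wildcard(
            dst, ace["dst"], ace["dwild"]
        ):
            return ace["action"] == "permit"
    return False


def missing_subnets(acl_lines, src, subnets):
    """Return the subnets (as 'a.b.c.d/len') the ACL never tunnels from src.

    Probes the first host address of each subnet; a quick audit for exactly
    the symptom in the thread (main site reachable, remote offices not).
    """
    out = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr)
        probe = str(net.network_address + 1)
        if not is_interesting(acl_lines, src, probe):
            out.append(cidr)
    return out


if __name__ == "__main__":
    client = "192.168.140.10"
    print("before:", missing_subnets(BEFORE_ACL, client, INTERNAL_SUBNETS))
    print("after: ", missing_subnets(AFTER_ACL, client, INTERNAL_SUBNETS))
```

Two practical notes. First, the ACL on the other end of the tunnel must be the mirror image of this one (destination and source swapped); a one-sided fix gives exactly the asymmetric behaviour rdhoore108 describes, where traffic goes out but never comes back. Second, a "Tunnel Everything" profile on the concentrator only governs what the client sends into the tunnel; the concentrator's own network list and the hub-side routes to 192.168.140.0/24 still have to cover every internal subnet, so run the same audit against each list on the path.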