• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 316
  • Last Modified:

problem with routing to VPN connected site

Hi All.  I will try to explain this as clearly as possible.  I have 7 offices connected internally through a series of MetroE connections in a hub & spoke setup.  I also have some home users who have Cisco 800 series VPN routers connecting back to my network through a Cisco VPN 3005 concentrator.  The problem is that users in the homes can only access resources on the main network.  They cannot access any of the other 'internal' offices. Example diagram is:

192.0.6.0 - Router B - 192.168.4.6  -  192.168.4.1 - Router A - 192.0.1.1  -  192.0.1.4 - 3005VPN -  NET  -  NET - Cisco800 - 192.168.140.0

anyone on the 192.0.1.0 network can access the 192.168.140.0 network and vice-versa, no problem.  But 192.168.140.0 network cannot access the 192.0.6.0 network & vice-versa.  OK, so I kinda get that Router A isn't passing the traffic, but I don't know how to make it.  BTW, the routes are in Router A and it is correctly advertising those routes to Router B.

Thanks!  Don
0
Asked: dongcamp100
1 Solution
 
AnthonyHamon Commented:
It sounds like your VPN clients are not given a default gateway in order to route out of the 192.0.1.0 network.
0
 
rdhoore108 Commented:
Your VPN client from 192.0.6.0 probably can reach 192.168.140.0 fine, but the router B doesn't know how to reach 192.0.6.0, and sends the return traffic through its default gateway instead.

But where exactly it goes wrong, needs to be debugged on the routers themselves. Are you managing those CISCO routers yourself?
0
 
rochey2009 Commented:
Hi,

Do you use split tunnelling for your home users? If you have, you will need to specify which subnets you want to send over the VPN, in which case you will need to specify all of the subnets you want them to reach.
0
 
dongcamp100 (Author) Commented:
I am not using split tunneling.  In the concentrator profile, I have Tunnel Everything set.  192.0.6.0 is internal and it is directly connected to Router B, so Router B knows where to send traffic.  The VPN clients are connected to the 800 Router and it has a default gateway to the NET.  Traffic makes it from the VPN clients into the 192.0.1.1 network, but doesn't get any farther into the other 'internal' networks such as 192.0.6.0.
0
 
rdhoore108 Commented:
I still think the traffic does get from your VPN client to the "other internal networks", but there is no route back to the VPN client.

You might try a tracert command from your other internal network to a VPN client's IP, and see how far it gets.
0
 
rochey2009 Commented:
Have a look at the access-list on the VPN concentrator that defines interesting traffic. Does this preclude any of the networks that you want the VPN users to access?
0
 
rochey2009 Commented:
I think they refer to them as network lists, not access-lists, on VPN concentrators.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

Have a look at step 4 in the above link.
0
 
kdearing Commented:
I believe you're missing a couple of routes someplace, but I'm having trouble figuring out your network layout.
Can you give us a basic diagram?
0
 
dongcamp100 (Author) Commented:
I would like to accept and award points on this question as one of the comments has ultimately led to a resolution.  Please allow me to do so and I will close the question as solved.
0
 
dongcamp100 (Author) Commented:
It turned out to actually be the access-list on the endpoint router.  I think I am still a little fuzzy on why it was wrong, but ultimately, tinkering with the access-list statements on the router fixed the problem.
0
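As an added illustration (not part of the thread, and not the author's real configuration), the following Python model of the diagram in the question traces a packet hop by hop using longest-prefix-match routing plus a tunnel policy check. It reproduces both failure modes discussed above: rdhoore108's "no route back" case, where Router A lacks a route to the VPN subnet and its default route carries the return traffic off toward the Internet, and the case the author actually fixed, where the access-list (network list) on the endpoint router only permits the main-site subnet, so traffic for 192.0.6.0 never enters the tunnel. The routing tables, the /24 masks, the "Internet" device and the policy contents are assumptions constructed for the example.

```python
"""Hop-by-hop trace through a toy model of the hub-and-spoke + VPN topology.

Constructed example: every table and policy below is an assumption for
illustration, built from the interface addresses given in the question.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def n(s: str) -> Net:
    return ipaddress.ip_network(s)


# Interface address -> owning device, taken from the diagram in the question.
INTERFACES = {
    "192.168.4.6": "RouterB", "192.168.4.1": "RouterA",
    "192.0.1.1": "RouterA", "192.0.1.4": "3005VPN",
}

# Tunnel policy (the concentrator's network list / the 800's crypto ACL):
# (source net, destination net) pairs allowed into the VPN, implicit deny otherwise.
NARROW_POLICY = [(n("192.168.140.0/24"), n("192.0.1.0/24")),
                 (n("192.0.1.0/24"), n("192.168.140.0/24"))]
FULL_POLICY = NARROW_POLICY + [(n("192.168.140.0/24"), n("192.0.6.0/24")),
                               (n("192.0.6.0/24"), n("192.168.140.0/24"))]


def routing_tables(router_a_knows_vpn_subnet: bool) -> Dict[str, List[Tuple[Net, str]]]:
    """Assumed per-device tables: (prefix, next hop). 'connected' delivers locally;
    a next-hop IP is resolved via INTERFACES; a device name stands for a tunnel/link."""
    router_a = [(n("192.0.1.0/24"), "connected"), (n("192.168.4.0/30"), "connected"),
                (n("192.0.6.0/24"), "192.168.4.6"), (n("0.0.0.0/0"), "Internet")]
    if router_a_knows_vpn_subnet:
        router_a.append((n("192.168.140.0/24"), "192.0.1.4"))  # VPN subnet via 3005
    return {
        "Cisco800": [(n("192.168.140.0/24"), "connected"), (n("0.0.0.0/0"), "3005VPN")],
        "3005VPN": [(n("192.168.140.0/24"), "Cisco800"), (n("192.0.1.0/24"), "connected"),
                    (n("0.0.0.0/0"), "192.0.1.1")],
        "RouterA": router_a,
        "RouterB": [(n("192.0.6.0/24"), "connected"), (n("192.168.4.0/30"), "connected"),
                    (n("0.0.0.0/0"), "192.168.4.1")],
    }


def lookup(table: List[Tuple[Net, str]], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, default (/0) last."""
    matches = [(p, nh) for p, nh in table if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def tunnel_permits(policy, src, dst) -> bool:
    return any(src in s and dst in d for s, d in policy)


def trace(src_ip: str, dst_ip: str, tables, policy, max_hops: int = 10):
    """Return (path of devices, verdict string) for a packet src -> dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Start on the device whose connected network contains the source.
    device = next(d for d, t in tables.items()
                  if any(nh == "connected" and src in p for p, nh in t))
    path = [device]
    for _ in range(max_hops):
        nh = lookup(tables[device], dst)
        if nh is None:
            return path, f"dropped at {device}: no route to {dst}"
        if nh == "connected":
            return path, f"delivered by {device}"
        nxt = INTERFACES.get(nh, nh)
        if nxt == "Internet":
            return path, f"dropped at {device}: default route sends {dst} to the Internet"
        # Crossing the VPN in either direction is only allowed for permitted pairs.
        if {device, nxt} == {"Cisco800", "3005VPN"} and not tunnel_permits(policy, src, dst):
            return path, f"dropped at {device}: tunnel policy does not include {src} -> {dst}"
        device = nxt
        path.append(device)
    return path, "dropped: hop limit exceeded (routing loop?)"


if __name__ == "__main__":
    good_tables, bad_tables = routing_tables(True), routing_tables(False)
    for label, s, d, t, p in [
        ("home -> main site, narrow ACL", "192.168.140.10", "192.0.1.10", good_tables, NARROW_POLICY),
        ("home -> office B, narrow ACL", "192.168.140.10", "192.0.6.10", good_tables, NARROW_POLICY),
        ("home -> office B, fixed ACL", "192.168.140.10", "192.0.6.10", good_tables, FULL_POLICY),
        ("office B -> home, Router A missing route", "192.0.6.10", "192.168.140.10", bad_tables, FULL_POLICY),
        ("office B -> home, fixed", "192.0.6.10", "192.168.140.10", good_tables, FULL_POLICY),
    ]:
        path, verdict = trace(s, d, t, p)
        print(f"{label}: {' -> '.join(path)} :: {verdict}")
```

Running it shows the narrow policy dropping 192.0.6.0 traffic on the Cisco 800 before it is ever encrypted, while the missing-route case gets all the way to Router A and then leaks toward the default route, which is exactly what a `tracert` from the office side (as suggested above) would reveal.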
