Question:
I have a VPN setup that I am trying to get working. When I issue the command sh crypto session on both routers I get the following:

OFFICE:
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 70.193.192.131 port 14275
IKEv1 SA: local 40.197.68.9/4500 remote 70.193.192.131/14275 Active
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.30.0/255.255.255.252
Active SAs: 2, origin: dynamic crypto map

HOME:
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 40.197.68.9 port 4500
IKEv1 SA: local 192.168.30.1/4500 remote 40.197.68.9/4500 Active
IPSEC FLOW: permit ip 192.168.30.0/255.255.255.252 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map

But when I issue a ping 192.168.10.1 from the home router it returns .....
Here is my network topology:
Attached are my config files.
First, I do not know what I need to do to get the home router to ping the office router. Second, what do I do to get the 192.168.2.0 network (phone) to cross the VPN all the way to my phone?
Any help you can provide, I will be greatly thankful for!!!
Answer:
Looking at your config, you're doing NAT per ACL 1, on your OFFICE router, for source of 192.168.10.0/24. You're NATing your OFFICE LAN to your public interface BEFORE it's being sent through the tunnel:
http://www.techrepublic.com/article/understand-the-order-of-operations-for-cisco-ios/6055946 (NAT Order of Operations)
Change it to an extended ACL and insert a line in it to deny NAT for your HOME network destinations across the tunnel:

ip access-list extended SDM_ACL
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3
 permit ip 192.168.10.0 0.0.0.255 any

That will take care of connectivity to the /30 subnet, but if you're wanting access to the OFFICE from your 110 and 115 VLANs from your HOME, then you'll need to add those networks to the VPN1-FLA-TRAFFIC and VPN-TRAFFIC ACLs, respectively.
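The answer's point is the IOS inside-to-outside order of operations: the NAT decision is made before the crypto map is consulted, so once the OFFICE LAN source is translated to the public address it no longer matches the crypto ACL and the packet leaves in the clear. The following Python model (an added example, not code from the original thread) reproduces that with Cisco-style wildcard matching. The contents of the VPN1-FLA-TRAFFIC crypto ACL are reconstructed from the IPSEC FLOW shown in the sh crypto session output, and ACL 1 is assumed to be a single permit for 192.168.10.0/24; both are assumptions, and the Internet-bound destination 203.0.113.10 is a constructed sample address.

```python
"""Model of the IOS inside-to-outside order of operations: NAT first, then
the crypto map match.  Added example; ACL contents below are assumptions
reconstructed from the forum thread, not the poster's actual config."""
import ipaddress

PUBLIC_IP = "40.197.68.9"  # OFFICE outside address, as seen in sh crypto session

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones matches everything


def _wild_match(addr, net, wild):
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def _take_addr(fields):
    """Consume one address specification ('any', 'host X', or 'NET WILD')."""
    if fields[0] == "any":
        return ANY, fields[1:]
    if fields[0] == "host":
        return (fields[1], "0.0.0.0"), fields[2:]
    return (fields[0], fields[1]), fields[2:]


def parse_acl(lines):
    """Parse standard ('permit NET WILD') and extended ('permit ip SRC WILD DST WILD')
    entries into (action, src, dst) tuples.  Standard ACLs match source only."""
    aces = []
    for line in lines:
        tok = line.split()
        action = tok[0]
        rest = tok[2:] if tok[1] == "ip" else tok[1:]  # standard ACLs carry no protocol
        src, rest = _take_addr(rest)
        dst = _take_addr(rest)[0] if rest else ANY
        aces.append((action, src, dst))
    return aces


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, (snet, swild), (dnet, dwild) in aces:
        if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
            return action == "permit"
    return False


def forward(src, dst, nat_acl, crypto_acl):
    """Inside->outside path on the OFFICE router: the NAT list is consulted
    before the crypto map, so a translated source is what the crypto ACL sees.
    Returns (disposition, source address on the wire)."""
    if acl_permits(nat_acl, src, dst):
        src = PUBLIC_IP  # PAT to the outside interface
    if acl_permits(crypto_acl, src, dst):
        return ("tunnel", src)
    return ("clear", src)


# Assumed original NAT list on OFFICE: a standard ACL permitting the whole LAN.
ACL_1 = parse_acl(["permit 192.168.10.0 0.0.0.255"])

# The extended ACL from the answer, with the NAT-exemption deny ahead of the permit.
SDM_ACL = parse_acl([
    "deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3",
    "permit ip 192.168.10.0 0.0.0.255 any",
])

# Crypto ACL reconstructed (assumption) from the IPSEC FLOW in sh crypto session.
VPN1_FLA_TRAFFIC = parse_acl(["permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3"])


def before_fix():
    """OFFICE LAN host replying to the HOME /30: NATed, so it misses the tunnel."""
    return forward("192.168.10.1", "192.168.30.1", ACL_1, VPN1_FLA_TRAFFIC)


def after_fix():
    """Same flow with the NAT exemption in place: untranslated, so it is encrypted."""
    return forward("192.168.10.1", "192.168.30.1", SDM_ACL, VPN1_FLA_TRAFFIC)


def internet_bound():
    """Ordinary Internet traffic (constructed destination) is still PATed and sent clear."""
    return forward("192.168.10.1", "203.0.113.10", SDM_ACL, VPN1_FLA_TRAFFIC)


if __name__ == "__main__":
    print("before fix:", before_fix())
    print("after fix: ", after_fix())
    print("internet:  ", internet_bound())
```

The same reasoning applies to the 110 and 115 VLANs the answer mentions: each additional LAN needs both a deny entry in the NAT list (so its tunnel-bound traffic is not translated) and a matching permit in the crypto ACLs on both routers, or it will take the clear path exactly as the first case above.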
