    Help Required on IPSEC VPN
    Topic #2213738

    by shazinali
    Dear All,
    I have got a site-to-site IPSEC VPN between an 1841 router and an ASA 5505. The VPN tunnel comes up fine and we are able to send traffic between the two sites with no issues.

    I have got an issue where the remote site is not able to access the internet through the same link. I have got NAT translations happening for all the non-VPN traffic, which is working fine, but the LAN IPs are not able to reach the internet.

    I have attached the config below.

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec show-timezone
    service timestamps log datetime msec show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Remote_Rtr
    !
    boot-start-marker
    boot system flash:c1841-advipservicesk9-mz.124-25c.bin
    boot-end-marker
    !
    logging buffered 20000 informational
    enable secret 5 $1$HpVE$9XOH8U2n2qkqiWnGZCIci1
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default enable
    !
    aaa session-id common
    clock timezone STT 2
    no ip source-route
    no ip gratuitous-arps
    ip icmp rate-limit unreachable 1000
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.70.1.1
    ip dhcp excluded-address 10.70.1.254
    !
    ip dhcp pool Libya_Lan
     network 10.70.1.0 255.255.255.0
     default-router 10.70.1.1
     option 150 ip 172.20.18.2 172.20.18.3
     dns-server 208.67.222.222 208.67.220.220
    !
    !
    no ip domain lookup
    ip domain name UBI.NET
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    username ahli secret 5 $1$BIRe$VksVXryB7ficNdLED9Kyi.
    !
    !
    ip tcp synwait-time 10
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key Ea98Vvj95kqrwy#879vYq%UTbe#pBZ&m2UBCI address X.X.X.X
    !
    !
    crypto ipsec transform-set UBI-AUB esp-3des esp-md5-hmac
    !
    crypto map pix 10 ipsec-isakmp
     set peer X.X.X.X
     set transform-set UBI-AUB
     match address UBI_AUB_ACL
    !
    !
    !
    !
    interface FastEthernet0/0
     description connected to LTT Router
     ip address X.X.X.X 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map pix
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
     spanning-tree portfast
    !
    interface FastEthernet0/0/1
     spanning-tree portfast
    !
    interface FastEthernet0/0/2
     spanning-tree portfast
    !
    interface FastEthernet0/0/3
     spanning-tree portfast
    !
    interface Vlan1
     ip address 10.70.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 X.X.X.X (fast eth 0/0)
    !
    !
    no ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    !
    ip access-list extended UBI_AUB_ACL
     permit ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
     permit ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
     permit ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
     permit ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
     permit ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
     permit ip host 10.70.0.2 host 10.70.0.1
     permit ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
    !
    access-list 16 remark ACL to restrict SNMP access to Switch
    access-list 16 permit 192.168.202.192 0.0.0.63
    access-list 16 permit 172.20.13.0 0.0.0.255
    access-list 16 permit 10.70.1.0 0.0.0.255
    access-list 16 deny any log
    access-list 50 remark ACL to permit router NTP Queries
    access-list 50 permit 192.168.241.55
    access-list 50 permit 192.168.241.54
    access-list 110 deny ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
    access-list 110 deny ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
    access-list 110 deny ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 deny ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
    access-list 110 deny ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
    access-list 110 deny ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
    access-list 110 permit ip 10.70.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 110
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     session-timeout 20 output
     exec-timeout 20 0
     logging synchronous
    line aux 0
     exec-timeout 0 10
     no exec
    line vty 0 4
     session-timeout 20 output
     access-class 23 in
     exec-timeout 20 0
     transport input ssh
    line vty 5 10
     access-class 23 in
     exec-timeout 20 0
     transport input ssh
    line vty 11 15
     session-timeout 20 output
     access-class 23 in
     exec-timeout 20 0
     transport input ssh

    Any help would be appreciated
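An added example, not code from the original post: a small Python check that pulls the crypto-map ACL and the NAT route-map ACL out of an IOS config like the one above and reports every crypto-permitted flow that the NAT ACL does not deny (such traffic is translated before IPsec sees it, so it never matches the tunnel). It assumes contiguous wildcard masks and plain `ip` ACL entries; `SAMPLE` is a constructed excerpt of the posted config.

```python
# Added example (not from the original post): cross-check the crypto-map ACL against
# the NAT-exemption ACL behind the route-map; SAMPLE is a constructed config excerpt.
import ipaddress
import re

def _take(toks):  # one IOS address spec (any | host A | A WILDCARD) -> (network, rest)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    plen = 32 - int(ipaddress.ip_address(toks[1])).bit_length()  # wildcard -> prefix len
    return ipaddress.ip_network((toks[0], plen), strict=False), toks[2:]

def parse_ip_acls(config):  # ACL name or number -> [(action, src_net, dst_net)]
    acls, named = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            named, acls[t[3]] = t[3], []
        elif t[:1] == ["access-list"] and t[3:4] == ["ip"]:  # numbered ACL entry
            src, rest = _take(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, _take(rest)[0]))
        elif named and t[:1] in (["permit"], ["deny"]) and t[1:2] == ["ip"]:
            src, rest = _take(t[2:])
            acls[named].append((t[0], src, _take(rest)[0]))
        elif t[:1] != ["remark"]:
            named = None  # any other line ends the named ACL block
    return acls

def unexempted_flows(config):  # crypto-ACL permits that no deny in the NAT ACL covers
    acls = parse_ip_acls(config)
    rm = re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M).group(1)
    nat_acl = re.search(r"^\s*route-map %s permit \d+\s*\n\s*match ip address (\S+)"
                        % re.escape(rm), config, re.M).group(1)
    denies = [(s, d) for a, s, d in acls[nat_acl] if a == "deny"]
    return [(name, str(src), str(dst))
            for name in re.findall(r"^\s*match address (\S+)", config, re.M)
            for action, src, dst in acls[name] if action == "permit"
            and not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in denies)]

SAMPLE = """crypto map pix 10 ipsec-isakmp
 match address UBI_AUB_ACL
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip access-list extended UBI_AUB_ACL
 permit ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip host 10.70.0.2 host 10.70.0.1
access-list 110 deny ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
route-map nonat permit 10
 match ip address 110"""
```

On the excerpt it flags the `host 10.70.0.2 host 10.70.0.1` crypto entry, which no deny line in ACL 110 covers; the same mismatch is present in the full config above.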
