6 Replies Latest reply on Aug 26, 2016 6:46 AM by wav22

    VPN Problem

    wav22 New Member

      3 Sites:

      Site A: 10.10.10.0/24 VLAN 10 (Data) & 10.10.20.0/24 VLAN 20(Voice) - NetVanta 3448 Firewall & NetVanta 7100

      Site B: 10.10.11.0/24 VLAN 11 (Data) & 10.10.21.0/24 VLAN 21(Voice) - NetVanta 7100 (Acting as both Firewall & Phone System).

      Site C: 10.10.13.0/24 - Non Adtran equipment.

       

      Sites A & B have a working VPN with dial peers to each other for internal voice calling. Site C was introduced to topology later and added to VPN of Site A so that 3 Adtran IP phones could function remotely. This was completed successfully with the Site C phones properly registering to the Site A phone system and able to place/receive calls.

       

      My problem is that while the phones at Site C can communicate perfectly with those at Site A, they couldn't dial to Site B and vice versa. I figured I must have missed creating some rules in the VPN peers for proper routing of the various subnets. However, when I attempted to build these rules on each device I broke something at Site B, creating some sort of conflict on that network. I reverted back to the working configuration but I am still left without proper routing between Sites B & C.

       

      Can someone please provide the proper rules for this? CLI or GUI, it doesn't matter. I would really appreciate the help as I just can't figure it out.

       

      Thank you

        • Re: VPN Problem
          michael56 New Member

          You probably need to add the Site C: 10.10.13.0/24 block to your permitted ACLs in both site B and site B's block to site C for communication between VLANs
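Added example (not part of the thread, and not Adtran code): a small Python check of the point in this reply, that the selector list on each tunnel has to match the Site B / Site C subnet pair before that traffic is carried. The selector text is a constructed subset of the configuration posted later in the thread, and the assumption is that Site B and Site C reach each other through Site A (path B-A-C); the names `ACLS`, `NEEDED`, `covered` and `gaps` are made up for this example.

```python
import ipaddress

# Constructed subset of the selectors in this thread (placeholder WAN host lines omitted).
ACLS = {
    "Site A VPN-30 (to B)": """
        permit ip 10.10.10.0 0.0.0.255  10.10.11.0 0.0.0.255
        permit ip 10.10.20.0 0.0.0.255  10.10.21.0 0.0.0.255
    """,
    "Site A VPN-50 (to C)": """
        permit ip 10.10.10.0 0.0.0.255  10.10.13.0 0.0.0.255
        permit ip 10.10.20.0 0.0.0.255  10.10.13.0 0.0.0.255
    """,
    "Site B VPN-20 (to A)": """
        permit ip 10.10.11.0 0.0.0.255  10.10.10.0 0.0.0.255
        permit ip 10.10.21.0 0.0.0.255  10.10.20.0 0.0.0.255
    """,
}

def _net(tok):
    """Consume 'host A.B.C.D' or 'A.B.C.D wildcard' from the front of a token list."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # wildcard = hostmask form

def parse_selectors(text):
    """Turn 'permit ip <src> <dst>' lines into (src_network, dst_network) pairs."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["permit", "ip"]:
            src, rest = _net(tok[2:])
            dst, _ = _net(rest)
            rules.append((src, dst))
    return rules

def covered(rules, src, dst):
    """True if some selector contains both the source and the destination subnet."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(s.subnet_of(rs) and d.subnet_of(rd) for rs, rd in rules)

def gaps(acls, needed):
    """Return (acl name, src, dst) for every required pair that no selector matches."""
    return [(n, s, d) for n, s, d in needed if not covered(parse_selectors(acls[n]), s, d)]

# Local -> remote pairs each tunnel needs for Site B voice <-> Site C (assumed path B-A-C).
NEEDED = [
    ("Site B VPN-20 (to A)", "10.10.21.0/24", "10.10.13.0/24"),
    ("Site A VPN-30 (to B)", "10.10.13.0/24", "10.10.21.0/24"),
    ("Site A VPN-50 (to C)", "10.10.21.0/24", "10.10.13.0/24"),
    ("Site A VPN-50 (to C)", "10.10.20.0/24", "10.10.13.0/24"),  # already present
]

if __name__ == "__main__":
    for name, s, d in gaps(ACLS, NEEDED):
        print(f"{name}: no selector matches {s} -> {d}")
```

The Site C device is non-Adtran, so its side of the tunnel is not modelled here and has to be checked for the mirrored pairs separately.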

            • Re: VPN Problem
              wav22 New Member

              Thanks, Michael56. But I was hoping for more of a walk-through. I attempted this already and screwed it up. There may also be unnecessary rules here confusing me, which would be helpful to know also. Here is my configuration for Site A & B:

               

              Site A Configuration:

              ip access-list extended VPN-30-vpn-selectors(Peer to Site B)

                permit ip 10.10.10.0 0.0.0.255  10.10.11.0 0.0.0.255  

                permit ip 10.10.20.0 0.0.0.255  10.10.11.0 0.0.0.255  

                permit ip 10.10.10.0 0.0.0.255  10.10.21.0 0.0.0.255  

                permit ip 10.10.20.0 0.0.0.255  10.10.21.0 0.0.0.255     

                permit ip host wan.wan.wan.wan  10.10.21.0 0.0.0.255     

                permit ip host wan.wan.wan.wan  10.10.11.0 0.0.0.255  

                permit ip 10.10.10.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip 10.10.20.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip host wan.wan.wan.wan  host wan.wan.wan.wan  

                permit ip 10.10.11.0 0.0.0.255  10.10.10.0 0.0.0.255

                permit ip 10.10.21.0 0.0.0.255  10.10.10.0 0.0.0.255

                permit ip 10.10.11.0 0.0.0.255  10.10.20.0 0.0.0.255

                permit ip 10.10.21.0 0.0.0.255  10.10.20.0 0.0.0.255

              !

              ip access-list extended VPN-50-vpn-selectors(Peer to Site C)

                permit ip 10.10.20.0 0.0.0.255  172.18.12.0 0.0.0.255  

                permit ip 10.10.10.0 0.0.0.255  172.18.12.0 0.0.0.255

                permit ip 10.10.10.0 0.0.0.255  10.10.13.0 0.0.0.255  

                permit ip 10.10.20.0 0.0.0.255  10.10.13.0 0.0.0.255    

                permit ip host wan.wan.wan.wan  172.18.12.0 0.0.0.255  

                permit ip host wan.wan.wan.wan  10.10.13.0 0.0.0.255  

                permit ip 10.10.20.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip 10.10.10.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip host wan.wan.wan.wan  host wan.wan.wan.wan     

                permit ip 172.18.12.0 0.0.0.255  10.10.20.0 0.0.0.255  

                permit ip 172.18.12.0 0.0.0.255  10.10.10.0 0.0.0.255  

                permit ip 10.10.13.0 0.0.0.255  10.10.10.0 0.0.0.255

                permit ip 10.10.13.0 0.0.0.255  10.10.20.0 0.0.0.255

               

               

               

               

              Site B Configuration:

              ip access-list extended VPN-20-vpn-selectors(Peer to Site A)

                permit ip 10.10.11.0 0.0.0.255  10.10.10.0 0.0.0.255  

                permit ip 10.10.21.0 0.0.0.255  10.10.10.0 0.0.0.255     

                permit ip 10.10.21.0 0.0.0.255  10.10.20.0 0.0.0.255  

                permit ip 10.10.11.0 0.0.0.255  10.10.20.0 0.0.0.255    

                permit ip 10.10.21.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip 10.10.11.0 0.0.0.255  host wan.wan.wan.wan  

                permit ip host wan.wan.wan.wan  10.10.10.0 0.0.0.255  

                permit ip host wan.wan.wan.wan  host wan.wan.wan.wan 

                permit ip host wan.wan.wan.wan  10.10.20.0 0.0.0.255