3 Sites:
Site A: 10.10.10.0/24 VLAN 10 (Data) & 10.10.20.0/24 VLAN 20(Voice) - NetVanta 3448 Firewall & NetVanta 7100
Site B: 10.10.11.0/24 VLAN 11 (Data) & 10.10.21.0/24 VLAN 21(Voice) - NetVanta 7100 (Acting as both Firewall & Phone System).
Site C: 10.10.13.0/24 - Non Adtran equipment.
Sites A & B have a working VPN with dial peers to each other for internal voice calling. Site C was introduced to the topology later and added to the VPN of Site A so that 3 Adtran IP phones could function remotely. This was completed successfully, with the Site C phones properly registering to the Site A phone system and able to place/receive calls.
My problem is that while the phones at Site C can communicate perfectly with those at Site A, they couldn't dial to Site B and vice versa. I figured I must have missed creating some rules in the VPN peers for proper routing of the various subnets. However, when I attempted to build these rules on each device I broke something at Site B, creating some sort of conflict on that network. I reverted back to the working configuration, but I am still left without proper routing between Sites B & C.
Can someone please provide the proper rules for this? CLI or GUI, it doesn't matter. I would really appreciate the help as I just can't figure it out.
Thank you
You probably need to add the Site C 10.10.13.0/24 block to your permitted ACLs in both site B and site B's block to site C for communication between VLANs.
Thanks, Michael56. But I was hoping for more of a walk through. I attempted this already and screwed it up. There may also be unnecessary rules here confusing me, which would be helpful to know also. Here is my configuration for Sites A & B:
Site A Configuration:
ip access-list extended VPN-30-vpn-selectors(Peer to Site B)
permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.10.21.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 10.10.21.0 0.0.0.255
permit ip host wan.wan.wan.wan 10.10.21.0 0.0.0.255
permit ip host wan.wan.wan.wan 10.10.11.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 host wan.wan.wan.wan
permit ip 10.10.20.0 0.0.0.255 host wan.wan.wan.wan
permit ip host wan.wan.wan.wan host wan.wan.wan.wan
permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.21.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended VPN-50-vpn-selectors(Peer to Site C)
permit ip 10.10.20.0 0.0.0.255 172.18.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 172.18.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.10.13.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 10.10.13.0 0.0.0.255
permit ip host wan.wan.wan.wan 172.18.12.0 0.0.0.255
permit ip host wan.wan.wan.wan 10.10.13.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 host wan.wan.wan.wan
permit ip 10.10.10.0 0.0.0.255 host wan.wan.wan.wan
permit ip host wan.wan.wan.wan host wan.wan.wan.wan
permit ip 172.18.12.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 172.18.12.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.13.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.13.0 0.0.0.255 10.10.20.0 0.0.0.255
Site B Configuration:
ip access-list extended VPN-20-vpn-selectors(Peer to Site A)
permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.21.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.21.0 0.0.0.255 host wan.wan.wan.wan
permit ip 10.10.11.0 0.0.0.255 host wan.wan.wan.wan
permit ip host wan.wan.wan.wan 10.10.10.0 0.0.0.255
permit ip host wan.wan.wan.wan host wan.wan.wan.wan
permit ip host wan.wan.wan.wan 10.10.20.0 0.0.0.255
I still don't see your 10.10.13.0/24 in your site "B" ACL, only in your site "A", so you're not going to be able to talk from B-C or C-B until you add those lines in the site B and C devices.
Michael56 I only provided the existing configuration without any changes. I'm not sure where the rules need to go and in which order? Is this what I need to add:
Site B Configuration:
ip access-list extended VPN-20-vpn-selectors(Peer to Site A)
permit ip 10.10.13.0 0.0.0.255 10.10.11.0 0.0.0.255
Do I need to add anything to the config of Peer to Site C?
You'll want to add both of the following lines to the same ACL(s) on the A, B and C sites if you want them all to talk to each other:
permit ip 10.10.13.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 10.10.13.0 0.0.0.255
Thank you,
Michael Hahn
Managed Office Operations CPE-Provisioning
6000 Parkwood
Dublin, Oh. 43016
Direct: 614-943-7644
michael.hahn@centurylink.com
Hey Michael, I don’t think you meant to put your signature in the previous post. Just FYI.
I will test the config and get back to you. Thanks again.