02-22-2007 11:43 AM - edited 02-21-2020 02:53 PM
My issue is that when the VPN is configured and I try running a tracert to one of my remote PCs on the other side of the VPN, the VPN router is sending the information to the internet and not attempting to open the tunnel. What am I doing wrong?
I'm using a Cisco 1700 router and connecting to a Cisco 3030 VPN concentrator.
Current configuration : 1522 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
crypto isakmp policy 9
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key (Shared Key) address (IP ADDRESS of peer)
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer (IP ADDRESS of peer)
set transform-set TS1
match address 101
!
!
!
interface Ethernet0
ip address (IP ADDRESS)
ip nat outside
half-duplex
crypto map crypmap
!
interface FastEthernet0
ip address (IP ADDRESS)
ip nat inside
speed auto
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 (Default router)
no ip http server
no ip http secure-server
!
!
access-list 1 permit any
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 1)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 2)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 3)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 4)
!
!
line con 0
line aux 0
line vty 0 4
password 7 PASSWORD
login
!
end
02-22-2007 10:24 PM
Hi Jim,
You need to modify the access-list statement and also the NAT overload statement.
You need to deny the traffic between the two VPN networks from getting NATted.
You can verify this against the link below, which configures the same thing.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
Regards
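To make the point of the reply concrete, here is a small added check (not code from the thread or from Cisco) that reads an IOS config fragment, finds the crypto map's interesting-traffic ACL and the ACL behind "ip nat inside source", and reports any VPN flow the NAT ACL would still translate before encryption. The two fragments are constructed, modelled on the second config in this thread; 203.0.113.1 and 10.1.1.5 are placeholders for the masked peer and remote host, and only "any"/"host" ACL forms are handled.

```python
import re

ACL_RE = re.compile(r"^\s*access-list (\d+) (permit|deny) (?:ip (any|host \S+) )?(any|host \S+)\s*$", re.M)

def parse_acls(config):
    """Numbered ACL entries in order: {number: [(action, src, dst), ...]}; standard ACLs match on source only."""
    acls = {}
    for num, action, src, last in ACL_RE.findall(config):
        acls.setdefault(num, []).append((action, src, last) if src else (action, last, "any"))
    return acls

def nat_acl_number(config):
    """ACL that selects traffic for 'ip nat inside source', named directly or through a route-map."""
    m = re.search(r"^\s*ip nat inside source list (\d+)", config, re.M)
    if m:
        return m.group(1)
    rm = re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M)
    m = rm and re.search(r"^\s*route-map %s permit \d+\n\s*match ip address (\d+)" % re.escape(rm.group(1)), config, re.M)
    return m.group(1) if m else None

def acl_verdict(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if s in ("any", src) and d in ("any", dst):
            return action
    return "deny"

def natted_vpn_flows(config):
    """Crypto-interesting flows the NAT ACL still permits, i.e. flows translated before the crypto map sees them."""
    acls = parse_acls(config)
    crypto_acl = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    nat_entries = acls.get(nat_acl_number(config), [])
    return [(src, dst) for action, src, dst in acls.get(crypto_acl, [])
            if action == "permit" and acl_verdict(nat_entries, src, dst) == "permit"]

# Constructed fragment modelled on the thread's second config: the route-map ACL permits the VPN flow, so it is NATted.
BROKEN = """crypto map map 1 ipsec-isakmp
 set peer 203.0.113.1
 match address 101
ip nat inside source route-map nat interface Ethernet0 overload
access-list 101 permit ip host 192.168.230.21 host 10.1.1.5
access-list 111 permit ip any host 10.1.1.5
route-map nat permit 10
 match ip address 111
"""
# Same router, but the NAT ACL now denies the VPN flow ahead of its catch-all permit, so it reaches the crypto map untranslated.
FIXED = BROKEN.replace("access-list 111 permit ip any host 10.1.1.5",
                       "access-list 111 deny ip host 192.168.230.21 host 10.1.1.5\n"
                       "access-list 111 permit ip any any")
```

Running natted_vpn_flows on BROKEN lists the 192.168.230.21 to 10.1.1.5 flow; on FIXED it returns an empty list.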
02-23-2007 06:20 AM
I've added the route map and configured it like the sample in the link provided (at least to the best of my knowledge), and the router is still routing the information to the internet and not attempting to open the tunnel (pardon me if it is an obvious answer; I'm quite a novice at routers).
Current configuration : 1563 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret ****
enable password ***
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
!
crypto isakmp policy 9
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key (KEY) address (PEER IP)
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto map map 1 ipsec-isakmp
set peer 209.*.*.230
set transform-set TS1
match address 101
!
!
!
interface Ethernet0
ip address (IP) 255.255.255.240
ip nat outside
half-duplex
crypto map map
!
interface FastEthernet0
ip address 192.168.230.52 255.255.255.0
ip nat inside
speed auto
!
ip nat inside source route-map nat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 (GATEWAY)
no ip http server
no ip http secure-server
!
!
a
access-list 101 permit ip host 192.168.230.21 host (remote ip 1)
access-list 101 permit ip host 192.168.230.21 host (remote ip 2)
access-list 101 permit ip host 192.168.230.21 host (remote ip 3)
access-list 101 permit ip host 192.168.230.21 host (remote ip 4)
access-list 111 permit ip any host (remote ip 1)
access-list 111 permit ip any host (remote ip 2)
access-list 111 permit ip any host (remote ip 3)
access-list 111 permit ip any host (remote ip 4)
!
route-map nat permit 10
match ip address 111
!
!
line con 0
line aux 0
line vty 0 4
password ***
login
!
end
02-23-2007 06:36 AM
I think it should be route-map nonat
02-23-2007 06:51 AM
I'm sorry, I did it wrong; it did solve my issue. Thank you.