Site to Site with split tunnel issue

Answered Question

I cannot get split tunnel to work on my production router


config:

int serial 0/0/0
 desc external
 ip add x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 crypto map ipsec-map

int fast 0/0
 desc internal
 ip add y.y.y.y y.y.y.y
 ip nat inside
 ip virtual-reassembly

ip nat inside source list 101 interface serial 0/0/0 overload

Nat acl

access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log

crypto map acl

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log


I can only get one or the other to work but not together.


Your thoughts are much appreciated. I have read about the order of operations with NAT, but still no dice.



Steve
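The failure Steve describes ("one or the other but not together") comes from the IOS order of operations on the inside-to-outside path: NAT runs before the crypto map, so a VPN-bound packet that the NAT ACL permits gets its source rewritten to the serial interface address and then no longer matches a crypto ACL written for 192.168.2.0/24. Traffic meant for the tunnel then leaves translated and unencrypted. The following Python model is an added example, not code from the thread or from Cisco; it parses the two ACLs from the question with a small IOS-style wildcard matcher, walks a packet through NAT and then the crypto check, and runs a corner-sample consistency check that flags crypto-interesting flows the NAT ACL still translates. The outside address (198.51.100.1) and the 203.0.113.9 Internet destination are constructed placeholders; the route-map form in the accepted answer consults the same ACL 101, so the model applies to it equally.

```python
# Added example (not from the thread): model of the IOS inside->outside order of
# operations, NAT before the crypto map, showing why the NAT ACL must deny (exempt)
# exactly the flows the crypto ACL is meant to encrypt.
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _spec(tokens, i):
    """Parse one ACL address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    addr, wc = _ip(tokens[i]), _ip(tokens[i + 1])
    # Assumption modelled here: IOS stores the entry with the wildcard bits cleared,
    # so "10.10.10.0 0.0.255.255" is kept as "10.10.0.0 0.0.255.255".
    return addr & ~wc & 0xFFFFFFFF, wc, i + 2


def parse_acl(lines):
    """Parse extended 'access-list N permit|deny ip SRC DST [log]' lines (ip only)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("only 'access-list N permit|deny ip ...' is modelled: " + line)
        src, src_wc, i = _spec(t, 4)
        dst, dst_wc, _ = _spec(t, i)
        aces.append((t[2], src, src_wc, dst, dst_wc))
    return aces


def _hit(addr, wc, value):
    return (value & ~wc) == (addr & ~wc)


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, a, awc, d, dwc in acl:
        if _hit(a, awc, src) and _hit(d, dwc, dst):
            return action == "permit"
    return False


def forward(src_text, dst_text, nat_acl, crypto_acl, outside_ip):
    """Inside->outside path: NAT runs first, the crypto map sees the translated packet."""
    src, dst = _ip(src_text), _ip(dst_text)
    natted = acl_permits(nat_acl, src, dst)
    if natted:
        src = _ip(outside_ip)
    encrypted = acl_permits(crypto_acl, src, dst)
    return {"natted": natted, "encrypted": encrypted,
            "egress_src": str(ipaddress.IPv4Address(src))}


def nat_exempt_gaps(nat_acl, crypto_acl):
    """Corner-sample check: does the NAT ACL still translate any flow the crypto ACL
    wants to encrypt? Returns the offending (src, dst) sample pairs (a heuristic:
    only the first and last address of each crypto entry are probed)."""
    gaps = []
    for action, a, awc, d, dwc in crypto_acl:
        if action != "permit":
            continue
        for s in (a, a | awc):
            for t in (d, d | dwc):
                if acl_permits(nat_acl, s, t):
                    gaps.append((str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(t))))
    return gaps


# Constructed ACLs mirroring the ones in the question (networks taken from the post).
NAT_ACL = parse_acl([
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any log",
])
CRYPTO_ACL = parse_acl([
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log",
])
# Constructed "broken" NAT ACL with the exemption missing: every flow gets translated.
NAT_ACL_NO_EXEMPT = parse_acl([
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any log",
])
OUTSIDE_IP = "198.51.100.1"  # placeholder for the serial 0/0/0 address

if __name__ == "__main__":
    for acl, label in ((NAT_ACL, "with exemption"), (NAT_ACL_NO_EXEMPT, "without exemption")):
        print(label, "VPN flow:", forward("192.168.2.10", "10.10.5.5", acl, CRYPTO_ACL, OUTSIDE_IP))
        print(label, "Internet flow:", forward("192.168.2.10", "203.0.113.9", acl, CRYPTO_ACL, OUTSIDE_IP))
        print(label, "gaps:", nat_exempt_gaps(acl, CRYPTO_ACL))
```

With the deny entry in place the VPN flow leaves untranslated and encrypted while the Internet flow is translated and sent in the clear, which is the intended split. With the exemption missing, the VPN flow is translated first, misses the crypto ACL, and leaves as plain traffic; `nat_exempt_gaps` reports the four corner samples so the mismatch is caught before deployment rather than discovered as a tunnel that "never comes up".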


Correct Answer by andrewnewell, Fri, 04/06/2007 - 18:23 (about 10 years 2 months ago)


Hi Steve,


I have had a similar problem and got around it by using a nat pool and route map...this enabled me to split tunnel. Firstly take out your line ip nat source inside list 101 interface serial 0/0/0 overload then add the following.



ip nat pool 'name of pool' 'ip ext from' 'ip ext to' (can be the same as 'ip ext from') netmask 255.255.255.252
ip nat inside source route-map nonat pool 'name of pool' overload

route-map nonat permit 10
 match ip address 101
!




hope it works for you


thanks


Andrew

Kamal Malhotra Fri, 04/06/2007 - 09:44
User Badges: Cisco Employee

Hi Steve,


what do you mean by split-tunnel? It looks like a L2L tunnel.


Please confirm.



Hi Andrew,


My boss added the route-map statement after reading and troubleshooting.



Although I was able to get this working in the lab environment with the "ip nat inside source list", in production it didn't. Not sure if it had something to do with fast ethernet interfaces or serial interfaces; I don't think so.


At any rate you would have hit the nail on the head had this not been resolved prior to Thursday.


Thanks all for responding.


Steve
