Site to Site with split tunnel issue


I cannot get split tunnel to work on my production router.

config:

interface Serial0/0/0
 description external
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 crypto map ipsec-map
!
interface FastEthernet0/0
 description internal
 ip address y.y.y.y y.y.y.y
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 101 interface Serial0/0/0 overload

NAT acl:

access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log

crypto map acl:

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log

I can only get one or the other to work but not together.

Your thoughts are much appreciated. I have read about the order of operations with NAT, but still no dice.

Steve
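The NAT order of operations the question refers to, as an added example that is not code from this thread or from Cisco: a small Python model of the IOS inside-to-outside path, which evaluates the NAT ACL first and only then evaluates the crypto map ACL against the post-NAT packet. The ACL lines are the ones posted above; the outside address 198.51.100.1, the sample hosts and the "no exemption" variant are constructed for illustration. The model also shows why the deny line written as 10.10.10.0 0.0.255.255 matches the same packets as 10.10.0.0 0.0.255.255: IOS compares addresses bitwise under the wildcard, so host bits in the configured address are ignored.

```python
"""Model of the Cisco IOS inside-to-outside order of operations: inside source
NAT is applied before the crypto map is evaluated, so VPN-bound traffic must be
exempted from NAT (a deny in the NAT ACL) or it is translated and never matches
the crypto ACL. Added example; ACLs are from the question, everything else is
constructed."""
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: int
    src_wc: int   # IOS wildcard: 1 bits are "don't care"
    dst: int
    dst_wc: int

    def matches(self, src_ip: int, dst_ip: int) -> bool:
        # Bitwise compare under the wildcard, exactly as IOS does; host bits set
        # in the configured address (10.10.10.0 0.0.255.255) are simply ignored.
        return ((src_ip ^ self.src) & ~self.src_wc & 0xFFFFFFFF) == 0 and \
               ((dst_ip ^ self.dst) & ~self.dst_wc & 0xFFFFFFFF) == 0


def _address_spec(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (addr, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into
    a dict of ACL number -> ordered list of entries."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        number, action = int(t[1]), t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        src, src_wc, i = _address_spec(t, 4)
        dst, dst_wc, _ = _address_spec(t, i)
        acls.setdefault(number, []).append(AclEntry(action, src, src_wc, dst, dst_wc))
    return acls


def acl_result(entries, src_ip: int, dst_ip: int) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(src_ip, dst_ip):
            return e.action
    return "deny"


def inside_to_outside(nat_acl, crypto_acl, src: str, dst: str, outside_ip: str) -> dict:
    """Walk one packet through the inside->outside path:
    1. NAT: a permit in the NAT ACL rewrites the source to the outside address;
    2. crypto map: the crypto ACL is evaluated on the *post-NAT* packet."""
    s, d = _ip(src), _ip(dst)
    natted = acl_result(nat_acl, s, d) == "permit"
    post_nat_src = _ip(outside_ip) if natted else s
    encrypted = acl_result(crypto_acl, post_nat_src, d) == "permit"
    # Matched the crypto ACL before NAT but not after: it leaves in clear text.
    wanted_tunnel = acl_result(crypto_acl, s, d) == "permit"
    return {
        "translated": natted,
        "post_nat_src": str(ipaddress.IPv4Address(post_nat_src)),
        "encrypted": encrypted,
        "leaks_clear": natted and not encrypted and wanted_tunnel,
    }


# ACLs exactly as posted in the question.
QUESTION_ACLS = parse_acl([
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any log",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log",
])

# Constructed variant with the NAT exemption line missing (the classic mistake).
NO_EXEMPT_ACLS = parse_acl([
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any log",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log",
])

OUTSIDE_IP = "198.51.100.1"   # constructed stand-in for the serial interface's x.x.x.x


def check(acls, src: str, dst: str) -> dict:
    return inside_to_outside(acls[101], acls[102], src, dst, OUTSIDE_IP)


if __name__ == "__main__":
    for name, acls in (("as posted", QUESTION_ACLS), ("no NAT exemption", NO_EXEMPT_ACLS)):
        print(name, "VPN-bound:     ", check(acls, "192.168.2.5", "10.10.50.7"))
        print(name, "Internet-bound:", check(acls, "192.168.2.5", "203.0.113.9"))
```

With the deny line present, a packet from 192.168.2.5 to 10.10.50.7 is left untranslated and matches the crypto ACL; without it, the packet is translated to the outside address, misses the crypto ACL and leaves the router toward the Internet in clear text. That "translated but not encrypted" outcome is the condition worth detecting on a site-to-site router, since it looks like a broken tunnel but is really a plaintext leak.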

Kamal Malhotra Fri, 04/06/2007 - 09:44

Hi Steve,

what do you mean by split-tunnel? It looks like a L2L tunnel.

Please confirm.

Correct Answer
andrewnewell Fri, 04/06/2007 - 18:23

Hi Steve,

I have had a similar problem and got around it by using a NAT pool and route map; this enabled me to split tunnel. Firstly, take out your line "ip nat inside source list 101 interface serial 0/0/0 overload", then add the following.

ip nat pool <name of pool> <ip ext from> <ip ext to (can be the same as ip ext from)> netmask 255.255.255.252
ip nat inside source route-map nonat pool <name of pool> overload
route-map nonat permit 10
 match ip address 101
!

Hope it works for you.

Thanks,

Andrew

Hi Andrew,

My boss added the route-map statement after reading and troubleshooting.

Although I was able to get this working in the lab environment with "ip nat inside source list", in production it didn't. Not sure if it had something to do with fast ethernet interfaces or serial interfaces; I don't think so.

At any rate, you would have hit the nail on the head had this not been resolved prior to Thursday.

Thanks all for responding.

Steve
