Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
5
Replies

Site to Site with split tunnel issue

Go to solution
sjanke
Level 1
Level 1

‎04-02-2007 03:38 PM - edited ‎03-09-2019 05:43 PM

I can not get spilt tunnel to work on my production router

config:

int serial 0/0/0

desc external

ip add x.x.x.x x.x.x.x.x

ip nat outside

ip virtual-reassembly

crypto map ipsec-map

int fast 0/0

desc internal

ip add y.y.y.y y.y.y.y

ip nat inside

ip virtual-reassembly

ip nat source inside list 101 interface serial 0/0/0 overload

Nat acl

access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log

access-list 101 permit ip 192.168.2.0 0.0.0.255 any log

crypto map acl

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log

I can only get one or the other to work but not together.

Your thoughts are much appreciated. I have read about the order of operations with NAT, but still not dice.

Steve

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrewnewell
Level 1
Level 1

‎04-06-2007 06:23 PM

Hi Steve,

I have had a similar problem and got around it by using a nat pool and route map...this enabled me to to split tunnel. Firstly take out your line ip nat source inside list 101 interface serial 0/0/0 overload then add the following.

ip nat pool 'name of pool' 'ip ext from' 'ip ext to(can be the same as ip ext to' netmask 255.255.255.252

ip nat inside source route-map nonat pool 'name of pool' overload

route-map nonat permit 10

match ip address 101

!

hope it works for you

thanks

Andrew

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Kamal Malhotra
Cisco Employee
Cisco Employee

‎04-06-2007 09:44 AM

Hi Steve,

what do you mean by split-tunnel? It looks like a L2L tunnel.

Please confirm.

0 Helpful

Go to solution
sjanke
Level 1
Level 1
In response to Kamal Malhotra

‎04-07-2007 10:18 AM

It looks like L2L , but my understanding is that if i want to go spefiy as certain interesting traffic to go through the tunnel and everything else be Nat'd and out the internet. This referred to as split tunnel?!

If I am mistaking please correct me.

Steve

0 Helpful

Go to solution
andrewnewell
Level 1
Level 1

‎04-06-2007 06:23 PM

Hi Steve,

I have had a similar problem and got around it by using a nat pool and route map...this enabled me to to split tunnel. Firstly take out your line ip nat source inside list 101 interface serial 0/0/0 overload then add the following.

ip nat pool 'name of pool' 'ip ext from' 'ip ext to(can be the same as ip ext to' netmask 255.255.255.252

ip nat inside source route-map nonat pool 'name of pool' overload

route-map nonat permit 10

match ip address 101

!

hope it works for you

thanks

Andrew

0 Helpful

Go to solution
sjanke
Level 1
Level 1
In response to andrewnewell

‎04-07-2007 10:13 AM

Hi Andrew,

My boss added the route-map statement after reading and troubleshototing.

Although I was able to get this working in the lab enviromnet with the "ip nat inside source list " but in producation it didn't. not sure if it had soemthing to do with fast ethernet interfaces or serial interfaces, I don't think so.

at any rate you would have hit the nail on the head had this not been resolved prior to thursday.

Thanks all for responding.

Steve

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents