09-12-2008 02:42 AM - edited 02-21-2020 03:56 PM
Hi, I have established a site-to-site VPN tunnel between a Cisco 871 and a Cisco 2800. Everything is right and working. So, what's the problem? Let's see:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 6 ipsec-isakmp
 description Numintel
 set peer 213.192.208.242
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 196.12.229.218 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 192.169.15.100 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.12.229.217
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark local
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
The thing is that when I apply the local access list, to let the 192.169.15.0 hosts access the Internet, I can't reach the other end of the tunnel (say, ping to 192.168.3.35). When I disable the local access list (access-list 1 permit 192.169.15.0 0.0.0.255), the tunnel works: I can access the other end of the tunnel from any of the hosts at 192.169.15.0, but I don't have Internet access. Can somebody explain what is happening and how to solve it? Thank you.
09-12-2008 05:09 AM
Hi,
You have to make IPsec traffic bypass NAT. IPsec traffic needs to be denied in the access list. Use an extended access-list, for example:
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.169.15.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet4 overload
HTH
Saju
Pls rate helpful posts
09-12-2008 05:33 AM
I'm not understanding you much. You mean I have to change access-list 100 for this new one and apply it to the crypto map? Or add it as new?
09-12-2008 05:34 AM
No, it is to replace access-list 1.
You will have to change the following statement also:
ip nat inside source list 120 interface FastEthernet4 overload
HTH
Saju
Pls rate helpful posts
09-14-2008 11:41 PM
Thank you, now I understand what happens when you do this kind of VPN.
09-12-2008 06:38 AM
Why do you PAT all outbound encrypted & unencrypted traffic?
Try using a route-map in your NAT overload statement and exclude the 192.168.3.0 and 192.168.4.0 networks.
Create an access-list 110 which denies those two networks and permits everything else:
! NONAT is a placeholder name for the route-map; use any name you like
route-map NONAT permit 10
 match ip address 110
ip nat inside source route-map NONAT interface FastEthernet4 overload
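To see why the order of the NAT and crypto checks is what breaks the tunnel, here is an added example (not code from the original posts or from Cisco) that models in Python what IOS does to a packet leaving Vlan1 for FastEthernet4: the `ip nat inside source` rule is applied before the crypto map is consulted, so the crypto ACL is matched against the already translated source address. It runs the original `access-list 1`, the `access-list 120` from the accepted answer, and the route-map alternative from the last reply against the same two packets. Addresses and ACL numbers are the thread's; the inside host 192.169.15.10, the Internet destination 198.51.100.7 (TEST-NET-2) and the route-map name NONAT are assumptions.

```python
"""IOS inside-to-outside order of operations for the thread's configuration.

Added example, not code from the original posts or from Cisco. It models two
pieces of IOS behaviour: ACLs are evaluated first-match with an implicit deny,
and on the inside->outside path the NAT inside-source rule runs before the
crypto map, so the crypto ACL sees the translated source. The inside host,
the Internet destination and the route-map name NONAT are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dst is ANY for a standard (source-only) ACL."""
    permit: bool
    src: Net
    dst: Net = ANY


def wildcard(addr: str, wc: str) -> Net:
    """Convert IOS 'address wildcard' notation (0.0.0.255 == /24) to a network."""
    netmask = 0xFFFFFFFF ^ int(IPv4(wc))        # the wildcard is the inverted mask
    return Net((addr, bin(netmask).count("1")), strict=False)


def acl_permits(acl: list[Ace], src: IPv4, dst: IPv4) -> bool:
    """First matching entry decides; no match falls to the implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.permit
    return False


# access-list 1 permit 192.169.15.0 0.0.0.255   (the original NAT list)
ACL_1 = [Ace(True, wildcard("192.169.15.0", "0.0.0.255"))]

# access-list 100: the crypto ACL referenced by 'match address 100'
ACL_100 = [
    Ace(True, wildcard("192.169.15.0", "0.0.0.255"), wildcard("192.168.3.0", "0.0.0.255")),
    Ace(True, wildcard("192.169.15.0", "0.0.0.255"), wildcard("192.168.4.0", "0.0.0.255")),
]

# access-list 120: VPN traffic denied (exempted from translation), rest permitted
ACL_120 = [
    Ace(False, wildcard("192.169.15.0", "0.0.0.255"), wildcard("192.168.3.0", "0.0.0.255")),
    Ace(False, wildcard("192.169.15.0", "0.0.0.255"), wildcard("192.168.4.0", "0.0.0.255")),
    Ace(True, wildcard("192.169.15.0", "0.0.0.255")),
]
ACL_110 = ACL_120   # the last reply's list 110 carries the same three entries

NatPolicy = Callable[[IPv4, IPv4], bool]   # True means "translate this packet"


def nat_list(acl: list[Ace]) -> NatPolicy:
    """ip nat inside source list <acl> ...: translate when the ACL permits."""
    return lambda s, d: acl_permits(acl, s, d)


def nat_route_map(sequences: list[tuple[bool, list[Ace]]]) -> NatPolicy:
    """ip nat inside source route-map <name> ...: each sequence is (permit/deny,
    ACL from its 'match ip address'); the first sequence whose ACL permits the
    packet decides, and a packet matching no sequence is left untranslated."""
    def policy(s: IPv4, d: IPv4) -> bool:
        for permit, acl in sequences:
            if acl_permits(acl, s, d):
                return permit
        return False
    return policy


def forward_inside_to_outside(src: str, dst: str, nat: Optional[NatPolicy],
                              crypto_acl: list[Ace],
                              outside_ip: str = "196.12.229.218") -> tuple[str, str]:
    """Return (source address on the wire, 'ipsec' or 'clear') for a packet
    from Vlan1 leaving FastEthernet4. NAT runs first; the crypto map then
    matches whatever NAT left behind."""
    s, d = IPv4(src), IPv4(dst)
    if nat is not None and nat(s, d):
        s = IPv4(outside_ip)                    # PAT behind the FastEthernet4 address
    protected = acl_permits(crypto_acl, s, d)   # evaluated after translation
    return str(s), "ipsec" if protected else "clear"


def scenario(nat: Optional[NatPolicy]) -> dict[str, tuple[str, str]]:
    """Constructed inside host 192.169.15.10 reaching a tunnel host from the
    thread and a constructed Internet address (198.51.100.7, TEST-NET-2)."""
    return {
        "tunnel": forward_inside_to_outside("192.169.15.10", "192.168.3.35", nat, ACL_100),
        "internet": forward_inside_to_outside("192.169.15.10", "198.51.100.7", nat, ACL_100),
    }


if __name__ == "__main__":
    for label, policy in [
        ("no NAT rule (poster's second test)", None),
        ("list 1 (poster's first test)", nat_list(ACL_1)),
        ("list 120 (accepted answer)", nat_list(ACL_120)),
        ("route-map NONAT -> list 110", nat_route_map([(True, ACL_110)])),
    ]:
        print(f"{label}: {scenario(policy)}")
```

With list 1 the packet to 192.168.3.35 is translated to 196.12.229.218 first, no longer matches access-list 100, and leaves FastEthernet4 in the clear, which is exactly the "Internet works, tunnel dead" symptom; with no NAT rule the reverse happens. List 120 and the route-map give the same result because a deny entry in a NAT ACL means "do not translate", not "drop". On the router the equivalent check is that, after the change, `show ip nat translations` shows no entries toward 192.168.3.0/24 or 192.168.4.0/24 while the `#pkts encaps` counter in `show crypto ipsec sa` keeps increasing.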