09-12-2008 02:42 AM - edited 02-21-2020 03:56 PM
Hi, I have established a site-to-site VPN tunnel from a Cisco 871 to a Cisco 2800. Everything is right and working. So, what's the problem? Let's see:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Numintel
set peer 213.192.208.242
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 196.12.229.218 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 192.169.15.100 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.12.229.217
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark local
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
The thing is that when I apply the local access list, to let the 192.169.15.0 hosts access the Internet, I can't reach the other end of the tunnel (say, ping to 192.168.3.35). When I disable the local access list (access-list 1 permit ip 192.169.15.0 0.0.0.255), the tunnel works: I can access the other end of the tunnel from any of the hosts at 192.169.15.0, but I don't have Internet access. Can somebody explain what is happening and how to solve it? Thank you.
09-12-2008 05:09 AM
Hi,
You have to make IPsec traffic bypass NAT. IPsec traffic needs to be denied in the access list. Use an extended access-list, for example:
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.169.15.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet4 overload
HTH
Saju
Pls rate helpful posts
09-12-2008 05:33 AM
I don't quite understand you. Do you mean I have to replace access-list 100 with this new one and apply it to the crypto map? Or add it as a new one?
09-12-2008 05:34 AM
No, it is to replace access-list 1.
You will also have to change the following statement:
ip nat inside source list 120 interface FastEthernet4 overload
HTH
Saju
Pls rate helpful posts
09-14-2008 11:41 PM
Thank you, now I understand what happens when you do this kind of VPN.
09-12-2008 06:38 AM
Why do you PAT all outbound encrypted & unencrypted traffic?
Try using a route-map in your nat overload statement and exclude the 192.168.3.0 and 192.168.4.0 networks.
Create an access-list 110 which denies those two networks and permits everything else:
route-map NONAT permit 10
 match ip address 110
! NONAT is a placeholder route-map name; use any name you like
ip nat inside source route-map NONAT interface FastEthernet4 overload
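The simulation below is an added example, not anything posted in the thread. It models the order in which IOS handles a packet going from the inside interface (Vlan1) to the outside interface (FastEthernet4): the NAT source list is evaluated first and, on a match, the source is rewritten to the FastEthernet4 address; only then is the packet compared with the crypto map's match ACL 100. Using the addresses and ACL numbers from the posted configuration, it shows why access-list 1 breaks the tunnel (the translated source 196.12.229.218 no longer matches ACL 100), why removing the NAT list kills Internet access, and why Saju's access-list 120 satisfies both. The route-map answer's access-list 110 has the same deny/deny/permit shape, so the ACL 120 case covers it as well. The LAN host address and the Internet destination are constructed values, and the processing-order model is an assumption about the router, not something the thread states.

```python
import ipaddress

OUTSIDE_IP = "196.12.229.218"  # FastEthernet4 address from the posted config
ANY = ("0.0.0.0", "255.255.255.255")  # Cisco 'any': every bit is don't-care

# Networks from the thread, as (network, wildcard) pairs
LAN = ("192.169.15.0", "0.0.0.255")
SITE_A = ("192.168.3.0", "0.0.0.255")
SITE_B = ("192.168.4.0", "0.0.0.255")

# ACL entries are (action, source, destination). A standard ACL such as
# access-list 1 only looks at the source, so its destination is 'any'.
ACL_1 = [("permit", LAN, ANY)]
ACL_100 = [("permit", LAN, SITE_A), ("permit", LAN, SITE_B)]  # crypto match
ACL_120 = [("deny", LAN, SITE_A), ("deny", LAN, SITE_B), ("permit", LAN, ANY)]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def acl_lookup(acl, src, dst):
    """Evaluate an ACL top-down; the first matching entry decides."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def outbound(nat_acl, src, dst):
    """Assumed inside-to-outside order: NAT first, then the crypto map check.
    Returns (source address on the wire, whether the packet is encrypted)."""
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    wire_src = OUTSIDE_IP if translated else src
    encrypted = acl_lookup(ACL_100, wire_src, dst) == "permit"
    return wire_src, encrypted


def works(nat_acl, src, dst, remote_is_vpn):
    """Tunnel traffic must be encrypted; Internet traffic must leave
    unencrypted with the public source address (PAT)."""
    wire_src, encrypted = outbound(nat_acl, src, dst)
    if remote_is_vpn:
        return encrypted
    return not encrypted and wire_src == OUTSIDE_IP


def summarize(nat_acl):
    """Outcome for one LAN host (constructed) reaching the far LAN and the
    Internet (203.0.113.80 is a documentation-range stand-in)."""
    host = "192.169.15.10"
    return {
        "tunnel": works(nat_acl, host, "192.168.3.35", True),
        "internet": works(nat_acl, host, "203.0.113.80", False),
    }


if __name__ == "__main__":
    cases = (("access-list 1", ACL_1), ("no NAT list", []), ("access-list 120", ACL_120))
    for name, acl in cases:
        print(f"{name:16} {summarize(acl)}")
```

Running it reproduces the three states described in the thread: with access-list 1 the tunnel fails and the Internet works, with no NAT list the reverse, and with access-list 120 (or the route-map bound to access-list 110) both work, because the deny entries keep VPN-bound traffic untranslated so it still matches crypto ACL 100.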