Unable to reach IP tunnel destination traffic from IOS

Unanswered Question
Feb 17th, 2009

Hi,


It's my 1st post so here goes.


I am trying to set up a Cisco 877 router as a DNS Server. The same router has a Site to Site Tunnel set up and working between it and our main office located behind a Cisco PIX 515E.


877 (192.168.104.x) -> PIX (192.168.1.x)


I have enabled


IP DNS Server

IP name-server 192.168.1.242 192.168.1.245



Basically, assigning my private DNS servers this way does not work. I can ping the private DNS Servers from any PC at either end of the tunnel (192.168.104.x & 192.168.1.x). However, I cannot ping the Private DNS Server IP addresses or anything at 192.168.1.x from IOS at the remote side.


Cut a long story short, there is a perfectly good reason I am trying to use my private DNS Servers as Name servers, but I cannot figure out why I cannot ping the devices or anything else at the end of the tunnel from the router itself.


Is it because the traffic is originating from the Dialer interface, and not VLAN1?


I have attached a sample copy of my config, hopefully somebody can advise where I'm going wrong!


Many Thanks,


Kevin



Richard Burts Tue, 02/17/2009 - 14:28

Kevin


Yes it would be because the ping traffic has a source address of the router interface. The access list 102 which identifies traffic to go through the VPN tunnel specifies only traffic from the LAN addresses. One solution might be to use extended ping in which you can specify the ping source address as the LAN interface. The other solution would be to add permits into access list 102 for ping sourced from the router interface to the servers addresses.


HTH


Rick

kgreenway Tue, 02/17/2009 - 14:49

Hi Rick,


Thanks for the quick answer.


I added the following


access-list 102 permit ip any 192.168.1.0 0.0.0.255


Which unfortunately pulled the whole tunnel, so I guess I misunderstood your instructions!


Where did I go wrong?


Thanks,


Kevin



Richard Burts Tue, 02/17/2009 - 15:05

Kevin


Using the keyword any in an access list to identify VPN traffic is dangerous (as you discovered the hard way). My suggestion would be to remove the line you added that permitted any source and replace it with a line that permits the source being the outside interface of the router and the destination being the remote subnet.


HTH


Rick

kgreenway Tue, 02/17/2009 - 15:17

Rick,


Do you have an example of the command/type of access list I could use? I thought that with an extended access list it is only possible to specify the source as any/host/x.x.x.x, and not by interface?


Sorry I'm still finding my way with IOS.

Richard Burts Tue, 02/17/2009 - 20:16

Kevin


It is somewhat more complicated since the dialer interface learns its address dynamically. If it were a fixed address it would be simply:

access-list 102 permit ip host 192.168.1.0 0.0.0.255


but since it learns its address dynamically it might look something like this:

access-list 102 permit ip 192.168.1.0 0.0.0.255


This should work, but given the additional complexity of doing it this way, I wonder how important it is to ping from the router rather than from an inside host, or whether an extended ping specifying the source address as the address of vlan 1 would be good enough.


HTH


Rick
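The following is an added illustration, not part of the thread, modelling how crypto access-list 102 classifies traffic: the LAN-sourced ping matches and is encrypted, a ping sourced from the Dialer address misses the ACL (so it is sent in the clear and never answered), an extended ping sourced from VLAN 1 matches, and Rick's host entry for the outside address matches without using any. It also checks the mirror-image rule that makes an any source problematic: every entry on one peer needs a reversed counterpart on the other. The Dialer address 203.0.113.10 and the VLAN 1 address 192.168.104.1 are constructed; the subnets and DNS server address are the thread's.

```python
import ipaddress

def ios_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted netmasks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src: str, dst: str) -> bool:
    """acl: list of (src, src_wild, dst, dst_wild) permit entries.
    First match wins; an unmatched packet hits the implicit deny, i.e. it
    is NOT selected for the IPsec tunnel and leaves the Dialer unencrypted."""
    for sb, sw, db, dw in acl:
        if ios_wildcard_match(src, sb, sw) and ios_wildcard_match(dst, db, dw):
            return True
    return False

def is_mirror(local_acl, remote_acl) -> bool:
    """Proxy identities must be mirror images: each local (src,dst) entry
    needs a remote (dst,src) entry, otherwise phase 2 negotiation fails."""
    flipped = {(db, dw, sb, sw) for sb, sw, db, dw in local_acl}
    return flipped == set(remote_acl)

# access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
ACL_102 = [("192.168.104.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
# the PIX's crypto ACL, the mirror of ACL_102
PIX_ACL = [("192.168.1.0", "0.0.0.255", "192.168.104.0", "0.0.0.255")]

DIALER_IP = "203.0.113.10"    # constructed: the 877's PPPoE address
VLAN1_IP = "192.168.104.1"    # constructed: the 877's inside address
DNS_SERVER = "192.168.1.242"  # from the thread

# Kevin's addition: permit ip any 192.168.1.0 0.0.0.255 (not mirrorable by PIX_ACL)
ACL_102_ANY = ACL_102 + [("0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255")]
# Rick's suggestion: a host entry for the outside address, mirrored on the PIX
ACL_102_HOST = ACL_102 + [(DIALER_IP, "0.0.0.0", "192.168.1.0", "0.0.0.255")]
PIX_ACL_HOST = PIX_ACL + [("192.168.1.0", "0.0.0.255", DIALER_IP, "0.0.0.0")]

def router_ping_is_encrypted(acl, source_ip: str) -> bool:
    """Would a router-originated ping to the DNS server be sent through the tunnel?"""
    return acl_permits(acl, source_ip, DNS_SERVER)

if __name__ == "__main__":
    print("plain ping from Dialer :", router_ping_is_encrypted(ACL_102, DIALER_IP))
    print("extended ping from VLAN1:", router_ping_is_encrypted(ACL_102, VLAN1_IP))
    print("host entry, from Dialer :", router_ping_is_encrypted(ACL_102_HOST, DIALER_IP))
    print("ACLs mirror with 'any'  :", is_mirror(ACL_102_ANY, PIX_ACL))
```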
