Unable to reach IP tunnel destination traffic from IOS

kgreenway
Level 1

Hi,

It's my 1st post so here goes.

I am trying to setup a Cisco 877 router as a DNS Server. The same router has a Site to Site Tunnel setup and working between it and our main office located behind a Cisco PIX 515E.

877 (192.168.104.x) -> PIX (192.168.1.x)

I have enabled

IP DNS Server

IP name-server 192.168.1.242 192.168.1.245

Basically, assigning my private DNS servers this way does not work. I can ping the private DNS Servers from any PC at either end of the tunnel (192.168.104.x & 192.168.1.x). However, I cannot ping the Private DNS Server IP addresses or anything at 192.168.1.x from IOS at the remote side.

Cut a long story short, there is a perfectly good reason I am trying to use my private DNS Servers as Name servers, but I cannot figure out why I cannot ping the devices or anything else at the end of the tunnel from the router itself.

Is it because the traffic is originating from the Dialer interface, and not VLAN1?

I have attached a sample copy of my config, hopefully somebody can advise where I'm going wrong!

Many Thanks,

Kevin

5 Replies

Richard Burts
Hall of Fame

Kevin

Yes, it would be because the ping traffic has a source address of the router interface. The access list 102 which identifies traffic to go through the VPN tunnel specifies only traffic from the LAN addresses. One solution might be to use extended ping, in which you can specify the ping source address as the LAN interface. The other solution would be to add permits into access list 102 for ping sourced from the router interface to the servers' addresses.

HTH

Rick


Hi Rick,

Thanks for the quick answer.

I added the following

access-list 102 permit ip any 192.168.1.0 0.0.0.255

Which unfortunately pulled the whole tunnel, so I guess I misunderstood your instructions!

Where did I go wrong?

Thanks,

Kevin

Kevin

Using the keyword any in an access list to identify VPN traffic is dangerous (as you discovered the hard way). My suggestion would be to remove the line you added that permitted any source and replace it with a line that permits the source being the outside interface of the router and the destination being the remote subnet.

HTH

Rick


Rick,

Do you have an example of the command/type of access list I could use? I thought using an extended access list it is only possible to specify source as any/host/x.x.x.x, and not by interface?

Sorry I'm still finding my way with IOS.

Kevin

It is somewhat more complicated since the dialer interface learns its address dynamically. If it were a fixed address it would be simply:

access-list 102 permit ip host 192.168.1.0 0.0.0.255

but since it learns its address dynamically it might look something like this:

access-list 102 permit ip 192.168.1.0 0.0.0.255

This should work, but given the additional complexity of doing it this way, I wonder how important it is to ping from the router rather than from an inside host, or whether an extended ping specifying the source address as the address of vlan 1 would be good enough.

HTH

Rick

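The matching rule Rick describes, as an added Python model that is not from the thread or from Cisco: crypto ACL 102 only permits LAN-sourced traffic, so a ping leaving from the router's Dialer address is never classified as interesting, while the same ping sourced from Vlan1 (or a LAN host) is. The Vlan1 and Dialer addresses are constructed placeholders; the 192.168.104.0/24, 192.168.1.0/24 and 192.168.1.242 values come from the posts.

```python
import ipaddress

# Crypto ACL 102 as described in the thread: only LAN-to-LAN traffic is
# "interesting" for the tunnel. The exact line is reconstructed from the
# /24 prefixes Kevin gives, not copied from his attached config.
ACL_102 = [
    "access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
LAN_VLAN1_IP = "192.168.104.1"   # assumed Vlan1 address on the 877 (placeholder)
DIALER_IP = "203.0.113.10"       # assumed address learned on the Dialer (placeholder)
DNS_SERVER = "192.168.1.242"     # private DNS server named in the post


def _match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_entry(line: str):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' into (action, src, dst)."""
    t = line.split()
    action = t[2]
    src_base, src_wc, i = _parse_addr(t, 4)
    dst_base, dst_wc, _ = _parse_addr(t, i)
    return action, (src_base, src_wc), (dst_base, dst_wc)


def is_interesting(acl, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_entry(line)
        if _match(src, sb, sw) and _match(dst, db, dw):
            return action == "permit"
    return False
```

A ping from the router to 192.168.1.242 is sent from the Dialer address and falls through to the implicit deny, which is why it never reaches the far side; sourcing it from Vlan1 with extended ping matches the first line.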