VPN Tunnel problem | outside interface has private IP

Answered Question
Jun 11th, 2009

Hi all,

I don't know if this is a weird case or not!

When our ISP provided us with an Internet connection, our real IP is configured on the Ethernet interface, while the serial interfaces have a private IP address.

The problem here comes when I'm trying to configure a VPN tunnel to another router.

Everything in the configuration is smooth except the part where I set that the serial interface is my outside.

The tunnel is always down because the IP address will be my private one (serial interface), while the configuration on the peer router is my public IP.

So I'm wondering, is there a way that I can force the VPN tunnel to take the IP configured on the LAN side? Or any other workaround?

Building configuration...

Current configuration : 2372 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ************ address 144.254.x.y
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to144.254.x.y
 set peer 144.254.x.y
 set transform-set ESP-3DES-SHA
 match address VPN_Traffic
!
!
!
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary (My Internal Subnet)
 ip address 196.219.a.b 255.255.255.224 (My Public IP)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay IETF
 ignore dcd
 frame-relay lmi-type q933a
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1.16
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
!
ip access-list extended VPN_Traffic
 remark Protect traffic from Local subnet to any Destination
 remark SDM_ACL Category=4
 permit ip 10.55.218.0 0.0.0.255 any
!
scheduler allocate 20000 1000
end

auraza Fri, 06/12/2009 - 18:56

Assign the public IP to a loopback interface. As long as your ISP is pointing to your serial interface for the public IP, that should work.

Then add the following command:

crypto map SDM_CMAP_1 local-address loopback0

Change loopback0 to the interface that you created and assigned the public IP to. Let me know if that works.
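
An added example, not part of the original thread and not Cisco tooling: a Python check that reads an IOS configuration, works out which address each crypto-map interface would source the tunnel from, and flags RFC 1918 sources like the serial sub-interfaces in the question. The sample configs are constructed, 203.0.113.1 is a documentation placeholder for the masked public IP, and the function names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed excerpt modelled on the posted config; 203.0.113.1 is a
# documentation address standing in for the masked public IP.
BEFORE = """\
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 crypto map SDM_CMAP_1
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 crypto map SDM_CMAP_1
"""
AFTER = "crypto map SDM_CMAP_1 local-address Loopback0\n!\n" + BEFORE


def ike_sources(config):
    """Map each crypto-map interface to the address the tunnel is sourced from."""
    primary, applied, local, iface = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
            local[m[1]] = m[2].lower()
        elif not raw.startswith(" "):
            # Any other unindented line starts a new top-level section.
            m = re.match(r"interface (\S+)", line)
            iface = m[1].lower() if m else None
        elif iface and (m := re.match(r"ip address (\S+) \S+$", line)):
            primary[iface] = ipaddress.ip_address(m[1])  # "secondary" lines do not match
        elif iface and (m := re.match(r"crypto map (\S+)$", line)):
            applied[iface] = m[1]
    # With local-address set, the named interface's primary IP is used instead.
    return {i: primary.get(local.get(cmap, i)) for i, cmap in applied.items()}


def private_sources(config):
    """Interfaces whose tunnel would be sourced from an RFC 1918 address."""
    return sorted(i for i, ip in ike_sources(config).items()
                  if ip is not None and any(ip in net for net in RFC1918))
```
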
