VPN Tunnel problem | outside interface has private IP

m.samouka
Level 1

Hi all,

I don't know if this is a weird case or not!

When our ISP provides us with an Internet connection, our real IP is configured on the Ethernet interface, while the serial interfaces have a private IP address.

The problem here comes when I'm trying to configure a VPN tunnel to another router.

Everything in the configuration is smooth except the part where I set that the serial interface is my outside.

The tunnel is always down because the IP address will be my private (serial interface) one, while the configuration on the peer router is my public IP.

So I'm wondering, is there a way that I can force the VPN tunnel to take the IP configured on the LAN side? Or any other workaround?

Building configuration...

Current configuration : 2372 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ************ address 144.254.x.y
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to144.254.x.y
 set peer 144.254.x.y
 set transform-set ESP-3DES-SHA
 match address VPN_Traffic
!
!
!
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary (My Internal Subnet)
 ip address 196.219.a.b 255.255.255.224 (My Public IP)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay IETF
 ignore dcd
 frame-relay lmi-type q933a
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1.16
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
!
ip access-list extended VPN_Traffic
 remark Protect traffic from Local subnet to any Destination
 remark SDM_ACL Category=4
 permit ip 10.55.218.0 0.0.0.255 any
!
scheduler allocate 20000 1000
end

Accepted Solution

network
Level 1

This should do the trick.

crypto map SDM_CMAP_1 local-address FastEthernet0/0

Cheers

3 Replies

bjames
Level 5

Why do you have your internal LAN and Public IP on the same interface? Move the 10.55.218.1 255.255.255.0 network to FA0/1 (not being used).

You might also want to tighten up the ACL for VPN traffic.

Good Luck

auraza
Cisco Employee

Assign the public IP to a loopback interface. As long as your ISP is pointing to your serial interface for the public IP, that should work.

Then add the following command:

crypto map SDM_CMAP_1 local-address loopback0

Change loopback0 to the interface that you created and assigned the public IP to. Let me know if that works.
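As an added illustration of the fix the replies describe (this is not code from the thread or from Cisco), the following Python checker parses an IOS running config, works out which address each crypto map will source IKE from (the `local-address` interface's primary IP if one is configured, otherwise the primary IP of the interface the map is applied on), flags maps that would source from an RFC 1918 address, and prints the `crypto map ... local-address` statement that would move them onto an interface holding a public address. The config inside is constructed, modelled on the poster's, with RFC 5737 documentation prefixes standing in for the real public and peer addresses; the line patterns it matches are assumptions about how IOS prints a running config, not a Cisco API.

```python
"""Added example (not code from the thread): report the address a Cisco IOS
crypto map sources IKE from, and flag a map applied on an RFC 1918 interface
while the peer expects the router's public IP."""
import ipaddress
import re

# Constructed config modelled on the poster's; public and peer addresses use
# RFC 5737 documentation prefixes in place of the real ones.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.7
 match address VPN_Traffic
!
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary
 ip address 203.0.113.10 255.255.255.224
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 crypto map SDM_CMAP_1
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 crypto map SDM_CMAP_1
!
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTF_RE = re.compile(r"^interface (\S+)")
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")
CMAP_IF_RE = re.compile(r"^\s+crypto map (\S+)\s*$")                  # map applied on an interface
LOCAL_ADDR_RE = re.compile(r"^crypto map (\S+) local-address (\S+)")  # global source override


def is_rfc1918(addr):
    # RFC 1918 only, not ipaddress.is_private: the latter also treats the
    # documentation prefixes used above as private.
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_config(text):
    """Per-interface primary IP and applied crypto maps, plus any
    'crypto map NAME local-address IFACE' lines."""
    interfaces, local_address, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # '!' closes the interface block
            continue
        if m := INTF_RE.match(line):
            current = m.group(1)
            interfaces[current] = {"primary": None, "crypto_maps": []}
        elif m := LOCAL_ADDR_RE.match(line):
            local_address[m.group(1)] = m.group(2)
        elif current is None or not line.startswith(" "):
            current = None                      # some other top-level section
        elif (m := IP_RE.match(line)) and not m.group(3):
            interfaces[current]["primary"] = ipaddress.ip_address(m.group(1))  # IOS sources from the primary
        elif m := CMAP_IF_RE.match(line):
            interfaces[current]["crypto_maps"].append(m.group(1))
    return {"interfaces": interfaces, "local_address": local_address}


def find_interface(cfg, name):
    # IOS accepts 'loopback0' for 'Loopback0'; match case-insensitively.
    return next((i for n, i in cfg["interfaces"].items() if n.lower() == name.lower()), None)


def ike_sources(cfg, cmap):
    """One entry per interface carrying `cmap`. IKE is sourced from the
    local-address interface's primary IP if set, else the carrying interface's."""
    override = cfg["local_address"].get(cmap)
    out = []
    for name, intf in cfg["interfaces"].items():
        if cmap in intf["crypto_maps"]:
            src_intf = find_interface(cfg, override or name)
            src = src_intf["primary"] if src_intf else None
            out.append({"applied_on": name, "source_ip": src,
                        "rfc1918": src is not None and is_rfc1918(src)})
    return out


def audit(cfg):
    """Findings for maps sourced from RFC 1918 addresses, plus the
    local-address statement that would move them to a public interface."""
    public_ifs = [n for n, i in cfg["interfaces"].items()
                  if i["primary"] is not None and not is_rfc1918(i["primary"])]
    cmaps = sorted({m for i in cfg["interfaces"].values() for m in i["crypto_maps"]})
    findings, fixes = [], []
    for cmap in cmaps:
        srcs = ike_sources(cfg, cmap)
        findings += [f"{cmap} on {s['applied_on']}: IKE sourced from {s['source_ip']} "
                     f"(RFC 1918); the peer expects the public address" for s in srcs if s["rfc1918"]]
        if any(s["rfc1918"] for s in srcs) and cmap not in cfg["local_address"] and public_ifs:
            fixes.append(f"crypto map {cmap} local-address {public_ifs[0]}")
    return {"findings": findings, "fixes": fixes}


if __name__ == "__main__":
    before = audit(parse_config(SAMPLE_CONFIG))
    print(*before["findings"], *("suggested: " + f for f in before["fixes"]), sep="\n")
    after = audit(parse_config(SAMPLE_CONFIG + before["fixes"][0] + "\n"))
    print("after applying the fix, findings:", after["findings"])
```

Run against the constructed config it reports both serial sub-interfaces sourcing IKE from 172.16.x addresses and suggests `crypto map SDM_CMAP_1 local-address FastEthernet0/0`; with that line appended, both entries resolve to the public address on FastEthernet0/0 and the findings list is empty. The same resolution covers the loopback variant, since `local-address loopback0` is looked up case-insensitively against `interface Loopback0`.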
