Problem with access subnet from router via ipsec tunnel site-to-site

Jul 30th, 2009
I would like to ask you to help me resolve what I hope is a simple problem :-)

Between 2 routers (Cisco 1812 with 12.4) I made an IPsec tunnel through the Internet.

This tunnel works well. Still, I have a problem with access from one router to the network on the other side of the tunnel.

It looks like this:


When I try to ping a host in subnet2 from router1 I get a timeout. When I use ping with the source option it works.

This is a big problem for me because I have to set internal DNS servers on router1 which are inside subnet2, but I can't reach them from the router.

So please tell me how I can set the default source IP for the router to use when the connection is made through the tunnel?

Additional information:

When I try to ping router1 (internal interface) from a host in subnet2, it works!!

The problems occur only when connections are initiated from the router...

My configuration is similar to this one:

ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxx
 set peer xx.xx.xx.xx
 set transform-set ESP-3DES-SHA
 match address 100

interface FastEthernet0
 description $ETH-WAN$
 ip address <internet ip>
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

interface FastEthernet6

interface Vlan1
 ip address <internal IP> <subnet>
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache

ip forward-protocol nd
ip route <internet gw>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

ip access-list extended toInternet
 remark internet access
 remark SDM_ACL Category=2
 remark IPSec Rule
 deny ip <subnet2> <subnet1>
 permit ip <subnet2> any

access-list 23 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip <subnet2> <subnet1>

no cdp run

Thanks for the help.

Collin Clark Thu, 07/30/2009 - 13:18

When you ping, it leaves the outside interface, so you're trying to ping a private address on the Internet, which of course will never work. From a workstation in Site A, can you access all resources in Site B? Add host entries if you need to rely on names.
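The mechanism behind this reply, as an added illustration that is not part of the original thread: an IOS crypto map only encrypts packets whose source/destination pair is permitted by the crypto ACL (here "match address 100"). A packet the router generates itself takes the address of the egress interface as its source unless told otherwise, and for a remote LAN the route lookup hits the default route out FastEthernet0, so the WAN address is used, the crypto ACL does not match, and the packet goes out unencrypted. The script below models that selection; the addresses, interface names and the `Vlan1`/`FastEthernet0` roles are constructed assumptions standing in for the values masked in the post.

```python
import ipaddress

# Constructed addresses (assumptions, the original post masks its real values):
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")    # LAN behind this router, on Vlan1
REMOTE_LAN = ipaddress.ip_network("192.168.20.0/24")   # LAN on the far side of the tunnel
VLAN1_IP = ipaddress.ip_address("192.168.10.1")        # this router's inside address
FA0_IP = ipaddress.ip_address("203.0.113.5")           # this router's Internet address
REMOTE_DNS = ipaddress.ip_address("192.168.20.53")     # a DNS server in the remote LAN

# Crypto ACL modelled on "access-list 100 permit ip <local subnet> <remote subnet>".
# The crypto map encrypts only packets whose (src, dst) pair is permitted here.
CRYPTO_ACL = [("permit", LOCAL_LAN, REMOTE_LAN)]


def acl_permits(acl, src, dst):
    """IOS first-match evaluation of an extended ACL, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def default_source(dst, source_interface=None):
    """Source address the router puts on a packet it originates itself.

    Without an explicit source the router uses the address of the egress
    interface chosen by the route lookup; for a remote LAN that is the
    default route out FastEthernet0. "ping <host> source Vlan1" (or a
    configured source-interface) overrides the choice.
    """
    if source_interface == "Vlan1":
        return VLAN1_IP
    if dst in LOCAL_LAN:
        return VLAN1_IP  # directly connected, leaves via Vlan1
    return FA0_IP


def router_originated(dst, source_interface=None):
    """'ipsec' if a router-generated packet to dst is encrypted by the crypto
    map, 'clear' if it leaves the WAN interface unencrypted."""
    src = default_source(dst, source_interface)
    return "ipsec" if acl_permits(CRYPTO_ACL, src, dst) else "clear"


def reply_to_remote_host(request_src, request_dst):
    """A reply reuses the request's destination as its own source, so a ping
    from the remote LAN to the router's Vlan1 address is answered from the
    Vlan1 address and matches the crypto ACL (the direction that works)."""
    return "ipsec" if acl_permits(CRYPTO_ACL, request_dst, request_src) else "clear"


if __name__ == "__main__":
    print("ping remote DNS, no source   :", router_originated(REMOTE_DNS))
    print("ping remote DNS, source Vlan1:", router_originated(REMOTE_DNS, "Vlan1"))
    print("remote host pings Vlan1 addr :", reply_to_remote_host(REMOTE_DNS, VLAN1_IP))
```

The same logic applies to the router's own DNS queries: they must be sourced from an address inside the crypto ACL, which on IOS is what `ip domain lookup source-interface Vlan1` does for name resolution (the configured analogue of the `source` option on `ping`). The alternative, adding the WAN address to the crypto ACL on both peers, also works but widens the tunnel's selector to a public address.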

m.przybylek Fri, 07/31/2009 - 01:02

Of course, the tunnel works well.

All workstations from one side of the tunnel can reach computers on the other side of the tunnel.

The problem is only when I try to reach servers in Site B from the router in Site A.

As I wrote, I have internal DNS, WINS etc. in Site A. The router in Site B should use them to resolve names for workstations in Site B.

Of course, when I use the DNS and WINS from Site A on workstations in Site B, everything works well, too.

What do you mean by:

"Add host entries if you need to rely on names."
