Problem with access subnet from router via ipsec tunnel site-to-site

m.przybylek
Level 1

Hello,

I would like to ask you to help me resolve what I hope is a simple problem :-)

Between 2 routers (Cisco 1812 with 12.4) I made an IPsec tunnel through the Internet.

This tunnel works well. But I have a problem with access from one router to the network on the other side of the tunnel.

It looks like this:

<subnet1>--<router1>--internet--<router2>--<subnet2>

When I try to ping a host in subnet2 from router1, I get a timeout. When I use ping with the source option, it works.

This is a big problem for me because I have to set internal DNS servers on router1 which are inside subnet2, but I can't reach them from the router.

So please tell me how I can set the default source IP for the router to use when a connection is made through the tunnel?

Additional information:

When I try to ping router1 (internal interface) from a host in subnet2, it works!!

The problems occur only when connections are initiated from the router...

My configuration is similar to this one:

ip source-route
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxx
 set peer xx.xx.xx.xx
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0
 description $ETH-WAN$
 ip address <internet ip>
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet6
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
 ip address <internal IP> <subnet>
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <internet gw>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended toInternet
 remark access to the Internet
 remark SDM_ACL Category=2
 remark IPSec Rule
 deny ip <subnet2> <subnet1>
 permit ip <subnet2> any
!
access-list 23 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip <subnet2> <subnet1>
no cdp run

Thanks for your help

Marcin

2 Replies

Collin Clark
VIP Alumni

When you ping, it leaves the outside interface, so you're trying to ping a private address on the internet, which of course will never work. From a workstation in Site A can you access all resources in Site B? Add host entries if you need to rely on names.

Of course, the tunnel works well.

All workstations from one side of the tunnel can reach computers on the other side of the tunnel.

The problem is only when I try to reach servers in Site B from the router in Site A.

As I wrote, I have internal DNS, WINS etc. in Site A. The router in Site B should use them to resolve names for workstations in Site B.

Of course, when I use the DNS and WINS from Site A on workstations in Site B, all works well, too.

What do you mean by:

"Add host entries if you need to rely on names."
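The mechanism Collin Clark describes (router-originated traffic leaving FastEthernet0 with the WAN address as source, so it never matches the crypto ACL and goes out in the clear) can be modelled in a few lines. The following Python script is an added illustration written for this page; it is not code from the thread or from Cisco. All addresses are constructed placeholders for the `<subnet1>`, `<subnet2>` and `<internet ip>` values in the post, and the crypto ACL is modelled in local-to-remote order (`permit ip <subnet1> <subnet2>`) as seen from the router doing the pinging. It shows why a plain `ping` from the router fails while `ping ... source Vlan1` and a ping from a LAN host both get encrypted.

```python
import ipaddress
from typing import NamedTuple, Optional


class AclEntry(NamedTuple):
    """One line of an IOS extended ACL, reduced to action plus source/destination networks."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Constructed sample addressing (stand-ins for the placeholders in the post).
SUBNET1 = ipaddress.ip_network("10.1.0.0/24")    # LAN behind this router (Vlan1)
SUBNET2 = ipaddress.ip_network("10.2.0.0/24")    # LAN behind the IPsec peer
WAN_IP = ipaddress.ip_address("203.0.113.10")    # this router's FastEthernet0 address
VLAN1_IP = ipaddress.ip_address("10.1.0.1")      # this router's Vlan1 address
LAN_HOST = ipaddress.ip_address("10.1.0.25")     # a workstation in SUBNET1
DNS_SERVER = ipaddress.ip_address("10.2.0.53")   # internal DNS server in the remote LAN

# Crypto ACL modelled on "access-list 100 permit ip <subnet1> <subnet2>":
# only packets whose source AND destination fall inside these networks are encrypted.
CRYPTO_ACL_100 = [AclEntry("permit", SUBNET1, SUBNET2)]


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def classify_egress(src, dst, crypto_acl=CRYPTO_ACL_100):
    """How a packet leaving FastEthernet0 (where the crypto map is applied) is handled."""
    if acl_permits(crypto_acl, src, dst):
        return "encrypted into IPsec tunnel"
    if dst.is_private:
        # Not selected by the crypto map, so it is forwarded in the clear towards the
        # default gateway with an RFC 1918 destination that the Internet will not route.
        return "plaintext to Internet, unroutable private destination"
    return "plaintext to Internet"


def router_originated(dst, source_interface: Optional[str] = None):
    """Model 'ping <dst>' versus 'ping <dst> source Vlan1' issued on the router itself.

    Router-originated packets carry the address of the egress interface chosen by
    routing (FastEthernet0, via the default route) unless a source is specified.
    """
    src = VLAN1_IP if source_interface == "Vlan1" else WAN_IP
    return src, classify_egress(src, dst)


if __name__ == "__main__":
    cases = [
        ("ping from router, no source", router_originated(DNS_SERVER)),
        ("ping from router, source Vlan1", router_originated(DNS_SERVER, "Vlan1")),
        ("LAN host -> remote DNS", (LAN_HOST, classify_egress(LAN_HOST, DNS_SERVER))),
    ]
    for label, (src, verdict) in cases:
        print(f"{label:32s} src={str(src):15s} -> {verdict}")
```

The first case reproduces the timeout from the post: the source address is the WAN address, the crypto ACL does not match, and a packet for a private address leaves towards the Internet in plaintext. Specifying the Vlan1 source is what makes the packet fall inside the crypto ACL, which is why the `source` option works in the thread.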
