07-30-2009 06:37 AM - edited 02-21-2020 03:36 AM
Hello,
I would like to ask you to help resolve what I hope is a simple problem :-)
Between 2 routers (Cisco 1812 with 12.4) I made an IPsec tunnel through the Internet.
This tunnel works well. So, I have a problem with access from one router to the network on the other side of the tunnel.
It looks like this:
<subnet1>--<router1>--internet--<router2>--<subnet2>
When I try to ping a host in subnet2 from router1 I get a timeout. When I use ping with the source option it works.
This is a big problem for me because I have to set on router1 internal DNS servers which are inside subnet2, but I can't reach them from the router.
So please tell me how I can set the default source IP for the router to use when the connection is made through the tunnel?
Additional information,
When I try to ping from a host in subnet2 to router1 (internal interface) - it works !!
The problems occur only when connections are initiated from the router...
My configuration is similar to this one:
ip source-route
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxxx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address <internet ip>
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet6
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
ip address <internal IP> <subnet>
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <internet gw>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended toInternet
remark dostep do internetu
remark SDM_ACL Category=2
remark IPSec Rule
deny ip <subnet2> <subnet1>
permit ip <subnet2> any
!
access-list 23 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip <subnet2> <subnet1>
no cdp run
thanks for help
Marcin
07-30-2009 01:18 PM
When you ping, it leaves the outside interface, so you're trying to ping a private address on the Internet, which of course will never work. From a workstation in Site A can you access all resources in Site B? Add host entries if you need to rely on names.
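To make this reply's point concrete, the following is an added illustration (not code from the thread or from Cisco) of how the crypto map's ACL 100 decides whether a router-generated packet is encrypted or forwarded in the clear; the subnet and router addresses are constructed placeholders standing in for the thread's <subnet1>, <subnet2>, <internet ip> and <internal IP>.

```python
import ipaddress

# Constructed placeholder addressing for router1 (site A), as assumed here.
SUBNET1 = "192.168.1.0/24"          # <subnet1>, site A LAN behind router1
SUBNET2 = "192.168.2.0/24"          # <subnet2>, site B LAN behind router2
ROUTER1_WAN_IP = "203.0.113.10"     # <internet ip> on FastEthernet0
ROUTER1_LAN_IP = "192.168.1.1"      # <internal IP> on Vlan1

# Router1's side of the crypto ACL from the thread:
#   access-list 100 permit ip <subnet1> <subnet2>
# (the posted config shows router2's view, with the subnets swapped)
CRYPTO_ACL_100 = [("permit", SUBNET1, SUBNET2)]

ENCRYPTED = "encrypted via IPsec tunnel"
CLEAR = "sent in the clear to <internet gw>"

def crypto_acl_match(src, dst, acl):
    """First-match evaluation of a crypto ACL; no match means implicit deny,
    i.e. the packet bypasses the crypto map and is routed normally."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def router_originated_path(dst, source_ip=None):
    """Classify a packet generated by router1 itself and leaving FastEthernet0.
    Without 'ping <dst> source <addr>' IOS stamps the egress interface address,
    the WAN IP, as the source, so the packet never matches ACL 100 and is
    forwarded unencrypted toward a private address the Internet cannot route."""
    src = source_ip if source_ip is not None else ROUTER1_WAN_IP
    return ENCRYPTED if crypto_acl_match(src, dst, CRYPTO_ACL_100) else CLEAR

def path_report(dst):
    """Compare the plain ping with the 'source Vlan1' ping the poster found working."""
    return {
        "plain ping": router_originated_path(dst),
        "ping with source Vlan1": router_originated_path(dst, ROUTER1_LAN_IP),
    }

if __name__ == "__main__":
    for name, outcome in path_report("192.168.2.10").items():
        print(f"{name}: {outcome}")
```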
07-31-2009 01:02 AM
Of course, the tunnel works well.
All workstations from one side of the tunnel can reach computers on the other side of the tunnel.
The problem is only when I try to reach servers in Site B from the router in Site A.
As I wrote, I have internal DNS, WINS etc... in Site A. The router in Site B should use them to resolve names for workstations in Site B.
Of course, when I use the DNS and WINS from Site A on workstations in Site B, all works well, too.
What do you mean by:
Add host entries if you need to rely on names.