07-30-2009 06:37 AM - edited 02-21-2020 03:36 AM
Hello,
I would like to ask you to help me resolve a hopefully simple problem :-)
Between 2 routers (Cisco 1812 with 12.4) I made an IPsec tunnel through the Internet.
This tunnel works well. But I have a problem with access from one router to the network on the other side of the tunnel.
It looks like this:
<subnet1>--<router1>--internet--<router2>--<subnet2>
When I try to ping a host in subnet2 from router1 I get a timeout. When I use ping with the source option it works.
This is a big problem for me because I have to set internal DNS servers on router1 which are inside subnet2, but I can't reach them from the router.
So please tell me how I can set the default source IP for the router to use when the connection is made through the tunnel?
Additional information:
When I try to ping router1 (internal interface) from a host in subnet2, it works!!
The problems occur only when connections are initiated from the router...
My configuration is similar to this one:
ip source-route
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxxx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address <internet ip>
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet6
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
ip address <internal IP> <subnet>
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <internet gw>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended toInternet
remark dostep do internetu
remark SDM_ACL Category=2
remark IPSec Rule
deny ip <subnet2> <subnet1>
permit ip <subnet2> any
!
access-list 23 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip <subnet2> <subnet1>
no cdp run
Thanks for your help,
Marcin
07-30-2009 01:18 PM
When you ping, it leaves the outside interface, so you're trying to ping a private address on the Internet, which of course will never work. From a workstation in Site A can you access all resources in Site B? Add host entries if you need to rely on names.
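Added example (not from the thread): a Python model of the crypto-map selection the reply describes, showing why a router-originated ping sourced from the WAN address never matches the crypto ACL and leaves FastEthernet0 in the clear, while the same ping sourced from Vlan1 matches and is sent through the tunnel. It assumes constructed addresses and that router1's crypto ACL permits subnet1 to subnet2 (the posted placeholders read the other way round; the logic is the same).

```python
import ipaddress

# Constructed sample addressing (assumption: the thread masks the real values).
SUBNET1 = ipaddress.ip_network("192.168.1.0/24")     # LAN behind router1 (Vlan1)
SUBNET2 = ipaddress.ip_network("192.168.2.0/24")     # LAN behind router2
ROUTER1_WAN = ipaddress.ip_address("203.0.113.10")   # FastEthernet0 public address
ROUTER1_LAN = ipaddress.ip_address("192.168.1.1")    # Vlan1 address
DNS_IN_SUBNET2 = ipaddress.ip_address("192.168.2.53")  # internal DNS behind router2

# Mirror of "access-list 100 permit ip <subnet1> <subnet2>" as seen by router1:
# one (action, source network, destination network) entry per ACL line.
CRYPTO_ACL_100 = [("permit", SUBNET1, SUBNET2)]


def acl_matches(acl, src, dst):
    """First-match evaluation of a crypto ACL; implicit deny at the end means
    the packet is not 'interesting' traffic and is not encrypted."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def egress_source(dst, source_interface=None):
    """Router-originated traffic uses the egress interface's address unless a
    source is given explicitly (like 'ping ... source Vlan1')."""
    if source_interface == "Vlan1":
        return ROUTER1_LAN
    # dst is not on a connected subnet, so the default route out Fa0 is used.
    return ROUTER1_WAN


def forward(dst, source_interface=None):
    """Decide how router1 sends a self-generated packet to dst."""
    src = egress_source(dst, source_interface)
    if acl_matches(CRYPTO_ACL_100, src, dst):
        return {"src": str(src), "path": "ipsec-tunnel"}
    # No crypto-map match: the packet leaves Fa0 unencrypted towards the
    # Internet, where an RFC 1918 destination is unreachable (and any payload
    # is exposed on the WAN side).
    return {"src": str(src), "path": "cleartext-internet"}


if __name__ == "__main__":
    print("plain ping:       ", forward(DNS_IN_SUBNET2))
    print("ping source Vlan1:", forward(DNS_IN_SUBNET2, "Vlan1"))
```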
07-31-2009 01:02 AM
Of course, the tunnel works well.
All workstations from one side of the tunnel can reach computers on the other side of the tunnel.
The problem is only when I try to reach servers in Site B from the router in Site A.
As I wrote, I have internal DNS, WINS etc... in Site A. The router in Site B should use them to resolve names for workstations in Site B.
Of course, when I use the DNS and WINS from Site A on workstations in Site B, all works well, too.
What do you mean by:
Add host entries if you need to rely on names.