Routing traffic out of the source interface which is also IPsec crypto-map interface

Unanswered Question
Feb 3rd, 2010

Hi


(see below image) I'm trying to establish correct routing from my company towards some machines at a client's site. The LAN-2-LAN tunnel gets established from xxx.244.260.176 towards mycompany router at the clients' site on the other end nnn.211.0.54. My servers in interesting-traffic segment A are reachable. However, servers in segment B are not.

Routing should be as far as I know, as follows:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route nnn.211.0.0 255.255.0.0 nnn.211.0.53
ip route 192.168.56.0 255.255.255.0 FastEthernet0/0
ip route 192.168.57.0 255.255.255.0 FastEthernet0/0
ip route 192.168.58.0 255.255.255.0 FastEthernet0/0
ip route 192.168.60.0 255.255.255.0 nnn.211.0.53


Currently we connect to the servers via a fiber connection that is to be dismantled shortly, it is connected via interface FastEthernet0/0. In this setup segment B is reachable.


Simple 1.jpg


I hope you can help me, I think I've tried everything, am I overlooking something?


Thanks in advance!


With kind regards, Tom

Jon Marshall Thu, 02/04/2010 - 04:42


Tom


It's not entirely clear what your problem is.


Do you want to use the VPN tunnel to get to site B, i.e. 192.168.60.0, or do you just want to route traffic direct?


If you want to route traffic direct then does it need to be in an IPSEC tunnel or not?


There is no reason why you cannot send 192.168.56/57/58 traffic down the IPSEC tunnel and then 192.168.60.0 traffic not down the tunnel. This is nothing to do with routing and is to do with the crypto map access-lists.


Perhaps you could clarify exactly what the problem is?


Jon
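A small model of the two separate decisions Jon describes above, applied to the static routes from the question: routing picks the egress interface and next hop, and the crypto-map ACL on that interface decides whether the packet is encrypted. This is an added example, not code from the thread or from Cisco IOS. All addresses are stand-ins (10.211.0.0/16 for the obfuscated nnn.211.0.0/16, 172.28.206.0/24 for the management range xxx.28.206.0/24), the connected /30 on FastEthernet0/1 is assumed so that the next hop 10.211.0.53 resolves, the crypto ACL contents are constructed, and the function names are mine.

```python
import ipaddress

# --- Constructed data (stand-ins, not the poster's real addresses) ----------
# 10.211.0.0/16 replaces the obfuscated nnn.211.0.0/16 in the thread;
# 172.28.206.0/24 replaces the management range xxx.28.206.0/24.
# The connected /30 on FastEthernet0/1 is an assumption so that the
# next hop 10.211.0.53 can be resolved to an interface.
ROUTES = [
    # (prefix,           egress interface,   next hop)
    ("10.211.0.52/30",   "FastEthernet0/1",  None),          # assumed connected
    ("0.0.0.0/0",        "FastEthernet0/1",  None),
    ("10.211.0.0/16",    None,               "10.211.0.53"),
    ("192.168.56.0/24",  "FastEthernet0/0",  None),
    ("192.168.57.0/24",  "FastEthernet0/0",  None),
    ("192.168.58.0/24",  "FastEthernet0/0",  None),
    ("192.168.60.0/24",  None,               "10.211.0.53"),
]

CRYPTO_MAP_INTERFACE = "FastEthernet0/1"

# Constructed crypto-map ACL entries as (action, source prefix, destination prefix).
# "before" covers segments 56/57/58 only; "after" also lists segment B.
CRYPTO_ACL_BEFORE = [
    ("permit", "192.168.56.0/24", "172.28.206.0/24"),
    ("permit", "192.168.57.0/24", "172.28.206.0/24"),
    ("permit", "192.168.58.0/24", "172.28.206.0/24"),
]
CRYPTO_ACL_AFTER = CRYPTO_ACL_BEFORE + [("permit", "192.168.60.0/24", "172.28.206.0/24")]


def lookup(routes, dst, depth=0):
    """Longest-prefix match for dst. A next-hop-only route is resolved
    recursively to the interface through which the next hop is reached.
    Returns (interface, next_hop); (None, None) if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return None, None
    _, iface, next_hop = best
    if iface is None:
        if depth > 8:           # guard against a next hop that never resolves
            return None, next_hop
        iface, _ = lookup(routes, next_hop, depth + 1)
    return iface, next_hop


def matches_crypto_acl(acl, src, dst):
    """First-match evaluation of the crypto ACL with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def forward(routes, acl, src, dst):
    """Model the two independent decisions a packet goes through: routing picks
    the egress interface and next hop; the crypto map bound to that interface
    (and only that interface) decides whether the packet is encrypted.
    Returns (interface, next_hop, encrypted)."""
    iface, next_hop = lookup(routes, dst)
    encrypted = iface == CRYPTO_MAP_INTERFACE and matches_crypto_acl(acl, src, dst)
    return iface, next_hop, encrypted


def demo():
    mgmt = "172.28.206.254"     # stand-in for the PAT address xxx.28.206.254
    return {
        # return traffic from a segment A host toward the management network
        "A_to_mgmt_before": forward(ROUTES, CRYPTO_ACL_BEFORE, "192.168.56.10", mgmt),
        # segment B host: same route, same interface, but absent from the crypto ACL
        "B_to_mgmt_before": forward(ROUTES, CRYPTO_ACL_BEFORE, "192.168.60.10", mgmt),
        "B_to_mgmt_after":  forward(ROUTES, CRYPTO_ACL_AFTER,  "192.168.60.10", mgmt),
        # decrypted management traffic bound for segment B leaves in the clear
        # out the crypto-map interface toward the client's next hop
        "mgmt_to_B":        forward(ROUTES, CRYPTO_ACL_AFTER,  mgmt, "192.168.60.10"),
    }


if __name__ == "__main__":
    for name, (iface, nh, enc) in demo().items():
        print(f"{name:18} egress={str(iface):16} next_hop={nh}  encrypted={enc}")
```

Both 192.168.56.0/24 and 192.168.60.0/24 traffic toward the management range takes the default route out FastEthernet0/1; only the crypto ACL decides which of the two is encrypted, which is the point of the reply above. The model deliberately ignores NAT: on IOS, inside-to-outside NAT runs before the crypto-map check on outbound traffic, so a crypto ACL has to describe post-NAT addresses.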

Tom Teunissen Thu, 02/04/2010 - 09:39

Hi,


Of course I'll try to explain:


My company manages several servers in interesting traffic segment A and B at the client site. These should be reachable from my company. Our management servers like HPOV and CiscoWorks are in the range xxx.28.206.0 /24 and management users, for setting up rdp sessions or https ilo/drac sessions, receive a PAT address xxx.28.206.254. All traffic is being tunneled between our site and the customers' site.


!!! The cloud is not a WAN cloud but the internet, thus VPN/L2L tunnel is required !!!


The tunnel itself works; I can connect to segment A, but when routed back towards the source interface all fails.

I have an access-list on the interface logging only permits, so the packets are sent.

A trace shows only next hop nnn.211.0.53.

Ping from the nnn.211.0.54 router towards nnn.211.4.85 is successful.

However, this address doesn't show in the ARP table.


... :'(


Regards, Tom
