**** Router B - 2811 **** "flash:c2800nm-advsecurityk9-mz.124-25a.bin" THis is the router where the host 10.200.1.43 resides. Traceroute on this host says traffic is going via tunnel2 but the router says it is going via tunnel 1 interface Tunnel1 ip address 10.254.0.14 255.255.255.252 ip mtu 1400 ip ospf cost 50 ip ospf mtu-ignore tunnel source FastEthernet0/0 tunnel destination 10.0.0.98 -----> this tunnel goes via a firewall, hence the private IP ! interface Tunnel2 ip address 10.254.0.18 255.255.255.252 ip mtu 1400 ip wccp 62 redirect in ip tcp adjust-mss 1400 ip ospf cost 100 ip ospf mtu-ignore tunnel source FastEthernet0/1 tunnel destination ** Public IP ** tunnel protection ipsec profile GRE_AES256 interface FastEthernet0/0 description *** Local LAN ***$FW_INSIDE$ ip address 10.200.1.1 255.255.255.0 ip wccp 61 redirect in ip nat inside ip virtual-reassembly ip route-cache flow ip policy route-map FE00 duplex auto speed auto service-policy input QoS-INPUT route-map FE00 permit 10 match ip address DUBTUN2 set ip next-hop 10.254.0.17 ! route-map FE00 permit 20 match ip address BORTUN3 set ip next-hop 10.254.210.10 ! route-map FE00 permit 30 match ip address CARTUN1 set ip next-hop 10.254.212.2 #sh access-list DUBTUN2 Extended IP access list DUBTUN2 10 permit ip host 10.200.1.43 10.0.0.0 0.0.0.255 (691955 matches) ********** ROUTER A - 2811 ************** "flash:c2800nm-advsecurityk9-mz.124-20.T3.bin" ! interface Tunnel1 ip address 10.254.0.13 255.255.255.252 ip mtu 1400 ip ospf cost 50 ip ospf mtu-ignore tunnel source FastEthernet0/0 tunnel destination 10.200.1.1 ! interface Tunnel2 ip address 10.254.0.17 255.255.255.252 ip mtu 1400 ip wccp 62 redirect in ip tcp adjust-mss 1400 ip ospf cost 100 ip ospf mtu-ignore tunnel source FastEthernet0/1 tunnel destination ** public ip ** tunnel protection ipsec profile GRE_AES256 interface FastEthernet0/0 description Main Lan$FW_INSIDE$ ip address 10.0.0.98 255.255.255.0 ip wccp 61 redirect in ip inspect URLFILTER in ip nat inside ip virtual-reassembly ip tcp adjust-mss 1270 ip policy route-map LAN duplex auto speed auto service-policy input QoS-INPUT Ocuco#sh route-map LAN route-map LAN, permit, sequence 10 Match clauses: ip address (access-lists): ODCTUN2 Set clauses: ip next-hop 10.254.0.18 Policy routing matches: 117260 packets, 22846256 bytes route-map LAN, permit, sequence 20 Match clauses: ip address (access-lists): IBB-NAT Set clauses: ip next-hop 87.192.12.1 Policy routing matches: 32173864 packets, 1190234529 bytes route-map LAN, permit, sequence 30 Match clauses: ip address (access-lists): CARTUN1 Set clauses: ip next-hop 10.254.212.6 Policy routing matches: 64108 packets, 21175687 bytes #sh access-list ODCTUN2 Extended IP access list ODCTUN2 10 permit ip host 10.0.0.10 host 10.200.1.20 (113657 matches) #sh ip route 10.200.1.43 Routing entry for 10.200.1.43/32 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 10.254.0.18 Route metric is 0, traffic share count is 1