05-13-2009 01:13 AM - edited 03-06-2019 05:42 AM
Hi.
I have a tunnel between 2 offices; network services are working well. When I open an internet site, it does not work.
My config:
R1.
crypto isakmp policy 100
authentication pre-share
!
crypto isakmp key 123 address 10.10.255.2
!
crypto ipsec transform-set msk esp-aes esp-sha-hmac
!
crypto ipsec profile Pmsk
set transform-set msk
!
!
interface Tunnel1
ip address 10.10.254.1 255.255.255.252
ip mtu 1500
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1436
ip policy route-map sety
tunnel source Serial0/0/0
tunnel destination 10.10.255.2
tunnel protection ipsec profile Pmsk
!
interface Serial0/0/0
ip address 10.10.255.1 255.255.255.252
ip mask-reply
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map sety
!
ip route 10.10.128.0 255.255.252.0 10.10.254.2
!
ip access-list extended ForSety
deny ip host 10.10.10.41 any
deny tcp host 10.10.10.21 eq 3389 any
deny ip 10.10.101.0 0.0.0.255 any
deny ip host 10.10.10.8 any
deny ip host 10.10.10.253 any
deny ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.3.255
deny ip 10.10.0.0 0.0.127.255 10.10.132.0 0.0.3.255
deny ip 10.10.128.0 0.0.3.255 10.10.0.0 0.0.127.255
deny ip 10.10.128.0 0.0.3.255 10.10.132.0 0.0.3.255
deny ip 10.10.132.0 0.0.3.255 10.10.0.0 0.0.127.255
deny ip 10.10.132.0 0.0.3.255 10.10.128.0 0.0.3.255
permit ip 10.10.0.0 0.0.255.255 any
!
route-map sety permit 10
match ip address ForSety
set ip next-hop xxx.yyy.zzz.www
________________________________________________
R2
crypto isakmp policy 100
authentication pre-share
crypto isakmp key 123 address 10.10.255.1
!
!
crypto ipsec transform-set msk esp-aes esp-sha-hmac
!
crypto ipsec profile Pmsk
set transform-set msk
!
interface Tunnel1
ip address 10.10.254.2 255.255.255.252
ip mtu 1500
ip tcp adjust-mss 1436
tunnel source Serial0/1/0
tunnel destination 10.10.255.1
tunnel protection ipsec profile Pmsk
!
interface Serial0/1/0
ip address 10.10.255.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.254.1
Can you help me resolve this problem?
05-13-2009 01:59 AM
Hi,
Please ensure that your access-lists allow outbound traffic from the remote network, and also that this network is being NATed on your R1 router.
HTH
Steve
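The access-list check suggested in this reply, applied to the ForSety ACL posted for R1, as an added example that is not part of the thread: a first-match evaluation with Cisco wildcard masks showing which flows route-map sety sends to its `set ip next-hop`. It assumes the route-map has only the one permit clause shown; the function names and the destination 203.0.113.80 are constructed for illustration.

```python
import ipaddress

# ForSety entries as posted for R1:
# (action, proto, src, src_wildcard, dst, dst_wildcard[, tcp_source_port]).
# "host X" is wildcard 0.0.0.0; "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
FORSETY = [
    ("deny", "ip", "10.10.10.41", "0.0.0.0", *ANY),
    ("deny", "tcp", "10.10.10.21", "0.0.0.0", *ANY, 3389),
    ("deny", "ip", "10.10.101.0", "0.0.0.255", *ANY),
    ("deny", "ip", "10.10.10.8", "0.0.0.0", *ANY),
    ("deny", "ip", "10.10.10.253", "0.0.0.0", *ANY),
    ("deny", "ip", "10.10.0.0", "0.0.127.255", "10.10.128.0", "0.0.3.255"),
    ("deny", "ip", "10.10.0.0", "0.0.127.255", "10.10.132.0", "0.0.3.255"),
    ("deny", "ip", "10.10.128.0", "0.0.3.255", "10.10.0.0", "0.0.127.255"),
    ("deny", "ip", "10.10.128.0", "0.0.3.255", "10.10.132.0", "0.0.3.255"),
    ("deny", "ip", "10.10.132.0", "0.0.3.255", "10.10.0.0", "0.0.127.255"),
    ("deny", "ip", "10.10.132.0", "0.0.3.255", "10.10.128.0", "0.0.3.255"),
    ("permit", "ip", "10.10.0.0", "0.0.255.255", *ANY),
]

def wild_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def route_map_decision(proto, src, dst, sport=None):
    """Return (matching ACL line number or None, forwarding decision)."""
    for n, ace in enumerate(FORSETY, 1):
        action, aproto, s, sw, d, dw, *port = ace
        if aproto != "ip" and aproto != proto:
            continue  # protocol-specific entry for a different protocol
        if port and port[0] != sport:
            continue  # "eq 3389" on the source side did not match
        if wild_match(src, s, sw) and wild_match(dst, d, dw):
            # An ACL permit means the route-map clause matches (set next-hop applies);
            # an ACL deny means the packet is left to the normal routing table.
            return n, "policy-routed" if action == "permit" else "normal routing"
    return None, "normal routing"  # implicit deny: route-map does not match

if __name__ == "__main__":
    # Constructed sample flows: remote office to internet, remote office to main office.
    for flow in [("tcp", "10.10.128.10", "203.0.113.80"),
                 ("tcp", "10.10.128.10", "10.10.10.5")]:
        print(flow, route_map_decision(*flow))
```

A remote-office source in 10.10.128.0/22 heading to an internet address falls through every deny and matches the final permit, so it is policy-routed when it arrives on an R1 interface carrying `ip policy route-map sety`.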
05-13-2009 02:57 AM
The ACL allows outbound traffic from the remote network, and NAT is enabled. Ping and traceroute to the internet site are working.
If I change:
R1
ip route 10.10.128.0 255.255.252.0 10.10.254.2
to
ip route 10.10.128.0 255.255.252.0 10.10.255.2
---------------------------------------------------------------------
R2
ip route 0.0.0.0 0.0.0.0 10.10.254.1
to
ip route 0.0.0.0 0.0.0.0 10.10.255.1
Everything works.