access to internal network through ipsec from router

I have a 2651XM with a CSU/DSU card terminating our Internet T1. I have the IPsec tunnel running over this interface. I am using IPsec with pre-shared keys. The tunnel works great, no problems whatsoever. My problem is when I try to ping an internal client on the other side of the tunnel from the router itself, I can't! I can ping from a client to any other client. I have set up a static route to point to the network I want, e.g. ip route 172.16.1.0 255.255.255.0 serial0/0. The traceroute shows that the ping is going out to the Internet, not through the VPN tunnel. I have a 0.0.0.0 route for the serial interface for Internet connectivity.

Any ideas?

Geoff

4 REPLIES

Re: access to internal network through ipsec from router

Use an extended ping, using the IP address of another interface on the router that is getting encrypted and passed over the tunnel. Your crypto map will reference an access-list with the networks that are getting encrypted.

A normal ping is sourced from the closest interface to the destination.

HTH, Erick

Re: access to internal network through ipsec from router

Erick,

Thanks for your reply, but I have used an extended ping. I guess I did not make myself clear in my question. I need the router to be able to connect to a client on the internal network, but when it tries to connect it goes out to the Internet, not through the IPsec tunnel. I have static routes defined (e.g. ip route 172.16.x.x 255.255.0.0 s0/0); this should point anything in that subnet over the IPsec tunnel, but it does not. I tried to use an ip route statement to point a specific address to the tunnel, but that did not work either. Any ideas on how to do this?

Geoff

Re: access to internal network through ipsec from router

Geoff,

Can you post a sanitized config here?

Re: access to internal network through ipsec from router

Eric,

Here you go:

Current configuration : 4548 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
!
voice-card 1
!
ip subnet-zero
!
!
!
!
class-map match-any voice
 match ip rtp 16383 16383
 match ip precedence 5
!
!
policy-map voipqos1
 class voice
  priority percent 75
 class class-default
  fair-queue
!
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key **** address 1.2.3.4
!
crypto ipsec transform-set ***** esp-des esp-sha-hmac
!
crypto map ****** 10 ipsec-isakmp
 description *******Tunnel
 set peer 1.2.3.4
 set transform-set *****
 match address 121
!
isdn switch-type primary-ni
!
!
!
!
!
!
!
fax receive called-subscriber $d$
fax interface-type fax-mail
mta send server
mta send subject Fax Message
mta send with-subject both
mta send postmaster it@reico.com
mta send mail-from hostname
mta send mail-from username $s$
mta send return-receipt-to hostname it@reico.com
mta send return-receipt-to username $s$
mta receive maximum-recipients 0
!
controller T1 1/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
!
!
!
interface FastEthernet0/0
 ip address 7.8.9.10 255.255.255.0
 no ip mroute-cache
 speed 100
 full-duplex
 h323-gateway voip bind srcaddr 7.8.9.10
!
interface Serial0/0
 ip address 5.6.7.8
 encapsulation ppp
 service-policy output voipqos1
 crypto map *****
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0:23
 no ip address
 no logging event link-status
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
router eigrp 1
 network 172.16.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.5.8.9
ip route 172.16.11.0 255.255.255.0 f0/0
no ip http server
ip pim bidir-enable
!
!
access-list 121 permit ip 1.2.3.0 0.0.0.255 4.5.0.0 0.0.255.255
!
call rsvp-sync
!
call application voice on-ramp tftp://0.0.0.0/ipfax/onramp/app_faxmail_onramp.2.0.1.2.tcl
!
call application voice off-ramp tftp://0.0.0.0/ipfax/offramp/app_faxmail_offramp.2.0.1.1.tcl
!
voice-port 1/0:23
 echo-cancel coverage 24
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 90 pots
 destination-pattern 9T
 progress_ind setup enable 3
 direct-inward-dial
 port 1/0:23
!
dial-peer voice 1000 voip
 destination-pattern 3...
 progress_ind setup enable 3
 session target ipv4:0.0.0.0
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 1001 voip
 destination-pattern 4...
 progress_ind setup enable 3
 session target ipv4:0.0.0.0
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 1002 voip
 destination-pattern 2...
 progress_ind setup enable 3
 session target ipv4:0.0.0.0
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 100 pots
 application on-ramp
 incoming called-number 258[1,3,5,7,9]
 direct-inward-dial
!
dial-peer voice 101 pots
 application on-ramp
 incoming called-number 259[1,3,5,7]
 direct-inward-dial
!
dial-peer voice 2000 mmoip
 application fax_on_vfc_onramp_app out-bound
 destination-pattern 25..
 information-type fax
 session target mailto:gbeaty@reico.com
!
num-exp 2580 4052
num-exp 2582 4054
num-exp 2584 4053
num-exp 2586 4055
num-exp 2588 4056
num-exp 2590 4057
num-exp 2592 4063
num-exp 2594 4059
num-exp 2596 4062
num-exp 2599 4076
!
!
line con 0
line aux 0
 login
 flowcontrol hardware
line vty 0 4
 login
!
!
end

Thanks,

Geoff
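The point Erick makes above is easy to verify mechanically: a crypto map only encrypts packets that a permit entry in its "match address" ACL (ACL 121 in Geoff's config) covers, and a plain ping from the router is sourced from the egress interface, here the serial WAN address, which is normally outside that ACL, so the echo request leaves the router unencrypted toward the default route. The script below is an added example written for this thread, not Cisco code and not Geoff's or Erick's; it parses the crypto ACL and the interface addresses out of a config and reports which ping source address would be encrypted. The config it runs on is constructed, modelled on the layout of the posted one: the crypto map name VPNMAP and all addresses (RFC 5737 documentation ranges for the WAN side, 192.0.2.0/24 for the LAN behind FastEthernet0/0, 172.16.0.0/16 for the remote site) are placeholders chosen for this example, and the parser only understands numbered extended ACL entries of the form `access-list N permit|deny ip SRC DST` with `any`, `host A`, or `A WILDCARD` operands.

```python
"""Which ping source address would an IOS crypto map actually encrypt?

Added example for this thread (not Cisco code): parse the crypto ACL and the
interface addresses out of a config, then evaluate a (source, destination)
pair the way IOS does, first matching entry wins, no match means not encrypted.
"""
import ipaddress
import re

# Constructed sample config modelled on the layout posted in the thread.
# Every address here is a documentation/private placeholder chosen for this
# example; VPNMAP is a placeholder crypto map name.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 match address 121
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 172.16.0.0 255.255.0.0 Serial0/0
access-list 121 deny   ip 192.0.2.0 0.0.0.255 host 172.16.1.254
access-list 121 permit ip 192.0.2.0 0.0.0.255 172.16.0.0 0.0.255.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'.

    Returns ((address_int, wildcard_int), remaining_tokens).
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _matches(operand, ip_int):
    """IOS wildcard semantics: a 1 bit is 'don't care', a 0 bit must match."""
    addr, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int & care) == (addr & care)


def parse_crypto_acl(config, acl_number):
    """Return (action, src_operand, dst_operand) entries of the ACL, in order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != acl_number:
            continue
        action, rest = m.group(2), m.group(3).split()
        src, rest = _parse_operand(rest)
        dst, rest = _parse_operand(rest)
        entries.append((action, src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """True if the crypto map would encrypt a packet src_ip -> dst_ip."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, src, dst in entries:
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False  # implicit deny: the packet is forwarded in the clear


def interface_addresses(config):
    """Map interface name -> primary IPv4 address found in the config."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs


def ping_source_report(config, acl_number, dst_ip):
    """For each interface address, would a ping sourced there take the tunnel?"""
    entries = parse_crypto_acl(config, acl_number)
    return {name: is_interesting(entries, ip, dst_ip)
            for name, ip in interface_addresses(config).items()}


if __name__ == "__main__":
    for iface, encrypted in ping_source_report(SAMPLE_CONFIG, 121, "172.16.1.5").items():
        state = "through the tunnel" if encrypted else "sent in the clear"
        print(f"ping sourced from {iface}: {state}")
```

Against the constructed config the serial address is rejected by ACL 121 and the FastEthernet0/0 address is accepted, which is exactly why the extended ping has to be sourced from the LAN interface. When running this over the real (unsanitized) config, the thing to check is that the source interface chosen for the extended ping sits inside ACL 121's source range and the target inside its destination range; the static route toward Serial0/0 is only the second condition, since the crypto map is applied there, and a route alone never causes encryption.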
