
site-to-site IPsec VPN and router-generated traffic

Hi,

I've just set up a (static) site-to-site IPsec VPN between two IOS routers. It works fine for traffic sent to those routers.

Traffic generated by the routers (i.e. ping or DNS requests) goes into the tunnel with the IP address of the outside interface:

Extract of the config:

interface FastEthernet 0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ...
interface Dialer 0
 ip nat outside
 ...
 crypto map vpn
...
crypto map vpn
 set peer 213.XX.XX.XX
 set transform-set ESP-3DES-SHA1
 match address 124
...
access-list 124 permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
...
ip nat inside source route-map rmap interface Dialer0 overload
...
route-map rmap permit 1
 match ip address 102

And now, to the evidence: pinging from routerB to a host "behind" routerA gives the following debug messages:

000720: *Mar 5 16:12:27.586 PST: IP: tableid=0, s=75.XX.XX.XX (local), d=172.16.10.170 (Dialer0), routed via RIB
000721: *Mar 5 16:12:27.586 PST: IP: s=75.XX.XX.XX (local), d=172.16.10.170 (Dialer0), len 100, sending.

75.XX.XX.XX is the IP address of the outside interface (Dialer0) as given by the ISP.

Any idea how to send router traffic with the 172.16.1.1 IP address?

This is important, as otherwise it isn't possible to use split DNS (as in http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00806bd780.html).

Thanks,

Regards,

Brice


Re: site-to-site IPsec VPN and router-generated traffic

Hi Brice,

Not sure what router traffic you are talking about.

You can specify the source interface for the router traffic (and automatically the traffic assumes the interface IP as source).

For logging:

logging-interface

For tacacs:

tacacs-interface

For SNMP:

snmp-interface

Traceroute and ping commands have source interface parameters configurable.

Please rate if this helped.

Regards,

Daniel
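To illustrate both the question and the reply, here is an added example (not code from the thread): a small Python model of IOS wildcard-mask ACL matching applied to the ACLs Brice posted. It shows why a ping sourced from the Dialer0 address misses crypto ACL 124 and leaves in the clear, while the same ping sourced from the inside interface (172.16.1.1) matches the crypto ACL and is exempted from NAT by the deny in ACL 102. The addresses 75.0.0.1 and 198.51.100.7 are constructed placeholders.

```python
"""Classify router traffic against the posted crypto ACL and NAT route-map.

Constructed example, not from the thread: models IOS wildcard-mask ACL
matching to show why packets sourced from the Dialer0 address miss ACL 124.
"""
from ipaddress import IPv4Address


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bits set to 1 are 'don't care' bits."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(addr)) & care)


# Entries as (action, src, src_wildcard, dst, dst_wildcard), in posted order.
# 'any' is 0.0.0.0 with wildcard 255.255.255.255.
ACL_124 = [("permit", "172.16.1.0", "0.0.0.255", "172.16.10.0", "0.0.0.255")]
ACL_102 = [
    ("deny", "172.16.1.0", "0.0.0.255", "172.16.10.0", "0.0.0.255"),  # NAT exemption
    ("permit", "172.16.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def classify(src: str, dst: str) -> dict:
    """Would the packet be NATed by route-map rmap and/or encrypted by crypto map vpn?

    On IOS, inside-to-outside NAT is applied before the crypto map, so the deny
    in ACL 102 keeps the private source address that ACL 124 expects to see.
    """
    return {
        "natted": acl_lookup(ACL_102, src, dst) == "permit",
        "encrypted": acl_lookup(ACL_124, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Router-generated ping sourced from Dialer0 (constructed public address)
    print(classify("75.0.0.1", "172.16.10.170"))    # neither NATed nor encrypted
    # Same ping with 'ping 172.16.10.170 source 172.16.1.1' (inside interface)
    print(classify("172.16.1.1", "172.16.10.170"))  # exempt from NAT, encrypted
    # Ordinary LAN host to the Internet: NAT applies, no IPsec
    print(classify("172.16.1.50", "198.51.100.7"))  # NATed, not encrypted
```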
