Hi,
I've just set up a (static) site-to-site IPsec VPN between two IOS routers. It works fine for traffic sent to those routers.
Traffic generated by the routers (i.e. ping or DNS requests) goes into the tunnel with the IP address of the outside interface:
Extract of the config:
interface FastEthernet 0
 ! inside interface; host address assumed to be 172.16.1.1 (the extract showed the network address 172.16.1.0, which IOS rejects)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ...
interface Dialer 0
 ip nat outside
 ...
 crypto map vpn
 ...
! sequence number and map type assumed; the extract omits them
crypto map vpn 10 ipsec-isakmp
 set peer 213.XX.XX.XX
 set transform-set ESP-3DES-SHA1
 match address 124
 ...
! crypto ACL: traffic selected for the tunnel
access-list 124 permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
! NAT ACL: VPN traffic is denied here so the route-map does not translate it before encryption
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
...
ip nat inside source route-map rmap interface Dialer0 overload
...
route-map rmap permit 1
 match ip address 102
And now, to the evidence, pinging from routerB to a host "behind" routerA, gives the following debug message:
000720: *Mar 5 16:12:27.586 PST: IP: tableid=0, s=75.XX.XX.XX (local), d=172.16.10.170 (Dialer0), routed via RIB
000721: *Mar 5 16:12:27.586 PST: IP: s=75.XX.XX.XX (local), d=172.16.10.170 (Dialer0), len 100, sending.
75.XX.XX.XX is the IP address of the outside interface (Dialer0) as given by the ISP.
Any idea how to send router traffic with the 172.16.1.1 IP address?
This is important as otherwise it isn't possible to use split DNS (as in http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00806bd780.html)
Thanks,
Regards,
Brice
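The following is an added illustration, not part of Brice's post: a minimal Python model of how the two wildcard-mask ACLs in the extract interact. Inside-to-outside traffic on IOS is evaluated by NAT before the crypto map, which is why ACL 102 denies the VPN subnet pair: a packet the route-map translated to the Dialer0 address would no longer match crypto ACL 124. The model also shows that a packet already sourced from the outside address, like the one in the debug output, matches neither ACL. The outside address 75.0.0.1 and the host 172.16.1.50 / destination 8.8.8.8 are constructed stand-ins; the real Dialer0 address is masked in the post.

```python
# Added example (not from the original post): model IOS wildcard-mask ACL
# evaluation for the NAT route-map (ACL 102) and the crypto ACL (ACL 124).
import ipaddress

# Constructed stand-in for the masked 75.XX.XX.XX Dialer0 address in the post.
OUTSIDE_ADDR = "75.0.0.1"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# ACL entries as (action, src, src_wildcard, dst, dst_wildcard);
# "any" is written as 0.0.0.0 255.255.255.255.
ACL_124 = [  # crypto ACL referenced by "match address 124"
    ("permit", "172.16.1.0", "0.0.0.255", "172.16.10.0", "0.0.0.255"),
]
ACL_102 = [  # NAT ACL referenced by "route-map rmap permit 1 / match ip address 102"
    ("deny", "172.16.1.0", "0.0.0.255", "172.16.10.0", "0.0.0.255"),
    ("permit", "172.16.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def classify(src: str, dst: str):
    """Return (translated_by_nat, selected_by_crypto_map) for a packet leaving Dialer0.

    NAT runs before the crypto map for inside-to-outside traffic, so a packet the
    route-map permits is translated to the Dialer0 address before ACL 124 sees it.
    """
    nat = acl_permits(ACL_102, src, dst)
    src_seen_by_crypto = OUTSIDE_ADDR if nat else src
    crypto = acl_permits(ACL_124, src_seen_by_crypto, dst)
    return nat, crypto


if __name__ == "__main__":
    samples = [
        ("172.16.1.1", "172.16.10.170"),   # router sourced from its inside interface
        ("172.16.1.50", "8.8.8.8"),        # constructed: LAN host to the internet
        (OUTSIDE_ADDR, "172.16.10.170"),   # router sourced from Dialer0, as in the debug
    ]
    for src, dst in samples:
        nat, crypto = classify(src, dst)
        print(f"{src:>14} -> {dst:<14} NAT={'yes' if nat else 'no':<3} tunnel={'yes' if crypto else 'no'}")
```

Run as a script it prints one line per sample; the third line shows the case from the debug output: a source of the outside address is neither translated nor selected by the crypto ACL, because ACL 124 only selects 172.16.1.0/24 sources.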