VPN between a 3030 concentrator and a SOHO97 ADSL router

rj
Level 1

I am setting up an IPSec tunnel between both of these components. I want to be able to send corporate traffic over the tunnel and use Internet access directly from the SOHO. I noticed there is not a route-map statement available for this config. Is this not a supported config on the SOHO97?

Thanks,

RJ

4 Replies

gfullage
Cisco Employee

Not sure why you need a route-map statement for this, for NAT or for IPSec?

You should be able to configure this using either EzVPN with split tunnelling (http://www.cisco.com/warp/public/471/vpn_ios_ezvpn.html) or by configuring a standard crypto map on the router (http://www.cisco.com/warp/public/471/vpn3k_iosdhcp.html), for this one you'll also need a NAT config allowing you to browse the Internet.

Can you provide a bit more detail about what route-map command you're missing and what exactly you're trying to do?

The route-map statement is not available in the IOS image, 12.3(2)T, for the SOHO97. I want to have a LAN-to-LAN IPSec tunnel between the SOHO97 and the 3030 concentrator. If the traffic does not match the access-list, then I want Internet traffic to flow directly from the SOHO97 without going out the router. I have used the route-map statement before in the following manner, like the example in this link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

I want to do this except use the SOHO97 instead of the 827. Is there another way?

Thanks,

RJ

gfullage
Cisco Employee

Hmm, not sure why the route-map isn't there. Do you have a list option on the nat command? The route-map merely references an access-list, and you can usually do this directly from the nat command using this format:

> ip nat inside source list 105 int dialer0 overload

This works just the same way as referencing a route-map that then references an ACL.

I agree. The problem is making the decision whether to go out the tunnel for LAN traffic or receive a NAT for Internet access. Take the following config excerpt:

crypto map test 10 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set dsltest
 match address 101
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105

I did a "debug ip nat" and for this example "ping 192.168.200.1" from a command prompt on a PC with IP address 192.168.100.10 behind the router. NAT is processed before the crypto map statement. So, the icmp echo never starts the isakmp process because 192.168.100.10 is translated to the public IP of dialer1 and it is directed straight out the Internet. The crypto map bound to dialer1 is ignored. I need the route-map bound to ACL 105:

access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any

This way if the traffic is sent towards the private LAN on the other side it will be denied by the first statement of ACL 105 and processed by the crypto map bound to dialer1. If the traffic is sent to any other address, it will be natted and sent out to the Internet.

I am not sure why route-map is not included in the IOS image.

A possible reason:

1. This router was only made for Internet access for a SOHO, or if there is going to be an IPsec tunnel to a corporate network then Internet access would have to be determined by the head end router?

Is there another workaround?

Thanks for the responses,

RJ
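The two points made in the thread fit together: gfullage's reply says the `list` form of `ip nat inside source` can reference an ACL directly when `route-map` is missing from the image, and RJ's last post explains why that ACL must deny the tunnel traffic (inside-to-outside NAT is evaluated before the crypto map, so translated packets never match the crypto ACL and never trigger ISAKMP). The following is an added, illustrative SOHO97-side configuration that combines both, not a config posted in the thread or published by Cisco. It reuses the thread's names and addresses (crypto map `test`, transform-set `dsltest`, peer 30.30.30.30, ACLs 101 and 105, `Dialer1`, the 192.168.100.0/24 and 192.168.200.0/24 networks). The ISAKMP policy parameters, the transform-set ciphers, the `Ethernet0` LAN interface and the `REPLACE_WITH_PSK` key are assumptions; the ATM/PPPoE side that builds `Dialer1` is omitted because the thread does not show it.

```cisco
! Phase 1 policy and pre-shared key for the 3030 concentrator.
! Assumed values: align them with the concentrator's IKE proposal.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 30.30.30.30
!
! Phase 2 transform set (ciphers assumed; name taken from the thread).
crypto ipsec transform-set dsltest esp-3des esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set dsltest
 match address 101
!
! LAN side (interface name assumed). Marked as the NAT inside interface.
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! WAN side: NAT outside and the crypto map live on the same interface,
! which is why the order of operations in the thread matters here.
interface Dialer1
 ip address negotiated
 ip nat outside
 crypto map test
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NAT exemption without a route-map: the "list" keyword references the
! ACL directly. Because NAT runs before the crypto map, the deny line in
! ACL 105 keeps corporate-bound traffic untranslated so it can match ACL 101.
ip nat inside source list 105 interface Dialer1 overload
!
! Crypto ACL: traffic that belongs in the tunnel.
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! NAT ACL: a mirror of ACL 101 as a deny, then translate everything else
! so plain Internet traffic leaves Dialer1 directly (split tunnelling).
access-list 105 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
```

The deny line in ACL 105 and the permit line in ACL 101 must describe the same source/destination pair; if the corporate side later adds a subnet, both ACLs need the matching entry or that subnet's traffic will be translated and sent to the Internet instead of the tunnel. To confirm the behaviour, repeat the test from the thread (ping a 192.168.200.x host from the LAN with `debug ip nat` running): the corporate-bound packet should produce no translation, `show crypto isakmp sa` should show the SA coming up with 30.30.30.30, and `show ip nat translations` should list only the Internet-bound flows.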