Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Weird behaviour of router 871 on VPN tunnel

Hi, I have stablished an VPN tunnel site to site with a cisco 871 to a cisco 2800. Everithing is right and working. So, what's the problem ? Let's see:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 6 ipsec-isakmp

description Numintel

set peer 213.192.208.242

set security-association lifetime seconds 86400

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

hidekeys

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 196.12.229.218 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

ip address 192.169.15.100 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 196.12.229.217

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

!

access-list 1 remark local

access-list 1 permit 192.169.15.0 0.0.0.255

access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

The thing is that when I apply the local access list, lo let the 192.169.15.0 hosts access the internet, I can't reach the other end of the tunnel. ( Say ping to 192.168.3.35 ). When I disable the local access list : access-list 1 permit ip 192.169.15.0 0.0.0.255, the tunnel works. I can access the other end of the tunnel from any of the hosts at 192.169.15.0, but I don't have internet access. Can somebody explain what is happening and how to solve it ? Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Weird behaviour of router 871 on VPN tunnel

Hi,

You have to make IPsec traffic bypass NAT .IPsec traffic needs to be denied in the access list . Use extended access-list for example :

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 permit ip 192.169.15.0 0.0.0.255 any

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpul posts

5 REPLIES
Silver

Re: Weird behaviour of router 871 on VPN tunnel

Hi,

You have to make IPsec traffic bypass NAT .IPsec traffic needs to be denied in the access list . Use extended access-list for example :

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 permit ip 192.169.15.0 0.0.0.255 any

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpul posts

New Member

Re: Weird behaviour of router 871 on VPN tunnel

I'm not understanding you much. You meant I have to change the access-list 100 for this new one and apply it to the cryto map ? Or add it as new ?

Silver

Re: Weird behaviour of router 871 on VPN tunnel

No it is to replace access-list 1 .

you will have to do change in following statement also:

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpful posts

New Member

Re: Weird behaviour of router 871 on VPN tunnel

Thank you now I understand what happens when you do this kind of VPN.

New Member

Re: Weird behaviour of router 871 on VPN tunnel

Why do you PAT all outbound encrypted & unencrypted traffic?

Try using a route-map in your nat overload statement and exclude the 192.168.3.0 and 192.168.4.0 networks.

Create an access-list 110 which denies those two networks and permit everything else

route-map permit 10

match address 110

154
Views
0
Helpful
5
Replies