Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
0
Helpful
6
Replies

Traffic to specific host through tunnel

Go to solution
MercatorIneo
Level 1
Level 1

‎05-30-2015 03:29 AM - edited ‎03-05-2019 01:34 AM

Hello,

 

I've 2 800-serie routers connected to provide VPN tunnel between 2 lans. It works very fine.

For security reason, I have to reach an external host (public ip = a.b.c.d) from the remote branch through the tunnel, so using the public ip address of the central office.

In the router of the remote branch, I've configured this :

 

crypto map staticmap 10 ipsec-isakmp
 set peer x.y.z.t
 set transform-set myset
 match address 101

ip nat inside source list 102 interface Dialer0 overload

access-list 101 remark TRAFFIC FOR TUNNEL
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 host a.b.c.d
access-list 102 remark NO NAT IF TUNNEL
access-list 102 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.4.0 0.0.0.255 host a.b.c.d
access-list 102 permit ip 192.168.4.0 0.0.0.255 any

 

The lan at the remote branch is 192.168.4.0

The lan at the central office is 192.168.2.0

 

My problem is that at the remote branch, the traffic to a.b.c.d seems to go through the WAN interface, not via the tunnel.

traceroute a.b.c.d shows as first step a router at my isp.

 

Thanks in advance for any help.

 

Best regards,

 

Guy

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Norberto Salgado
Level 1
Level 1
In response to MercatorIneo

‎05-31-2015 01:31 AM

   local  ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197

 

Per the output the traffic from 192.168.4.x to a.b.c.d is getting through the tunnel to your Central Site. You need to check what is going on after that. For example, you're allowing from central site IPs with source 192.168.4.x to go to the internet? 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Norberto Salgado
Level 1
Level 1

‎05-30-2015 11:52 AM

In your remote branch router you've a route for a.b.c.d. pointing to your central office?

0 Helpful

Go to solution
MercatorIneo
Level 1
Level 1
In response to Norberto Salgado

‎05-30-2015 11:19 PM

Thanks for your answer.

 

I've already tried with this line or not, in the branch router :

ip route a.b.c.d 255.255.255.255 192.168.2.1

but this does not solve the problem.

 

Regards,

 

Guy

 

0 Helpful

Go to solution
Norberto Salgado
Level 1
Level 1
In response to MercatorIneo

‎05-30-2015 11:58 PM

You've changed the ACL for the crypto map in the Central site router as well?

 

show crypto ipsec sa will help you to troubleshoot it.

0 Helpful

Go to solution
MercatorIneo
Level 1
Level 1
In response to Norberto Salgado

‎05-31-2015 12:49 AM

There is no ACL for the crypto map in the Central site router.

crypto dynamic-map dynmap 20
 set transform-set myset 
 set isakmp-profile L2L_poup
 reverse-route

The "show crypto ipsec sa" commands produces e.g. this :

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer IP_OF_BRANCH port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: IP_OF_CENTRAL, remote crypto endpt.: IP_OF_BRANCH
     plaintext mtu 1422, path mtu 1490, ip mtu 1490, ip mtu idb Dialer0
     current outbound spi: 0x6E0FE597(1846535575)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x189F11BF(413077951)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 477, flow_id: Onboard VPN:477, sibling_flags 80004040, crypto m
ap: clientmap
        sa timing: remaining key lifetime (k/sec): (4171274/1997)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Regards,

Guy

0 Helpful

Go to solution
Norberto Salgado
Level 1
Level 1
In response to MercatorIneo

‎05-31-2015 01:31 AM

   local  ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197

 

Per the output the traffic from 192.168.4.x to a.b.c.d is getting through the tunnel to your Central Site. You need to check what is going on after that. For example, you're allowing from central site IPs with source 192.168.4.x to go to the internet? 

0 Helpful

Go to solution
MercatorIneo
Level 1
Level 1
In response to Norberto Salgado

‎05-31-2015 04:08 AM

Your are right.

This line was missing in the ACL of the "ip nat inside source list 102 interface FastEthernet4 overload" in the central :

access-list 102 permit ip 192.168.4.0 0.0.0.255 any

Many many thanks for your help.

Best regards,

Guy

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card