04-02-2007 03:38 PM - edited 03-09-2019 05:43 PM
I cannot get split tunnel to work on my production router.
Config:
int serial 0/0/0
desc external
ip add x.x.x.x x.x.x.x
ip nat outside
ip virtual-reassembly
crypto map ipsec-map
int fast 0/0
desc internal
ip add y.y.y.y y.y.y.y
ip nat inside
ip virtual-reassembly
ip nat inside source list 101 interface serial 0/0/0 overload
NAT ACL:
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
Crypto map ACL:
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log
I can only get one or the other to work but not together.
Your thoughts are much appreciated. I have read about the order of operations with NAT, but still no dice.
Steve
04-06-2007 06:23 PM
Hi Steve,
I have had a similar problem and got around it by using a NAT pool and route map... this enabled me to split tunnel. Firstly take out your line ip nat source inside list 101 interface serial 0/0/0 overload, then add the following.
ip nat pool 'name of pool' 'ip ext from' 'ip ext to' (can be the same as 'ip ext from') netmask 255.255.255.252
ip nat inside source route-map nonat pool 'name of pool' overload
route-map nonat permit 10
match ip address 101
!
hope it works for you
thanks
Andrew
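The reason the route-map/pool approach works is the order of operations Steve mentions: on an inside-to-outside packet, NAT runs before the crypto map, so any flow the crypto ACL calls interesting must be denied in the NAT ACL or it leaves the router already translated and never matches the crypto ACL. The following added checker (not from the thread or Cisco) applies IOS wildcard-mask matching to both ACLs and reports flows that would be translated before encryption; the "narrow" NAT ACL and the sample flows are constructed for illustration, the other two ACLs are the ones from the original post.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST [log]' where SRC/DST is 'any', 'host X' or 'X WILD'."""
    p = line.split()
    i, out = 4, {"action": p[2]}
    for side in ("src", "dst"):
        if p[i] == "any":
            out[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif p[i] == "host":
            out[side], i = (p[i + 1], "0.0.0.0"), i + 2
        else:
            out[side], i = (p[i], p[i + 1]), i + 2
    return out

def first_match(acl, src, dst):
    """Action of the first matching entry; IOS ends every ACL with an implicit deny."""
    for ace in map(parse_ace, acl):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"

def nat_exemption_gaps(nat_acl, crypto_acl, flows):
    """Flows the crypto ACL wants encrypted but the NAT ACL would still translate.
    NAT runs before crypto inside->outside, so these flows never enter the tunnel."""
    return [(s, d) for s, d in flows
            if first_match(crypto_acl, s, d) == "permit"
            and first_match(nat_acl, s, d) == "permit"]

# ACLs from the original post ('log' keywords dropped; they do not affect matching).
POSTER_NAT_ACL = [
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
]
CRYPTO_ACL = ["access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255"]
# Constructed mistake: NAT exemption covers only 10.10.10.0/24 while the crypto ACL covers 10.10.0.0/16.
NARROW_NAT_ACL = [
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
]
# Constructed sample flows: (inside host, remote host); 203.0.113.9 stands in for an internet host.
FLOWS = [("192.168.2.5", "10.10.10.20"), ("192.168.2.5", "10.10.50.7"), ("192.168.2.5", "203.0.113.9")]
```

Note that the poster's deny entry 10.10.10.0 0.0.255.255 matches the whole 10.10.0.0/16 because the wildcard ignores the third octet, so his two ACLs are consistent; the narrow variant shows what a real mismatch looks like.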
04-06-2007 09:18 AM
This document gives details for your problem.
04-06-2007 09:44 AM
Hi Steve,
what do you mean by split-tunnel? It looks like a L2L tunnel.
Please confirm.
04-07-2007 10:18 AM
It looks like L2L, but my understanding is that if I want to specify certain interesting traffic to go through the tunnel and everything else to be NATed out to the internet, this is referred to as split tunnel?!
If I am mistaken please correct me.
Steve
04-07-2007 10:13 AM
Hi Andrew,
My boss added the route-map statement after reading and troubleshooting.
Although I was able to get this working in the lab environment with "ip nat inside source list", in production it didn't. Not sure if it had something to do with fast ethernet interfaces or serial interfaces; I don't think so.
At any rate, you would have hit the nail on the head had this not been resolved prior to Thursday.
Thanks all for responding.
Steve