2911 router VPN Tunnel and default routing

fdouble08
Level 1

I have a Cisco 2911 that I am configuring for a remote site. I have configured an IPSec Tunnel from our main site (ASA 5510). The Tunnel is up and I can connect from the main site LAN to the address of the 2911 through the IPSec Tunnel. The 2911 is equipped with a 16-port switch service module. The switch is configured with an address and I can open a telnet session to the switch. From that session, I am able to reach hosts on the LAN across the IPSec tunnel. However, when I open a telnet session to the 2911 router, I cannot reach hosts on the main site LAN from that address. When I do, the traffic is sent outside of the tunnel instead of inside it. It works from the service module as traffic between the interfaces has the ACL for interesting traffic applied, but traffic generated from the address of the 2911 router does not seem to get picked up by the ACL on the IPSec tunnel and it is getting the default route applied and going directly to the outside interface instead of to the tunnel. Any ideas on how to make this work?

3 Replies

paolo bevilacqua
Hall of Fame

Seems like you have a configuration problem.

Not seeing your configuration, one cannot say which one.

Config provided.

Here's a twist:

From the CLI on the 2911, if I ping an address that is on the far side of the tunnel, I get no response. If I traceroute to the same address, it reveals that the traffic is not entering the tunnel and is being sent directly to the outside interface (internet). If I issue the ping command and specify the source address as the inside address of the 2911, it gets a response. If I issue the traceroute and specify the source address as the inside address of the 2911, it also completes and reveals that it goes through the tunnel. My problem is that the 2911 router needs to be able to communicate with a RADIUS server that is on the far side of the tunnel, but by default the traffic from the 2911 to the RADIUS server is going to the outside internet interface instead of through the IPSec tunnel.

fdouble08
Level 1

Config follows:

hw-module sm 1
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address 46.21.190.93
!
crypto isakmp client configuration group IPSecTunnel1
 key *****
 dns 46.21.190.93
 domain vlrna.vlrad.loc
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set T-Set ah-sha-hmac esp-aes 256
!
crypto ipsec profile Tunnel1
 set security-association lifetime seconds 3600
!
crypto dynamic-map Tunnel1 1
 set transform-set T-Set
 reverse-route
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to46.21.190.93
 set peer 46.21.190.93
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map Tunnel1 client configuration address respond
crypto map Tunnel1 1 ipsec-isakmp
 set peer 46.21.190.93
 set transform-set T-Set
 match address Tunnel1
crypto map Tunnel1 2 ipsec-isakmp
 set peer 46.21.190.93
 set transform-set T-Set
 match address Tunnel1
!
crypto map crypto-map-1 isakmp authorization list IPSecTunnel1
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 99.50.50.222 255.255.255.240
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet1/0
 description $ETH-LAN$$SWDMADDR:10.10.144.2:80$
 ip address 10.10.144.1 255.255.255.0
 ip helper-address 10.6.24.93
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 99.50.50.209
ip route 10.10.144.0 255.255.255.0 GigabitEthernet1/0
!
ip access-list extended Tunnel1
 permit ip 10.10.144.0 0.0.0.255 any
 permit ip 10.10.144.0 0.0.0.255 172.30.52.0 0.0.0.255
ip access-list extended Tunnel1end
!
access-list 23 permit 10.6.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.144.0 0.0.0.255 10.0.0.0 0.255.255.255
!
control-plane
!
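The behaviour described in the thread (routing first, then the crypto map's match ACL on the egress interface), modelled as an added Python example that is not part of the thread or of any Cisco tooling. The routes and access-list 100 come from the posted config; the far-side host 10.6.24.93 is an assumption standing in for the unnamed RADIUS server, and `router_generated_path` shows why an unsourced packet from the 2911 misses the crypto map while one sourced from 10.10.144.1 enters the tunnel.

```python
import ipaddress

# Added example built from the configuration posted above (not from the
# thread): crypto map SDM_CMAP_1 on Gi0/1 selects traffic with access-list 100.
ROUTES = [  # (prefix, egress interface, interface address); longest prefix wins
    ("10.10.144.0/24", "GigabitEthernet1/0", "10.10.144.1"),
    ("0.0.0.0/0", "GigabitEthernet0/1", "99.50.50.222"),
]
CRYPTO_ACL_100 = [  # (action, src, src wildcard, dst, dst wildcard)
    ("permit", "10.10.144.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
]
# Assumption: the thread names no RADIUS address, so the ip helper-address
# target from the config stands in for the far-side server.
RADIUS_SERVER = "10.6.24.93"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def egress_for(dst):
    """Longest-prefix route lookup; returns (interface, interface address)."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, ifname, ifaddr in ROUTES:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, ifaddr)
    return best[1], best[2]

def crypto_acl_action(acl, src, dst):
    """First-match evaluation, ending in the implicit deny IOS appends."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def router_generated_path(dst, source=None):
    """Fate of a packet the 2911 itself originates (ping, RADIUS request).
    With no explicit source, IOS stamps the egress interface address, so a
    packet leaving Gi0/1 carries 99.50.50.222 and never matches ACL 100."""
    ifname, ifaddr = egress_for(dst)
    src = source or ifaddr
    in_tunnel = (ifname == "GigabitEthernet0/1"
                 and crypto_acl_action(CRYPTO_ACL_100, src, dst) == "permit")
    return src, "IPsec tunnel" if in_tunnel else "clear text via default route"

if __name__ == "__main__":
    print(router_generated_path(RADIUS_SERVER))  # ('99.50.50.222', 'clear text via default route')
    print(router_generated_path(RADIUS_SERVER, source="10.10.144.1"))  # ('10.10.144.1', 'IPsec tunnel')
```

The model covers only the crypto ACL on Gi0/1; on IOS the per-service equivalent of the `ping ... source` workaround the poster found is to bind the service to the inside interface, for example `ip radius source-interface GigabitEthernet1/0`.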
