07-18-2011 01:59 AM - edited 03-04-2019 01:01 PM
Hello,
I have two 881 Routers with IOS 15.1 on it.
I build a VPN Tunnel between them to connect two private Networks
NET "A" 192.168.114.0/24 <> Cisco 881 IPSEC "A" <> Public Network <> Cisco 881 IPSEC "B" <> 192.168.115.0/24 NET "B"
Everything works fine, the tunnel is build and communication from Net A to Net B is fine.
But when I am on the 881 on "B", with local IP 192.168.115.1, I can't reach any IP in Net "A".
It seems that the tunnel is never used when I initiate Traffic direct on the Cisco Device.
The ACCESS statement is "permit IP 192.168.115.0 0.0.0.255 192.168.114.0 0.0.0.255", so I feel that the Cisco device with 192.168.115.1 should use the tunnel. Any idea what's wrong?
Best Regards
Solved! Go to Solution.
07-18-2011 07:51 AM
Devices will source the IP from the egress interface; in your case the router is sourcing the packet from the WAN interface, which is not in the crypto ACL. If you're on the Cisco device and want to use IPSEC to reach the remote LAN, try sourcing the traffic from the LAN interface (ping 192.168.115.y source
Dan
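Added illustration (not from the thread, and not IOS code): a small Python model of the wildcard-mask matching a crypto ACL performs, using the exact ACE the question quotes. It shows why a packet the router sources from its WAN address misses the ACL while the same packet sourced from the VLAN 1 address is classed as interesting traffic. The WAN address 203.0.113.2 is a constructed placeholder.

```python
import ipaddress

# The crypto ACL entry from the question (constructed copy for this example).
CRYPTO_ACL = "permit ip 192.168.115.0 0.0.0.255 192.168.114.0 0.0.0.255"


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def parse_ace(ace: str):
    """Parse 'permit ip SRC SRC_WC DST DST_WC' into ((src, wc), (dst, wc)) integers."""
    parts = ace.lower().split()
    if len(parts) != 6 or parts[0] != "permit" or parts[1] != "ip":
        raise ValueError(f"unsupported ACE: {ace!r}")
    src, src_wc, dst, dst_wc = (_to_int(p) for p in parts[2:6])
    return (src, src_wc), (dst, dst_wc)


def wildcard_match(addr: int, network: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    Setting the don't-care bits on both sides and comparing is equivalent to
    masking them out; 0.0.0.255 therefore matches any host in the /24.
    """
    return (addr | wildcard) == (network | wildcard)


def is_interesting(ace: str, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src -> dst would hit the crypto ACL and be sent through IPsec."""
    (snet, swc), (dnet, dwc) = parse_ace(ace)
    return (wildcard_match(_to_int(src_ip), snet, swc)
            and wildcard_match(_to_int(dst_ip), dnet, dwc))


def classify_router_traffic(ace: str, dst_ip: str, wan_ip: str, lan_ip: str) -> dict:
    """Compare the router's default (egress-interface) source with a LAN-sourced packet."""
    return {
        "egress_interface_source": is_interesting(ace, wan_ip, dst_ip),
        "lan_interface_source": is_interesting(ace, lan_ip, dst_ip),
    }


if __name__ == "__main__":
    # Router B pinging the NTP server on LAN A (192.168.114.211, from the thread).
    result = classify_router_traffic(CRYPTO_ACL, "192.168.114.211", "203.0.113.2", "192.168.115.1")
    for name, encrypted in result.items():
        print(f"{name}: {'matches crypto ACL, encrypted' if encrypted else 'no ACL hit, not tunnelled'}")
```

The same logic explains why `ntp source vlan 1` and `ip domain-lookup source-interface vlan 1` fix NTP and DNS: they move the packet's source into the range the ACL permits.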
07-18-2011 11:09 AM
Hi Phillip,
Add these to the IOS config:
ntp source vlan 1
ip domain-lookup source-interface vlan 1
I believe this should fix your issue.
Dan
07-18-2011 10:42 AM
Hi Dan!
Your solution hit my question! Thanks a lot. I now understand what's going on.
Let me be Barefaced:
the source of the problem was that I have some standard statements, i.e.
ip name server 192.168.114.212
ntp server 192.168.114.211
and these servers are on LAN "A".
So the router on LAN "B" never reaches these servers.
Sad enough that I can't add the "source vlan 1" to those statements.
Is there any solution for that Problem you or someone knows?
07-18-2011 07:56 AM
Hello Phillip,
A tunnel is up if interesting traffic passes through it, and since you see the tunnel to be up there should be something else that needs to be checked.
Since the scenario you mentioned does not seem to capture the whole picture to me, I would suggest checking the ACLs to see if you observe hits.
07-18-2011 02:34 PM
Phillip
Dan is pointing you in the right direction so + 5 for him from me.
It does not work for everything, but for many of the packets that originate from a router you are able to specify a source interface address. This works for syslog, for TACACS, for TFTP or FTP, and many of the functions that the router needs to perform.
HTH
Rick
07-18-2011 10:08 PM
Thanks a lot to everyone for your quick and qualified answers!
In the end Dan pointed me in the right direction and knew the correct solution.
You helped a beginner a lot.