Access Remote IP from a Cisco behind an Site to Site VPN tunnel

tnt
Level 1

Hello,

I have two 881 routers with IOS 15.1 on them.

I built a VPN tunnel between them to connect two private networks:

NET "A" 192.168.114.0/24 <> Cisco 881 IPSEC "A" <> Public Network <> Cisco 881 IPSEC "B" <> 192.168.115.0/24 NET "B"

Everything works fine, the tunnel is built and communication from Net A to Net B is fine.

But when I am on the 881 on "B", with local IP 192.168.115.1, I can't reach any IP in Net "A".

It seems that the tunnel is never used when I initiate traffic directly on the Cisco device.

The access statement is "permit ip 192.168.115.0 0.0.0.255 192.168.114.0 0.0.0.255", so I feel that the Cisco device with 192.168.115.1 should use the tunnel. Any idea what's wrong?

Best regards

6 Replies

Dan Frey
Cisco Employee

Devices will source the IP from the egress interface; in your case the router is sourcing the packet from the WAN interface, which is not in the crypto ACL. If you're on the Cisco device and want to use IPsec to reach the remote LAN, try sourcing the traffic from the LAN interface (ping 192.168.115.y source ).

Dan

Hi Dan!

Your solution hit my question! Thanks a lot. I now understand what's going on.

Let me be barefaced:

the source of the problem was that I have some standard statements, i.e.

ip name-server 192.168.114.212

ntp server 192.168.114.211

and these servers are on LAN "A".

So the router on LAN "B" never reaches these servers.

Sad enough that I can't add the "source vlan 1" to those statements.

Is there any solution for that problem that you or someone else knows?

CiscoIsInYou
Level 1

Hello Phillip,

A tunnel is up if interesting traffic passes through it, and since you see the tunnel to be up, there should be something else that needs to be checked.

Since the scenario you mentioned seems not to capture the whole picture to me, I would suggest checking the ACLs to see if you observe hits.

Hi Phillip,

Add these to the IOS config:

ntp source vlan 1

ip domain-lookup source-interface vlan 1

I believe this should fix your issue.

Dan

Phillip

Dan is pointing you in the right direction so + 5 for him from me.

It does not work for everything, but for many of the packets that originate from a router you are able to specify a source interface address. This works for syslog, for TACACS, for TFTP or FTP, and many of the functions that the router needs to perform.

HTH

Rick


Thanks a lot to everyone for your quick and qualified answers!

In the end Dan pointed me in the right direction and in the end knew the correct solution.

You helped a beginner a lot.
