Routing traffic out of the source interface which is also IPsec crypto-map interface

Tom Teunissen · ‎02-03-2010

Hi

(see below image) I'm trying to establish correct routing from my company towards some machines at a clients site. The LAN-2-LAN tunnel gets established from xxx.244.260.176 towards mycompany router at the clients' site on the other end nnn.211.0.54. My servers in segment interesting traffic A is reachable. However servers in segment B are not.

Routing should be as far as I know, as follows:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route nnn.211.0.0 255.255.0.0 nnn.211.0.53
ip route 192.168.56.0 255.255.255.0 FastEthernet0/0
ip route 192.168.57.0 255.255.255.0 FastEthernet0/0
ip route 192.168.58.0 255.255.255.0 FastEthernet0/0
ip route 192.168.60.0 255.255.255.0 nnn.211.0.53

Currently we connect to the servers via a fiber connection that is to be dismantled shortly, it is connected via interface FastEthernet0/0. In this setup segment B is reachable.

I hope you can help me, I think I've tried everything, am I overlooking something?

Thanks in advance!

With kind regards, Tom

Jon Marshall · ‎02-04-2010

tom.teunissen@capgemini.com

Hi

(see below image) I'm trying to establish correct routing from my company towards some machines at a clients site. The LAN-2-LAN tunnel gets established from xxx.244.260.176 towards mycompany router at the clients' site on the other end nnn.211.0.54. My servers in segment interesting traffic A is reachable. However servers in segment B are not.

Routing should be as far as I know, as follows:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route nnn.211.0.0 255.255.0.0 nnn.211.0.53
ip route 192.168.56.0 255.255.255.0 FastEthernet0/0
ip route 192.168.57.0 255.255.255.0 FastEthernet0/0
ip route 192.168.58.0 255.255.255.0 FastEthernet0/0
ip route 192.168.60.0 255.255.255.0 nnn.211.0.53

Currently we connect to the servers via a fiber connection that is to be dismantled shortly, it is connected via interface FastEthernet0/0. In this setup segment B is reachable.

I hope you can help me, I think I've tried everything, am I overlooking something?

Thanks in advance!

With kind regards, Tom

Tom

It's not entirely clear what your'e problem is.

Do you want to use the VPN tunnel to get to site B ie. 192.168.60.0 or do you just want to route traffic direct.

If you want to route traffic direct then does it need to be in an IPSEC tunnel or not ?

There is no reason why you cannot send 192.168.56/57/58 traffic down the IPSEC tunnel and then 192.168.60.0 traffic not down the tunnel. This is nothing to do with routing and is to do with the crypto map access-lists.

Perhaps you clarify exactly what the problem is ?

Jon

Tom Teunissen · ‎02-04-2010

Hi,

Of course I'll try to explain:

My company manages several servers in interesting traffic segment A and B at the client site. These should be reachable from my company. Our management servers like HPOV and CiscoWorks are in the range xxx.28.206.0 /24 and management users, for setting up rdp sessions or https ilo/drac sessions, receive a PAT address xxx.28.206.254. All traffic is being tunneled between our site and the customers' site.

!!! The cloud is not a WAN cloud but the internet, thus VPN/L2L tunnel is required !!!

The tunnel itself works; I can connect to segment A, but when routed back towards the source interface all fails.

I have an access-list on the interface loggingonly permits, so the packets are sent.

A trace shows only next hop nnn.211.0.53.

Ping from the nnn.211.0.54 router towards nnn.211.4.85 is successful.

However, this address doen't show in the ARP table.

... :'(

Regards, Tom