05-30-2015 03:29 AM - edited 03-05-2019 01:34 AM
Hello,
I've 2 800-serie routers connected to provide VPN tunnel between 2 lans. It works very fine.
For security reason, I have to reach an external host (public ip = a.b.c.d) from the remote branch through the tunnel, so using the public ip address of the central office.
In the router of the remote branch, I've configured this :
crypto map staticmap 10 ipsec-isakmp
set peer x.y.z.t
set transform-set myset
match address 101
ip nat inside source list 102 interface Dialer0 overload
access-list 101 remark TRAFFIC FOR TUNNEL
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 host a.b.c.d
access-list 102 remark NO NAT IF TUNNEL
access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.4.0 0.0.0.255 host a.b.c.d
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
The lan at the remote branch is 192.168.4.0
The lan at the central office is 192.168.2.0
My problem is that at the remote branch, the traffic to a.b.c.d seems to go through the WAN interface, not via the tunnel.
traceroute a.b.c.d shows as first step a router at my isp.
Thanks in advance for any help.
Best regards,
Guy
Solved! Go to Solution.
05-31-2015 01:31 AM
local ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197
Per the output the traffic from 192.168.4.x to a.b.c.d is getting through the tunnel to your Central Site. You need to check what is going on after that. For example, you're allowing from central site IPs with source 192.168.4.x to go to the internet?
05-30-2015 11:52 AM
In your remote branch router you've a route for a.b.c.d. pointing to your central office?
05-30-2015 11:19 PM
Thanks for your answer.
I've already tried with this line or not, in the branch router :
ip route a.b.c.d 255.255.255.255 192.168.2.1
but this does not solve the problem.
Regards,
Guy
05-30-2015 11:58 PM
You've changed the ACL for the crypto map in the Central site router as well?
show crypto ipsec sa will help you to troubleshoot it.
05-31-2015 12:49 AM
There is no ACL for the crypto map in the Central site router.
crypto dynamic-map dynmap 20
set transform-set myset
set isakmp-profile L2L_poup
reverse-route
The "show crypto ipsec sa" commands produces e.g. this :
protected vrf: (none)
local ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer IP_OF_BRANCH port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: IP_OF_CENTRAL, remote crypto endpt.: IP_OF_BRANCH
plaintext mtu 1422, path mtu 1490, ip mtu 1490, ip mtu idb Dialer0
current outbound spi: 0x6E0FE597(1846535575)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x189F11BF(413077951)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 477, flow_id: Onboard VPN:477, sibling_flags 80004040, crypto m
ap: clientmap
sa timing: remaining key lifetime (k/sec): (4171274/1997)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
Regards,
Guy
05-31-2015 01:31 AM
local ident (addr/mask/prot/port): (a.b.c.d/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 197, #pkts decrypt: 197, #pkts verify: 197
Per the output the traffic from 192.168.4.x to a.b.c.d is getting through the tunnel to your Central Site. You need to check what is going on after that. For example, you're allowing from central site IPs with source 192.168.4.x to go to the internet?
05-31-2015 04:08 AM
Your are right.
This line was missing in the ACL of the "ip nat inside source list 102 interface FastEthernet4 overload" in the central :
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
Many many thanks for your help.
Best regards,
Guy
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide