All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

zimengcao
Level 1

Hi, all,

  I have seen a good post on google.com about how to send all the clients' traffic through the IPsec tunnel and then out to the Internet from the main site. I am attaching this configuration and application for discussion. The problem is that I am still confused by the configuration on the main site; I hope someone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!

Quote:

Question:

Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route through the tunnel up to Dallas, then out to the Internet.

Dallas (Main) Lan Net is: 10.10.200.0/24

Austin (Remote) LAN Net is: 10.20.2.0/24

The Dallas (Main) site has a VPN config of:

Local Net: 0.0.0.0/0

Remote Net: 10.20.2.0/24

The Austin (Remote) site has a VPN config of:

Local Net: 10.20.2.0/24

Remote Net: 0.0.0.0/0

The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.

I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?

Answer:

Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.

Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.

My question:

The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network."  What does this mean, and how do I do it?  Could anybody give me the specific configuration?  Thanks a lot.

6 Replies

Jouni Forss
VIP Alumni

To give a specific configuration, we would have to see your current configurations.

It's impossible to give a specific configuration when we don't know your device, its software level, the existing NAT configuration, etc.

- Jouni

Thank you for your reply, Jouni. The following is the configuration on the Cisco 2800 router (no firewall enabled):

! ISAKMP (IKEv1) phase 1 policy
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
! wildcard pre-shared key: any peer address may use it (key shown as x.x.x in the post)
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
! IPsec phase 2 transform set
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
!
! dynamic crypto map: the remote side initiates; interesting traffic is ACL 102
crypto dynamic-map IPsecdyn 100
 set transform-set IPsectrans
 match address 102
!
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
!
! main-site LAN address
interface Loopback1
 ip address 10.10.200.1 255.255.255.0
!
! WAN interface: NAT outside, crypto map applied here
interface FastEthernet0/0
 ip address 113.113.1.1 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPsecmap
!
! local LAN interface: NAT inside
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 113.113.1.2
!
ip http server
no ip http secure-server
! PAT of the ACL 100 sources behind the WAN interface address
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! NAT source ACL: only the local 192.168.1.0/24 LAN; the remote 10.20.2.0/24 is not listed
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! crypto ACL: anything destined to the Austin LAN goes into the tunnel
access-list 102 permit ip any 10.20.2.0 0.0.0.255
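A way to check a configuration like the one above for the gap the quoted answer describes (the remote LAN is not a source the NAT rule translates), as an added example that is not part of this thread and not a Cisco tool. It parses the posted config (trimmed to the NAT, crypto and interface lines and embedded as a constructed sample), lists the tunnel subnets that the NAT ACL does not cover, and also reports which NAT domain the crypto-map interface is in, since on an IOS router in classic inside/outside NAT the decrypted tunnel traffic enters an `ip nat outside` interface and an inside-to-outside rule will not translate it even once the ACL lists the remote subnet. The FIXED_CONFIG variant is an assumption added for comparison, not something from the thread.

```python
"""Lint a Cisco IOS config for the hairpin-NAT gap discussed in this thread.
Added example, not code from the thread or from Cisco.  POSTED_CONFIG is the
posted router config trimmed to the relevant lines; FIXED_CONFIG is a
constructed assumption that adds the remote LAN to the NAT source ACL."""
import ipaddress
import re

POSTED_CONFIG = """\
crypto dynamic-map IPsecdyn 100
 set transform-set IPsectrans
 match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
 ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
 ip address 113.113.1.1 255.255.255.128
 ip nat outside
 crypto map IPsecmap
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
"""
# Constructed variant (assumption): NAT ACL also lists the Austin LAN.
FIXED_CONFIG = POSTED_CONFIG + "access-list 100 permit ip 10.20.2.0 0.0.0.255 any\n"


def wildcard_network(addr, wildcard):
    """IOS 'address wildcard' -> network.  ipaddress accepts hostmasks such as
    0.0.0.255, but reads 0.0.0.0 and 255.255.255.255 as netmasks, so handle
    those two explicitly."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(addr + "/32")
    if wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def acl_operand(tokens):
    """Consume one address operand: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config):
    """{acl_number: [(action, src_net, dst_net), ...]} for numbered extended
    ACLs.  Port qualifiers after the destination are ignored."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) \S+ (.*)$", config, re.M):
        number, action, rest = m.groups()
        src, rest = acl_operand(rest.split())
        dst, _ = acl_operand(rest)
        acls.setdefault(int(number), []).append((action, src, dst))
    return acls


def parse_interfaces(config):
    """{name: {'nat': 'inside'|'outside'|'enable'|None, 'crypto_map': name|None}}"""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"nat": None, "crypto_map": None}
        elif current and line.startswith(" "):  # interface sub-command
            words = line.split()
            if words[:2] == ["ip", "nat"]:
                interfaces[current]["nat"] = words[2]
            elif words[:2] == ["crypto", "map"]:
                interfaces[current]["crypto_map"] = words[2]
    return interfaces


def hairpin_report(config):
    """Tunnel subnets missing from the NAT source ACL, plus the NAT domain of
    the interface where the decrypted tunnel traffic enters the router."""
    acls, interfaces = parse_acls(config), parse_interfaces(config)
    # Remote LANs are the destinations permitted by the crypto ACL(s).
    crypto_ids = {int(n) for n in re.findall(r"^ match address (\d+)", config, re.M)}
    remote = {dst for n in crypto_ids for act, _, dst in acls.get(n, []) if act == "permit"}
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+)", config, re.M)
    nat_acl = int(nat.group(1)) if nat else None
    nat_sources = [src for act, src, _ in acls.get(nat_acl, []) if act == "permit"]
    missing = sorted(str(r) for r in remote if not any(r.subnet_of(s) for s in nat_sources))
    crypto_if = next((n for n, i in interfaces.items() if i["crypto_map"]), None)
    return {
        "nat_acl": nat_acl,
        "remote_subnets": sorted(str(r) for r in remote),
        "missing_from_nat": missing,
        "crypto_interface": crypto_if,
        "crypto_interface_nat_role": interfaces[crypto_if]["nat"] if crypto_if else None,
    }


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        report = hairpin_report(cfg)
        print(label, report)
        if report["crypto_interface_nat_role"] == "outside":
            print("  note: decrypted tunnel traffic enters", report["crypto_interface"],
                  "(ip nat outside); classic inside->outside NAT does not translate",
                  "outside->outside flows, so the ACL entry alone is not enough on IOS")
```

Run it as-is: the posted config reports `10.20.2.0/24` missing from ACL 100, the fixed variant reports nothing missing, and both print the note about the crypto map sitting on the `ip nat outside` interface, which is the part of the problem the linked packetu post deals with and which the quoted firewall answer never had to face.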

Hi,

I think the text you refer to might be about Cisco ASA NAT configurations and not Cisco IOS routers.

You could take a look at this post on a different site which seems to lab the setup you are trying to implement

http://www.packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/

- Jouni

Jouni Forss, thank you; you gave me the best answer. I have searched the website and tested on my router time and again but still failed; now I know that only the ASA can reach this goal. Thank you for giving me the post link for reference.

BR,

zi

Hi,

It seems to me that the link I gave could be applied to your situation, since it uses IOS routers.

Personally, I have tested this only with ASAs, so that is why I only provided a link as a guide.

If you have indeed found the information helpful, you can always rate the answer.

For me to be able to give you a configuration, I would have to lab this first at some point.

- Jouni

Thank you very much. I think the first thing I need to do is get the thread clear and then try and test it on the router. Your mention of it gave me a good idea.

BR,

zi
