06-22-2005 07:04 AM - edited 02-21-2020 01:50 PM
At the moment I have a test setup:
- Main office Cisco 1841 (LAN 206.182.115.0/24)
- Remote office Cisco 831 (LAN 192.168.10.0/24)
There is a VPN tunnel between both, but only traffic for the main office (206.182.115.x) is going over the VPN tunnel. How do I configure this so that all traffic from the remote office is going over the VPN tunnel? I've tried to change the ACL but without success.
Config 831:
!This is the running config of the router: 192.168.10.1
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SP_BARCA
!
no logging buffered
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
no aaa new-model
ip subnet-zero
ip domain name ke.local
ip name-server 193.121.171.135
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool CLIENT
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
domain-name ke.local
dns-server 206.182.115.4 206.182.115.12
netbios-name-server 206.182.115.4
lease 8
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 xxxxxxxx address 81.188.68.164
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to81.188.68.164
set peer 81.188.68.164
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
description $ETH-WAN$
ip address 195.207.53.12 255.255.255.248
ip nat outside
duplex auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1 permanent
ip http server
no ip http secure-server
!
access-list 23 remark SDM_ACL Category=16
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 206.182.115.0 0.0.0.255
access-list 102 remark SDM_ACL Category=16
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.10.0 0.0.0.255 206.182.115.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
06-22-2005 07:29 AM
It's your ACLs which need some modification:
on the 1841 your ACL must be the reverse of the 831 like this:
access-list 100 permit ip any 192.168.10.0 0.0.0.255
on the 831 your ACL must be a "LAN to any" like this:
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Is this what you have already tried?
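The catch behind the "LAN to any" change is the NAT exemption (route-map SDM_RMAP_1 / ACL 102) on the 831: on IOS, inside-to-outside NAT runs before the crypto map ACL is consulted, so a flow that is still translated to the Ethernet1 address no longer matches ACL 100 and leaves in the clear. The following Python model, an added example that is not from the thread or from Cisco, walks the posted ACLs and the widened ones through that order; the host and internet addresses are constructed, and widening ACL 102 to "deny LAN to any" assumes the main office then provides internet access for the remote LAN.

```python
# Added example: models IOS outbound processing on the 831's Ethernet1.
# Inside->outside NAT (route-map SDM_RMAP_1, ACL 102) is applied BEFORE the
# crypto map ACL (ACL 100) is checked, so any flow that is still NATted will
# not match the crypto ACL and is sent unencrypted.
import ipaddress

WAN_IP = "195.207.53.12"  # Ethernet1 address used by "ip nat ... overload"

def matches(ace, src, dst):
    """ace = (action, src_net, dst_net); nets are CIDR strings or 'any'."""
    def in_net(net, ip):
        return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return in_net(ace[1], src) and in_net(ace[2], dst)

def acl_permits(acl, src, dst):
    """First-match semantics with the implicit deny at the end of an IOS ACL."""
    for ace in acl:
        if matches(ace, src, dst):
            return ace[0] == "permit"
    return False

def outbound(crypto_acl, nat_acl, src, dst):
    """Return ('encrypted'|'clear', source address seen on the wire)."""
    if acl_permits(nat_acl, src, dst):   # route-map permitted -> PAT to WAN IP
        src = WAN_IP
    if acl_permits(crypto_acl, src, dst):
        return "encrypted", src
    return "clear", src

# ACLs as posted (wildcard masks written as prefix lengths)
CRYPTO_ORIG = [("permit", "192.168.10.0/24", "206.182.115.0/24")]
NAT_ORIG = [("deny", "192.168.10.0/24", "206.182.115.0/24"),
            ("permit", "192.168.10.0/24", "any")]
# Crypto ACL changed to "LAN to any" as suggested, NAT exemption left alone
CRYPTO_ANY = [("permit", "192.168.10.0/24", "any")]
# NAT exemption widened to match (assumption: the main office then
# provides internet access for the remote LAN)
NAT_ANY = [("deny", "192.168.10.0/24", "any")]

def check_all():
    # Constructed sample flows: a LAN host to a main-office server and to the
    # name server on the internet.
    host, hq, inet = "192.168.10.50", "206.182.115.4", "193.121.171.135"
    return {
        "orig_hq": outbound(CRYPTO_ORIG, NAT_ORIG, host, hq),
        "orig_inet": outbound(CRYPTO_ORIG, NAT_ORIG, host, inet),
        "any_inet_nat_kept": outbound(CRYPTO_ANY, NAT_ORIG, host, inet),
        "any_inet_nat_exempt": outbound(CRYPTO_ANY, NAT_ANY, host, inet),
    }
```

With the crypto ACL widened but ACL 102 unchanged, internet-bound traffic is still PATted to 195.207.53.12 and goes out in the clear; only after ACL 102 is also changed to deny the whole LAN does it enter the tunnel.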