06-09-2005 05:32 AM - edited 02-21-2020 01:49 PM
I configured a site-to-site VPN to connect a subsidiary office to the main office via a DSL link; the subsidiary has an 837 DSL router, the main office has a PIX 506E.
The VPN connection is OK and traffic is going through; my problem is that for each connection coming from the subsidiary to the main office, the source IP address is the public IP address of the DSL router.
Example, where the subsidiary LAN would be 10.0.0.0/24 and the subsidiary's public DSL IP would be 200.1.1.1:
traffic coming from 10.0.0.1 has 200.1.1.1 as source
traffic coming from 10.0.0.2 has 200.1.1.1 as source
traffic coming from 10.0.0.3 has 200.1.1.1 as source
I need to have:
traffic coming from 10.0.0.1 has 10.0.0.1 as source
traffic coming from 10.0.0.2 has 10.0.0.2 as source
.....
I guess I did something stupid and forgot a NAT detail somewhere; here is the 837 DSL config:
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 ******** address ************
!
crypto ipsec transform-set ***** esp-des esp-md5-hmac
!
crypto map ******** 20 ipsec-isakmp
 set peer ******************
 set transform-set *********
 match address 122
!
interface Ethernet0
 ip address 10.21.32.253 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address ************* *****************
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****************************
 ppp chap password ******************************
 ppp pap sent-username *****************************
 crypto map ********************
 hold-queue 224 in
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.20.1.0 255.255.255.0 10.21.32.254
ip route 172.21.32.0 255.255.255.0 10.21.32.1
ip http server
no ip http secure-server
!
access-list 23 permit 10.21.32.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 172.21.32.0 0.0.0.255
access-list 23 permit 172.20.1.0 0.0.0.255
access-list 102 permit ip 10.21.32.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 122 permit ip any any
access-list 122 permit icmp any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 102 23
Any advice welcome, thank you in advance.
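The behaviour in the post follows from the IOS order of operations on the inside-to-outside path: NAT (inside local to global translation) runs before the crypto map is consulted. The posted `ip nat inside source route-map nonat interface Dialer1 overload` translates every packet the route-map matches, and because ACL 102/23 permit the whole inside network to `any`, packets bound for the main office are PAT'd to the Dialer1 address first. The crypto ACL 122 is `permit ip any any`, so the already-translated packet still matches the crypto map and is encrypted, which is exactly why the PIX sees the public DSL address as the source. The usual fix is to exempt VPN-bound traffic from NAT (deny it in the NAT ACL before the permit) and to make the crypto ACL name the exact network pairs. The following is an added example, not configuration from the original post or from the reply below; the main-office LAN 192.168.100.0/24 and the PIX ACL names are assumptions, the branch networks are taken from the posted ACL 23.

```cisco
! Added example: corrected NAT exemption and crypto ACL for the 837.
! Assumption: main-office LAN behind the PIX is 192.168.100.0/24.
!
! --- Before (as posted): every inside packet is PAT'd, then encrypted ---
! ip nat inside source route-map nonat interface Dialer1 overload
! route-map nonat permit 10
!  match ip address 102 23
! access-list 102 permit ip 10.21.32.0 0.0.0.255 any
! access-list 122 permit ip any any      <- crypto ACL; also matches the PAT'd packet
!
! --- After ---
! 1. NAT policy ACL: deny VPN-bound traffic FIRST, then permit Internet-bound traffic.
!    A packet denied by the ACL does not match the route-map clause, so it is never
!    translated and reaches the crypto map with its real 10.x/172.x source address.
no access-list 102
access-list 102 remark NAT policy: branch LANs to Internet only, VPN traffic exempt
access-list 102 deny   ip 10.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 172.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 172.20.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 10.21.32.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 172.21.32.0 0.0.0.255 any
access-list 102 permit ip 172.20.1.0 0.0.0.255 any
!
! One extended ACL is enough; the standard ACL 23 is no longer referenced.
route-map nonat permit 10
 match ip address 102
!
! ip nat inside source route-map nonat interface Dialer1 overload   (unchanged)
!
! 2. Crypto ACL: this is a proxy identity, not a filter. Name the exact network
!    pairs to protect. "permit ip any any" offers every packet to the tunnel.
no access-list 122
access-list 122 remark IPsec proxy ID: branch LANs to main-office LAN
access-list 122 permit ip 10.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 172.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 172.20.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! 3. Flush stale state (exec mode) so old PAT entries and the wide SAs are rebuilt:
!    clear ip nat translation *
!    clear crypto sa
!
! 4. Verify with a branch host (e.g. 10.21.32.10) pinging 192.168.100.10:
!    show ip nat translations   <- must show NO entry for 10.21.32.10 -> 192.168.100.10
!    show crypto ipsec sa       <- local ident 10.21.32.0/24, remote ident 192.168.100.0/24,
!                                  and #pkts encaps/decaps increasing
!
! --- Mirror on the PIX 506E (PIX 6.x syntax; assumed names and main-office LAN) ---
! Same exemption on the other side: its inside hosts must not be translated towards
! the branch, and its crypto ACL must be the exact mirror (source/destination swapped).
! access-list nonat    permit ip 192.168.100.0 255.255.255.0 10.21.32.0 255.255.255.0
! access-list tobranch permit ip 192.168.100.0 255.255.255.0 10.21.32.0 255.255.255.0
! (repeat both lines for 10.10.10.0, 172.21.32.0 and 172.20.1.0)
! nat (inside) 0 access-list nonat
! crypto map <mapname> 20 match address tobranch
```

The deny-before-permit ordering in ACL 102 is what does the work: IOS evaluates the NAT route-map on the untranslated packet, and only traffic that is still permitted there is given a PAT entry. Dropping the two `permit icmp any any` lines is deliberate; in 122 it was redundant with `permit ip any any`, and in 102 it translated ICMP from any source, including the VPN-bound pings used to test the tunnel.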
06-09-2005 07:04 AM
You have posted this same question in the Service Provider / VPN Service Architecture forum where I have posted an answer. I suggest that we consolidate the discussion in that forum.
HTH
Rick