site-to-site VPN : source IP is the DSL IP instead of the host LAN IP

pwitecki
Level 1

I configured a site-to-site VPN to connect a subsidiary office to the main office via a DSL link; the subsidiary has an 837 DSL router, the main office has a PIX 506E.

The VPN connection is OK and traffic is going through; my problem is that for each connection coming from the subsidiary to the main office, the source IP address is the public IP address of the DSL router.

Example, where the subsidiary LAN is 10.0.0.0/24 and the subsidiary public DSL IP is 200.1.1.1:

traffic coming from 10.0.0.1 has 200.1.1.1 as source
traffic coming from 10.0.0.2 has 200.1.1.1 as source
traffic coming from 10.0.0.3 has 200.1.1.1 as source

I need to have:

traffic coming from 10.0.0.1 has 10.0.0.1 as source
traffic coming from 10.0.0.2 has 10.0.0.2 as source
.....

I guess I did something stupid and forgot a NAT detail somewhere; here is the DSL 837 config:

crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 ******** address ************
!
crypto ipsec transform-set ***** esp-des esp-md5-hmac
!
crypto map ******** 20 ipsec-isakmp
 set peer ******************
 set transform-set *********
 match address 122
!
interface Ethernet0
 ip address 10.21.32.253 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address ************* *****************
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****************************
 ppp chap password ******************************
 ppp pap sent-username *****************************
 crypto map ********************
 hold-queue 224 in
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.20.1.0 255.255.255.0 10.21.32.254
ip route 172.21.32.0 255.255.255.0 10.21.32.1
ip http server
no ip http secure-server
!
access-list 23 permit 10.21.32.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 172.21.32.0 0.0.0.255
access-list 23 permit 172.20.1.0 0.0.0.255
access-list 102 permit ip 10.21.32.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 122 permit ip any any
access-list 122 permit icmp any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 102 23

Any advice welcome, thank you in advance.
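Why the posted config produces exactly the symptom described, and one way to correct it on the 837, as an added example that is not part of the original post and not an answer from the thread. On IOS, NAT for inside-to-outside traffic is applied before the crypto map on the outside interface. A packet from 10.21.32.x toward the main office is therefore first translated to the Dialer1 address by the nonat route-map (ACL 102 permits 10.21.32.0/24 to any, and the standard ACL 23 permits every inside source regardless of destination), and only then checked against crypto ACL 122, whose "permit ip any any" happily encrypts it with the public source address. The fix is to deny VPN-bound traffic in the NAT ACL before the permit lines, drop ACL 23 from the route-map (a route-map with several ACLs matches if any of them permits, so ACL 23 would re-admit the traffic to translation), and make the crypto ACL specific. The main-office LAN 192.168.100.0/24 and peer address 203.0.113.1 are assumptions for this example, since the post masks them; the subsidiary networks are the ones in the posted config, and the ISAKMP/IPsec settings are left unchanged.

```cisco
! Assumed for this example (the post masks them):
!   main-office LAN  = 192.168.100.0/24
!   PIX 506E peer IP = 203.0.113.1
!
! Crypto ACL: only subsidiary-to-main-office traffic is "interesting".
! The posted "access-list 122 permit ip any any" tries to tunnel everything,
! Internet traffic included, and would have to be mirrored exactly on the PIX.
no access-list 122
access-list 122 permit ip 10.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! NAT ACL: deny VPN-bound traffic BEFORE any permit line. IOS runs
! inside-to-outside NAT before the crypto map, so without these denies the
! packet reaches ACL 122 already carrying the Dialer1 address.
! The extra permits reproduce what ACL 23 used to allow for the other
! inside networks, so their Internet access keeps working.
no access-list 102
access-list 102 deny   ip 10.21.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 10.21.32.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 172.21.32.0 0.0.0.255 any
access-list 102 permit ip 172.20.1.0 0.0.0.255 any
access-list 102 permit icmp any any
!
! Route-map: match on the extended ACL only. With "match ip address 102 23",
! a packet denied by 102 but permitted by the source-only ACL 23 is still
! translated.
route-map nonat permit 10
 no match ip address
 match ip address 102
!
! The crypto map still references ACL 122 (unchanged):
!   crypto map <name> 20 ipsec-isakmp
!    set peer 203.0.113.1
!    match address 122
!
! Translations and SAs built with the public source must be flushed
! (exec mode, not config mode):
!   clear ip nat translation *
!   clear crypto sa
```

Two things to check afterwards. On the PIX side the crypto ACL must be the exact mirror of ACL 122 (192.168.100.0/24 to the two subsidiary networks) and the PIX needs its own NAT exemption for that traffic (nat (inside) 0 access-list with the same mirror), otherwise the return path breaks in the same way. If the 172.20.1.0/24 and 172.21.32.0/24 networks behind the 837 are also meant to reach the main office through the tunnel, they need the same deny-in-102 / permit-in-122 pair. Separately, the posted transform set (esp-des esp-md5-hmac, ISAKMP hash md5) is kept as-is above so the example changes only the NAT and crypto ACLs; DES and MD5 are weak by today's standards, and 3DES or AES with SHA is preferable where the 837 and the PIX license both support it.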

1 Reply

Richard Burts
Hall of Fame

You have posted this same question in the Service Provider / VPN Service Architecture forum where I have posted an answer. I suggest that we consolidate the discussion in that forum.

HTH

Rick