06-11-2009 08:50 AM
Hi all,
I don't know if this is a weird case or not!
When our ISP provides us with an Internet connection, our real IP is configured on the Ethernet interface, while the serial interfaces have a private IP address.
The problem here comes when I'm trying to configure a VPN tunnel to another router.
Everything in the configuration is smooth except the part where I set the serial interface as my outside.
The tunnel is always down because the IP address will be my private one (serial interface), while the configuration on the peer router is my public IP.
So I'm wondering, is there a way that I can force the VPN tunnel to take the IP configured on the LAN side? Or any other workaround?
Building configuration...
Current configuration : 2372 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ************ address 144.254.x.y
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to144.254.x.y
 set peer 144.254.x.y
 set transform-set ESP-3DES-SHA
 match address VPN_Traffic
!
!
!
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary (My Internal Subnet)
 ip address 196.219.a.b 255.255.255.224 (My Public IP)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay IETF
 ignore dcd
 frame-relay lmi-type q933a
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1.16
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
!
ip access-list extended VPN_Traffic
 remark Protect traffic from Local subnet to any Destination
 remark SDM_ACL Category=4
 permit ip 10.55.218.0 0.0.0.255 any
!
scheduler allocate 20000 1000
end
06-13-2009 02:44 PM
This should do the trick.
crypto map SDM_CMAP_1 local-address FastEthernet0/0
Cheers
06-11-2009 12:21 PM
Why do you have your internal LAN and Public IP on the same interface? Move the 10.55.218.1 255.255.255.0 network to FA0/1 (not being used).
You might also want to tighten up the ACL for VPN traffic.
Good Luck
06-12-2009 06:56 PM
Assign the public IP to a loopback interface. As long as your ISP is pointing to your serial interface for the public IP, that should work.
Then add the following command:
crypto map SDM_CMAP_1 local-address loopback0
Change loopback0 to the interface that you created and assigned the public IP to. Let me know if that works.
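An added example (not code from the thread): IOS sources IKE from the primary address of the interface the crypto map is applied to, unless `crypto map <name> local-address <interface>` overrides it. This audit script reports the effective IKE source per interface and flags RFC 1918 sources, which a peer configured with the public IP will not match. The function name `ike_sources` is hypothetical, and the sample config is constructed with documentation-range addresses in place of the masked ones.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like the posted config (addresses are placeholders).
SAMPLE = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.7
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary
 ip address 203.0.113.10 255.255.255.224
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 crypto map SDM_CMAP_1
"""

def ike_sources(config):
    """Map each crypto-map interface to (map name, IKE source IP, is RFC 1918)."""
    primary, applied, local = {}, {}, {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            iface = None                      # section separator ends the interface block
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1).lower()
        elif m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
            local[m.group(1)] = m.group(2).lower()
        elif iface and (m := re.match(r"ip address (\S+) \S+$", line)):
            primary[iface] = ipaddress.ip_address(m.group(1))  # skips "secondary" lines
        elif iface and (m := re.match(r"crypto map (\S+)$", line)):
            applied[iface] = m.group(1)
    result = {}
    for ifname, cmap in applied.items():
        # local-address, when set, replaces the applied interface as the IKE source
        src = primary.get(local.get(cmap, ifname))
        private = src is not None and any(src in net for net in RFC1918)
        result[ifname] = (cmap, str(src) if src else None, private)
    return result

if __name__ == "__main__":
    for ifname, (cmap, src, private) in ike_sources(SAMPLE).items():
        print(ifname, cmap, src, "PRIVATE SOURCE" if private else "ok")
```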