I reread the problem you were having. I missed it
before. You are trying to ping an address on the other
side of the VPN that is in the same range as on your
local LAN? That's where you're running into a problem.
You're trying to bridge across the tunnel. If you want
that, you need to specify that. Otherwise, you will
need to do NAT to translate the addresses -
destination or source. The PIX has an alias command
that double NATs for this very problem. Never tried it
with VPN tunnel tho, but I guess it should be the
same.

Michael Le, CCIE #6811

--- Allen May  wrote:
> Doesn't seem to work with 12.0(5).
> 
> Here's the config.  FastEthernet0/0 secondary IP is in the range capable of
> going over the VPN.  When the router tries to ping over the VPN it just uses
> the default gateway out to the internet.
> 
> I have a workaround to just give the TACACS+ box an internet address but
> it's bugging me that this won't work the way it was originally planned.
> 
> 
> 
> Using 2646 out of 29688 bytes
> !
> version 12.0
> service timestamps debug datetime localtime
> service timestamps log datetime localtime
> service password-encryption
> !
> hostname MSI-2621
> !
> logging buffered 4096 debugging
> no logging console
> enable password 7 *************
> !
> !
> !
> !
> !
> clock timezone CST -6
> clock summer-time CST recurring
> ip subnet-zero
> ip name-server 209.113.31.100
> !
> ip audit notify log
> ip audit po max-events 100
> !
> !
> crypto isakmp policy 11
>  hash md5
>  authentication pre-share
> crypto isakmp key ********* address 207.x.y.70
> !
> !
> crypto ipsec transform-set msiset esp-des esp-md5-hmac
> !
> !
> crypto map nolan 11 ipsec-isakmp
>  set peer 207.x.y.70
>  set transform-set msiset
>  match address 120
> !
> !
> !
> process-max-time 200
> !
> interface FastEthernet0/0
>  description MSI-LAN  Austin
>  ip address 10.43.2.1 255.255.255.0 secondary
>  ip address 192.168.103.1 255.255.255.0
>  no ip directed-broadcast
>  ip nat inside
> !
> interface Serial0/0
>  description MSI-Austin to Insync-Houston T1 (Internet)
>  ip address 207.x.y.22 255.255.255.252
>  no ip directed-broadcast
>  ip nat outside
>  no ip route-cache
>  no ip mroute-cache
>  crypto map nolan
> !
> interface FastEthernet0/1
>  description MSI DMZ LAN
>  ip address 207.x.y.129 255.255.255.224
>  no ip directed-broadcast
> !
> interface Serial0/1
>  description MSI-Austin to Microspace-Raleigh T1
>  ip address 192.168.254.10 255.255.255.252
>  no ip directed-broadcast
>  service-module t1 clock source internal
> !
> router ospf 100
>  redistribute connected subnets
>  redistribute static subnets
>  network 192.168.103.0 0.0.0.255 area 0
>  network 192.168.254.8 0.0.0.3 area 0
>  network 207.x.y.160 0.0.0.31 area 0
> !
> ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
> ip nat inside source route-map nonat pool MSI-LAN overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 207.170.95.21
> ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
> ip route 207.x.y.120 255.255.255.248 207.x.y.14
> ip route 207.x.y.128 255.255.255.224 207.x.y.14
> no ip http server
> !
> access-list 1 permit 192.168.103.0 0.0.0.255
> access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
> access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
> access-list 130 permit ip 10.43.2.0 0.0.0.255 any
> access-list 130 permit ip 192.168.103.0 0.0.0.255 any
> access-list 198 permit icmp any any
> route-map nonat permit 10
>  match ip address 130
> !
> snmp-server engineID local 00000009020000309468D480
> snmp-server community **** RO
> snmp-server community **** RW
> !
> line con 0
>  exec-timeout 30 0
>  transport input none
> line aux 0
> line vty 0 4
>  password 7 ****
>  login
> !
> ntp clock-period 17180260
> ntp server 192.168.103.242 prefer
> !
> end
> ----- Original Message -----
> From: "Yonkerbonk" 
> To: "Allen May" ;
> 
> Sent: Tuesday, July 03, 2001 10:14 AM
> Subject: Re: VPN troubles [7:10714]
> 
> 
> > What you need to test with is do an extended ping.
> > Type in ping ip and then enter. And then follow the
> > prompts after that. It gives you the choice of picking
> > which ip address the router will use as the source. By
> > default it uses the interface the packet leaves from.
> >
> > Michael Le, CCIE #681
> >
> > --- Allen May  wrote:
> > > OK I'll get the configs & forward in a bit.  But for
> > > now...the inside interface has an IP on that subnet.  What would it
> > > take to get it to work from the router itself?  It's got an outside IP
> > > going to the ISP and an inside IP for a 10.43.2.0/24 network with a
> > > secondary IP on the inside interface of 10.43.2.1.
> > >
> > > I guess what I'm trying to say is...how DO you make
> > > it work then? ;)
> > >
> > > Allen
> > >
> > > ----- Original Message -----
> > > From: "G30RG3"
> > > To:
> > > Sent: Monday, July 02, 2001 7:53 PM
> > > Subject: Re: VPN troubles [7:10714]
> > >
> > >
> > > > The reason you can't ping from the router itself is that when you specified
> > > > what traffic to encrypt and send to the tunnel you only specified the
> > > > subnets behind the firewall and router.  If you try and ping the other side
> > > > it will not go through the tunnel because it is not a match on the
> > > > access-list.  That is one of the reasons.  I can't say that is the only
> > > > reason cuz I don't know what your configs look like.
> > > >
> > > > Hope that helps
> > > >
> > > > George, Head Janitor, CCNA CCDA
> 
=== message truncated ===

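As an added illustration (not code from the thread or from Cisco), here is a small Python model of the first-match ACL evaluation behind George's and Michael's explanation, applied to access-lists 120 and 130 from Allen's config. It shows why a plain ping sourced from the Serial0/0 address never matches the crypto ACL while an extended ping sourced from 10.43.2.1 does, and why route-map nonat needs its deny line. The Serial0/0 address is a constructed stand-in for the masked 207.x.y.22.

```python
import ipaddress

def to_network(spec):
    """Turn an IOS ACL address spec ('any' or 'net wildcard') into an IPv4Network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    net, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard -> netmask
    return ipaddress.IPv4Network((net, str(ipaddress.IPv4Address(mask))), strict=False)

def acl_lookup(entries, src, dst):
    """First-match evaluation of an extended ACL; the implicit last line is deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s_spec, d_spec in entries:
        if src in to_network(s_spec) and dst in to_network(d_spec):
            return action
    return "deny"

# The two ACLs from Allen's config: 120 selects the tunnel traffic, 130 feeds
# route-map nonat, which decides what gets translated into pool MSI-LAN.
ACL_120 = [("permit", "10.43.2.0 0.0.0.255", "10.43.1.0 0.0.0.255")]
ACL_130 = [("deny",   "10.43.2.0 0.0.0.255", "10.43.1.0 0.0.0.255"),
           ("permit", "10.43.2.0 0.0.0.255", "any"),
           ("permit", "192.168.103.0 0.0.0.255", "any")]

# Constructed stand-in for the masked Serial0/0 address (207.x.y.22 in the post).
SERIAL0_0_ADDR = "203.0.113.22"

def router_ping(dst, source=None):
    """Does a router-originated ping hit the crypto map? A plain 'ping' is
    sourced from the exit interface (the default route leaves Serial0/0);
    extended ping lets the operator choose a LAN address instead."""
    return acl_lookup(ACL_120, source or SERIAL0_0_ADDR, dst) == "permit"

def host_packet(src, dst):
    """Outbound leg for a LAN host's packet: inside->outside NAT is evaluated
    before the crypto map, so ACL 130 must deny the tunnel pair or the source
    would be rewritten to a pool address and no longer match ACL 120."""
    tunnel = acl_lookup(ACL_120, src, dst) == "permit"
    natted = acl_lookup(ACL_130, src, dst) == "permit"
    return {"tunnel": tunnel, "natted": natted}

if __name__ == "__main__":
    print("default-source ping to 10.43.1.5 tunnelled:", router_ping("10.43.1.5"))
    print("ping sourced from 10.43.2.1 tunnelled:", router_ping("10.43.1.5", "10.43.2.1"))
    print("LAN host 10.43.2.50 -> 10.43.1.5:", host_packet("10.43.2.50", "10.43.1.5"))
```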





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10868&t=10714
