Actually it's not in the same range. The config I sent was from a 2600 on
10.43.2.0/24 and the destination on the other end of the tunnel is
10.43.1.0/24. It is set up to only allow IP's originating from 10.43.2.0/24
to go through the tunnel (vice-versa on other end). Everything else gets
routed out to the internet & nat'd. NAT does not work with IPSec tunnels
according to all the documents I found on cisco.com. The whole problem is
that it won't use the 10.43.2.1 interface as the source IP when I try to get
across the tunnel from the router.
Thanks alot for the help...I do appreciate it. Any other ideas? I'm about
to give up & use the work-around of sending TACACS+ authentication requests
over the internet via a real IP address. That will just mean I have to add
another access-list for source IP's allowed into the TACACS+ box. More work
but it would be do-able.
Allen
----- Original Message -----
From: "Yonkerbonk"
To: "Allen May" ;
Sent: Tuesday, July 03, 2001 1:40 PM
Subject: Re: VPN troubles [7:10714]
> I reread the problem you were having. I missed it
> before. You are trying to ping an address on the other
> side of the VPN that is in the same range as on your
> local LAN? That's where you're running into a problem.
> You're trying to bridge across the tunnel. If you want
> that, you need to specify that. Otherwise, you will
> need to do NAT to translate the addresses -
> destination or source. The PIX has an alias command
> that double NATs for this very problem. Never tried it
> with VPN tunnel tho, but I guess it should be the
> same.
>
> Michael Le, CCIE #6811
>
> --- Allen May wrote:
> > Doesn't seem to work with 12.0(5).
> >
> > Here's the config. FastEthernet0/0 secondary IP is
> > in the range capable of
> > going over the VPN. When the router tries to ping
> > over the VPN it just uses
> > the default gateway out to the internet.
> >
> > I have a workaround to just give the TACACS+ box an
> > internet address but
> > it's bugging me that this won't work the way it was
> > originally planned.
> >
> >
> >
> > Using 2646 out of 29688 bytes
> > !
> > version 12.0
> > service timestamps debug datetime localtime
> > service timestamps log datetime localtime
> > service password-encryption
> > !
> > hostname MSI-2621
> > !
> > logging buffered 4096 debugging
> > no logging console
> > enable password 7 *************
> > !
> > !
> > !
> > !
> > !
> > clock timezone CST -6
> > clock summer-time CST recurring
> > ip subnet-zero
> > ip name-server 209.113.31.100
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > crypto isakmp policy 11
> > hash md5
> > authentication pre-share
> > crypto isakmp key ********* address 207.x.y.70
> > !
> > !
> > crypto ipsec transform-set msiset esp-des
> > esp-md5-hmac
> > !
> > !
> > crypto map nolan 11 ipsec-isakmp
> > set peer 207.x.y.70
> > set transform-set msiset
> > match address 120
> > !
> > !
> > !
> > process-max-time 200
> > !
> > interface FastEthernet0/0
> > description MSI-LAN Austin
> > ip address 10.43.2.1 255.255.255.0 secondary
> > ip address 192.168.103.1 255.255.255.0
> > no ip directed-broadcast
> > ip nat inside
> > !
> > interface Serial0/0
> > description MSI-Austin to Insync-Houston T1
> > (Internet)
> > ip address 207.x.y.22 255.255.255.252
> > no ip directed-broadcast
> > ip nat outside
> > no ip route-cache
> > no ip mroute-cache
> > crypto map nolan
> > !
> > interface FastEthernet0/1
> > description MSI DMZ LAN
> > ip address 207.x.y.129 255.255.255.224
> > no ip directed-broadcast
> > !
> > interface Serial0/1
> > description MSI-Austin to Microspace-Raleigh T1
> > ip address 192.168.254.10 255.255.255.252
> > no ip directed-broadcast
> > service-module t1 clock source internal
> > !
> > router ospf 100
> > redistribute connected subnets
> > redistribute static subnets
> > network 192.168.103.0 0.0.0.255 area 0
> > network 192.168.254.8 0.0.0.3 area 0
> > network 207.x.y.160 0.0.0.31 area 0
> > !
> > ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask
> > 255.255.255.224
> > ip nat inside source route-map nonat pool MSI-LAN
> > overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 207.170.95.21
> > ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
> > ip route 207.x.y.120 255.255.255.248 207.x.y.14
> > ip route 207.x.y.128 255.255.255.224 207.x.y.14
> > no ip http server
> > !
> > access-list 1 permit 192.168.103.0 0.0.0.255
> > access-list 120 permit ip 10.43.2.0 0.0.0.255
> > 10.43.1.0 0.0.0.255
> > access-list 130 deny ip 10.43.2.0 0.0.0.255
> > 10.43.1.0 0.0.0.255
> > access-list 130 permit ip 10.43.2.0 0.0.0.255 any
> > access-list 130 permit ip 192.168.103.0 0.0.0.255
> > any
> > access-list 198 permit icmp any any
> > route-map nonat permit 10
> > match ip address 130
> > !
> > snmp-server engineID local 00000009020000309468D480
> > snmp-server community **** RO
> > snmp-server community **** RW
> > !
> > line con 0
> > exec-timeout 30 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > password 7 ****
> > login
> > !
> > ntp clock-period 17180260
> > ntp server 192.168.103.242 prefer
> > !
> > end
> > ----- Original Message -----
> > From: "Yonkerbonk"
> > To: "Allen May" ;
> >
> > Sent: Tuesday, July 03, 2001 10:14 AM
> > Subject: Re: VPN troubles [7:10714]
> >
> >
> > > What you need to test with is do an extended ping.
> > > Type in ping ip and then enter. And then follow
> > the
> > > prompts after that. It gives you the choice of
> > picking
> > > which ip address the router will use as the
> > source. By
> > > default is uses the interface the packet leaves
> > from.
> > >
> > > Michael Le, CCIE #681
> > >
> > > --- Allen May wrote:
> > > > OK I'll get the configs & forward in a bit. But
> > for
> > > > now...the inside
> > > > interface has an IP on that subnet. What would
> > it
> > > > take to get it to work
> > > > from the router itself? It's got an outside IP
> > > > going to the ISP and an
> > > > inside IP for a 10.43.2.0/24 network with a
> > > > secondary IP on the inside
> > > > interface of 10.43.2.1.
> > > >
> > > > I guess what I'm trying to say is...how DO you
> > make
> > > > it work then? ;)
> > > >
> > > > Allen
> > > >
> > > > ----- Original Message -----
> > > > From: "G30RG3"
> > > > To:
> > > > Sent: Monday, July 02, 2001 7:53 PM
> > > > Subject: Re: VPN troubles [7:10714]
> > > >
> > > >
> > > > > The reason you cant ping from the router
> > itself is
> > > > that when you specified
> > > > > what traffic to encrypt and send to the tunnel
> > > > you only specified the
> > > > > subnets behind the firewall and router. If
> > you
> > > > try and ping the other
> > > > side
> > > > > it will not go through the tunnel because it
> > is
> > > > not a match on the
> > > > > access-list. That is one of the reasons. I
> > cant
> > > > say that is the only
> > > > > reason cuz I don't know what your configs look
> > > > like.
> > > > >
> > > > > Hope that helps
> > > > >
> > > > > George, Head Janitor, CCNA CCDA
> >
> === message truncated ===
>
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10874&t=10714
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
