The only thing I can think of is packets originating
from the router normally don't get passed through
access-lists. But I remember being able to pass
router-originated packets through my tunnel just fine,
so I'm not sure what the rules for VPNs are.
Sorry.

Michael
--- Allen May  wrote:
> Actually it's not in the same range.  The config I sent was from a 2600 on
> 10.43.2.0/24 and the destination on the other end of the tunnel is
> 10.43.1.0/24.  It is set up to only allow IPs originating from 10.43.2.0/24
> to go through the tunnel (vice-versa on other end).  Everything else gets
> routed out to the internet & NAT'd.  NAT does not work with IPSec tunnels
> according to all the documents I found on cisco.com.  The whole problem is
> that it won't use the 10.43.2.1 interface as the source IP when I try to get
> across the tunnel from the router.
> 
> Thanks a lot for the help...I do appreciate it.  Any other ideas?  I'm about
> to give up & use the work-around of sending TACACS+ authentication requests
> over the internet via a real IP address.  That will just mean I have to add
> another access-list for source IPs allowed into the TACACS+ box.  More work
> but it would be doable.
> 
> Allen
> ----- Original Message -----
> From: "Yonkerbonk" 
> To: "Allen May" ;
> 
> Sent: Tuesday, July 03, 2001 1:40 PM
> Subject: Re: VPN troubles [7:10714]
> 
> 
> > I reread the problem you were having. I missed it
> > before. You are trying to ping an address on the other
> > side of the VPN that is in the same range as on your
> > local LAN? That's where you're running into a problem.
> > You're trying to bridge across the tunnel. If you want
> > that, you need to specify that. Otherwise, you will
> > need to do NAT to translate the addresses -
> > destination or source. The PIX has an alias command
> > that double NATs for this very problem. Never tried it
> > with VPN tunnel though, but I guess it should be the
> > same.
> >
> > Michael Le, CCIE #6811
> >
> > --- Allen May  wrote:
> > > Doesn't seem to work with 12.0(5).
> > >
> > > Here's the config.  FastEthernet0/0 secondary IP is
> > > in the range capable of
> > > going over the VPN.  When the router tries to ping
> > > over the VPN it just uses
> > > the default gateway out to the internet.
> > >
> > > I have a workaround to just give the TACACS+ box an
> > > internet address but
> > > it's bugging me that this won't work the way it was
> > > originally planned.
> > >
> > >
> > >
> > > Using 2646 out of 29688 bytes
> > > !
> > > version 12.0
> > > service timestamps debug datetime localtime
> > > service timestamps log datetime localtime
> > > service password-encryption
> > > !
> > > hostname MSI-2621
> > > !
> > > logging buffered 4096 debugging
> > > no logging console
> > > enable password 7 *************
> > > !
> > > !
> > > !
> > > !
> > > !
> > > clock timezone CST -6
> > > clock summer-time CST recurring
> > > ip subnet-zero
> > > ip name-server 209.113.31.100
> > > !
> > > ip audit notify log
> > > ip audit po max-events 100
> > > !
> > > !
> > > crypto isakmp policy 11
> > >  hash md5
> > >  authentication pre-share
> > > crypto isakmp key ********* address 207.x.y.70
> > > !
> > > !
> > > crypto ipsec transform-set msiset esp-des esp-md5-hmac
> > > !
> > > !
> > > crypto map nolan 11 ipsec-isakmp
> > >  set peer 207.x.y.70
> > >  set transform-set msiset
> > >  match address 120
> > > !
> > > !
> > > !
> > > process-max-time 200
> > > !
> > > interface FastEthernet0/0
> > >  description MSI-LAN  Austin
> > >  ip address 10.43.2.1 255.255.255.0 secondary
> > >  ip address 192.168.103.1 255.255.255.0
> > >  no ip directed-broadcast
> > >  ip nat inside
> > > !
> > > interface Serial0/0
> > >  description MSI-Austin to Insync-Houston T1 (Internet)
> > >  ip address 207.x.y.22 255.255.255.252
> > >  no ip directed-broadcast
> > >  ip nat outside
> > >  no ip route-cache
> > >  no ip mroute-cache
> > >  crypto map nolan
> > > !
> > > interface FastEthernet0/1
> > >  description MSI DMZ LAN
> > >  ip address 207.x.y.129 255.255.255.224
> > >  no ip directed-broadcast
> > > !
> > > interface Serial0/1
> > >  description MSI-Austin to Microspace-Raleigh T1
> > >  ip address 192.168.254.10 255.255.255.252
> > >  no ip directed-broadcast
> > >  service-module t1 clock source internal
> > > !
> > > router ospf 100
> > >  redistribute connected subnets
> > >  redistribute static subnets
> > >  network 192.168.103.0 0.0.0.255 area 0
> > >  network 192.168.254.8 0.0.0.3 area 0
> > >  network 207.x.y.160 0.0.0.31 area 0
> > > !
> > > ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
> > > ip nat inside source route-map nonat pool MSI-LAN overload
> > > ip classless
> > > ip route 0.0.0.0 0.0.0.0 207.170.95.21
> > > ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
> > > ip route 207.x.y.120 255.255.255.248 207.x.y.14
> > > ip route 207.x.y.128 255.255.255.224 207.x.y.14
> > > no ip http server
> > > !
> > > access-list 1 permit 192.168.103.0 0.0.0.255
> > > access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
> > > access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
> > > access-list 130 permit ip 10.43.2.0 0.0.0.255 any
> > > access-list 130 permit ip 192.168.103.0 0.0.0.255 any
> > > access-list 198 permit icmp any any
> > > route-map nonat permit 10
> > >  match ip address 130
> > > !
> > > snmp-server engineID local 00000009020000309468D480
> > > snmp-server community **** RO
> > > snmp-server community **** RW
> > > !
> > > line con 0
> > >  exec-timeout 30 0
> > >  transport input none
> > > line aux 0
> > > line vty 0 4
> > >  password 7 ****
> > >  login
> > > !
> > > ntp clock-period 17180260
> > > ntp server 192.168.103.242 prefer
> > > !
> > > end
> > > ----- Original Message -----
> 
=== message truncated ===
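The following is an added example, not code from the thread or from any of its participants. It models how an IOS router evaluates the two access-lists in Allen's config, crypto ACL 120 (what the crypto map encrypts) and route-map ACL 130 (what gets NAT'd), against a packet leaving Serial0/0, using Cisco wildcard-mask semantics. The public addresses are masked as 207.x.y.* in the post, so the 203.0.113.0/24 documentation range stands in for them here; the four test packets are constructed. The model covers only ACL matching and the NAT-before-crypto order of operations, not routing.

```python
import ipaddress

# Stand-ins for the masked public addresses in the posted config (assumption):
OUTSIDE_IF_ADDR = "203.0.113.22"    # Serial0/0's 207.x.y.22
NAT_POOL_FIRST = "203.0.113.129"    # first address of pool MSI-LAN (207.x.y.129)

# Entries copied from the config: (action, src, src_wildcard, dst, dst_wildcard).
# "any" is written as 0.0.0.0 255.255.255.255.
ACL_120 = [
    ("permit", "10.43.2.0", "0.0.0.255", "10.43.1.0", "0.0.0.255"),
]
ACL_130 = [
    ("deny",   "10.43.2.0", "0.0.0.255", "10.43.1.0", "0.0.0.255"),
    ("permit", "10.43.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.103.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def egress(src: str, dst: str):
    """Return (source address on the wire, list of processing steps).

    Outbound on IOS, inside-to-outside NAT runs before the crypto map
    consults its match ACL. That is why ACL 130 starts with a deny for the
    tunnel traffic: a translated source could never match ACL 120.
    """
    steps = []
    if acl_lookup(ACL_130, src, dst) == "permit":
        src = NAT_POOL_FIRST       # "ip nat inside source route-map nonat ..."
        steps.append("nat")
    if acl_lookup(ACL_120, src, dst) == "permit":
        steps.append("ipsec")      # crypto map nolan encrypts toward the peer
    else:
        steps.append("clear")      # leaves Serial0/0 unencrypted
    return src, steps


if __name__ == "__main__":
    # Constructed test packets; the third reproduces the symptom in the thread.
    cases = [
        ("LAN host to remote LAN", "10.43.2.50", "10.43.1.10"),
        ("LAN host to internet", "10.43.2.50", "198.51.100.5"),
        ("router ping, Serial0/0 source", OUTSIDE_IF_ADDR, "10.43.1.10"),
        ("router ping, 10.43.2.1 source", "10.43.2.1", "10.43.1.10"),
    ]
    for label, s, d in cases:
        print(f"{label:32} {s:>15} -> {d:<14} {egress(s, d)}")
```

The third case is the one Allen describes: IOS sources a locally generated packet from the primary address of the interface it leaves through unless the generating process is told otherwise (extended ping prompts for a source address; the TACACS+ client has `ip tacacs source-interface`), and a packet sourced from the Serial0/0 address matches neither ACL, so it goes out in the clear. The fourth case shows that the same packet sourced from the 10.43.2.1 secondary address does match ACL 120.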






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10904&t=10714
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
