forcing LAN traffic through tunnel first

I have 2 sites connected with an IPsec tunnel; I can ping and Exchange works between the sites. But if I do a tracert from one side to the other, it sends it out the LAN side of the gateway (192.168.x.1) and then dies.

I have an ACL that looks like this:

access-list 110 permit ip
access-list 111 deny   ip
access-list 111 permit ip any

The inside source list is mapped to 111:
ip nat inside source list 111 interface FastEthernet4 overload

and the crypto map is mapped to 110.

If I tracert from a LAN workstation it dies after it hits 9.1; if I traceroute from the router, I get the ISP gateway and then the next hop, but then it dies.

So basically what I need is for both sides to send all LAN traffic through the tunnel.

Any help appreciated. Thanks.
OK. If I understand what you are asking, it is that traffic goes to the internet instead of going to the other site.
The answer here is that NAT happens first and then the packet is processed by the crypto map. So because the IP header has changed, the router does not consider this to be the interesting traffic and does not encrypt the information.

Those links have enough info for your problem
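To make that ordering concrete, here is an added model (not from the thread, and not IOS itself; the two LAN subnets and the WAN address are assumed placeholders) that applies ACL 111 as the NAT decision before matching ACL 110 as the crypto map, the sequence the answer describes, so you can see why a NAT ACL without a deny for the site-to-site subnets sends the traffic out in clear text:

```python
"""Model of the order of operations the answer describes: an inside-to-outside packet
is NAT-translated first and only then matched against the crypto map ACL.
Added illustration, not from the thread; subnets and the WAN address are assumed."""
import ipaddress

WAN_IP = ipaddress.ip_address("203.0.113.10")  # assumed placeholder for Fa4's address

def _parse_addr(tok):
    """Consume one IOS address group: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ipaddress accepts an IOS wildcard (hostmask) in place of a prefix length
    return ipaddress.ip_network(tok[0] + "/" + tok[1], strict=False), tok[2:]

def parse_acls(lines):
    """Group 'access-list N permit|deny ip SRC DST' lines into rules by number."""
    acls = {}
    for line in lines:
        tok = line.split()
        num, action = tok[1], tok[2]  # tok[3] is the protocol, always 'ip' here
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def acl_permits(rules, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action == "permit"
    return False

def forward(lines, src, dst):
    """Return what leaves the WAN interface for a LAN packet src -> dst."""
    acls = parse_acls(lines)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1, NAT: if ACL 111 permits the flow, the source becomes the WAN address.
    if acl_permits(acls.get("111", []), src, dst):
        src = WAN_IP
    # Step 2, crypto map: ACL 110 is matched against the packet as it is after NAT.
    if acl_permits(acls.get("110", []), src, dst):
        return "encrypted"
    return f"clear-text from {src}"

CRYPTO_110 = "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
NAT_BROKEN = [CRYPTO_110, "access-list 111 permit ip any any"]  # no NAT exemption
NAT_FIXED = [CRYPTO_110, "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
             "access-list 111 permit ip any any"]  # deny mirrors the crypto ACL
```

The deny line in the NAT ACL has to mirror the crypto ACL on both routers; traffic to any other destination still gets translated and leaves unencrypted, which is the intended behaviour for internet-bound flows.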

jasonmichel (Author) commented:
So basically I need a NONAT-type ACL?
jasonmichel (Author) commented:
Here's what my current config looks like (scrubbed IPs):

Current configuration : 5570 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname \
no logging exception
logging message-counter syslog
logging buffered 4096
logging console errors

no aaa new-model
crypto pki trustpoint TP-self-signed-4276677771
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4276677771
 revocation-check none
 rsakeypair TP-self-signed-4276677771
crypto pki certificate chain TP-self-signed-4276677771
 certificate self-signed 01
dot11 syslog
ip source-route
ip cef
ip inspect name INS_LOW cuseeme
ip inspect name INS_LOW dns
ip inspect name INS_LOW ftp
ip inspect name INS_LOW h323
ip inspect name INS_LOW icmp router-traffic
ip inspect name INS_LOW imap
ip inspect name INS_LOW pop3
ip inspect name INS_LOW netshow
ip inspect name INS_LOW rcmd
ip inspect name INS_LOW realaudio
ip inspect name INS_LOW rtsp
ip inspect name INS_LOW esmtp
ip inspect name INS_LOW sqlnet
ip inspect name INS_LOW streamworks
ip inspect name INS_LOW tftp
ip inspect name INS_LOW tcp
ip inspect name INS_LOW udp
ip inspect name INS_LOW vdolive
ip inspect name INS_LOW cifs
no ip domain lookup
ip domain name
ip name-server

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address x.x.x.x no-xauth
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
 description +++++Link to other side ++++
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set 3DES
 set pfs group2
 match address 110
 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 mac-address 00d0.cf03.3f37
 ip address x.x.x.x
 ip inspect INS_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
interface Vlan1
 description LAN
 ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
ip forward-protocol nd
ip route (ISP Gateway)
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source static tcp 21 x.x.x.x 21 extendable
ip nat inside source static tcp 25 x.x.x.x 25 extendable
ip nat inside source static tcp 143 x.x.x.x 143 extendable
ip nat inside source static tcp 443 x.x.x.x 443 extendable
ip nat inside source static tcp 587 x.x.x.x 587 extendable
ip nat inside source static tcp 1337 x.x.x.x 1337 extendable
ip nat inside source static tcp 1433 x.x.x.x 1433 extendable
ip nat inside source static tcp 3389 x.x.x.x 3389 extendable
access-list 110 permit ip
access-list 111 deny   ip
access-list 111 permit ip any
snmp-server community public RO
no cdp run

 transport output telnet
scheduler max-task-time 5000
scheduler allocate 20000 1000