
forcing LAN traffic through tunnel first

Posted on 2009-05-08
Last Modified: 2012-05-06
I have 2 sites connected with an IPsec tunnel; I can ping and Exchange works between sites. But if I do a tracert from one side to the other, it sends it out the LAN side of the gateway (192.168.x.1) and then dies.

I have an ACL that looks like this:

access-list 110 permit ip 192.168.9.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 111 deny   ip 192.168.9.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 111 permit ip 192.168.9.0 0.0.0.255 any

Inside source list mapped to 111:
ip nat inside source list 111 interface FastEthernet4 overload

And the crypto map is mapped to 110.

If I tracert from a LAN workstation it dies after it hits 9.1; if I traceroute from the router, I get the ISP gateway and then the next hop, but then it dies.

So basically what I need is for both sides to send all LAN traffic through the tunnel.

Any help appreciated. Thanks.
Question by:jasonmichel

Accepted Solution

by:
hau_it earned 500 total points
ID: 24338547
OK. If I understand, what you are asking is that traffic goes to the internet instead of going to the other site.
The answer here is that NAT happens first and then the packet is processed by the crypto map. So because the IP header has changed, the router does not consider this to be the interesting traffic and does not encrypt the information.

http://www.sysadminsjourney.com/2007/11/09/combining-ipsec-dynamic-nat-and-static-nat-behind-a-cisco-ios-router
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Those links have enough info for your problem.

Dimitris
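To make the order-of-operations point in the accepted answer concrete, here is a small simulation added by the editor (it is not code from the thread, from Cisco, or from the linked articles). It models the IOS inside-to-outside path as described above: the NAT inside-source list is consulted first, the source address is rewritten if the list permits, and only then is the crypto map's match ACL checked against the (possibly translated) packet. The ACL numbers and the two LAN subnets are taken from the question; the outside address 203.0.113.10 is a constructed placeholder for the router's x.x.x.x public IP.

```python
"""Toy model of Cisco IOS inside->outside processing: NAT before crypto map.

Editor's added example, not a Cisco tool. Wildcard-mask ACLs are evaluated
first-match with the IOS implicit deny at the end. Addresses 192.168.9.0/24
and 192.168.57.0/24 come from the question; 203.0.113.10 is a placeholder
for the router's scrubbed public address.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit'/'deny' src wildcard dst wildcard."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _matches(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wc) and _matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def nat_inside_to_outside(pkt: Packet, nat_list: list, outside_ip: str) -> Packet:
    """'ip nat inside source list N interface X overload': translate only
    if the list permits the flow; a deny entry exempts it from NAT."""
    if acl_lookup(nat_list, pkt.src, pkt.dst) == "permit":
        return replace(pkt, src=outside_ip)
    return pkt


def forward_out(pkt: Packet, nat_list: list, crypto_list: list, outside_ip: str):
    """Inside->outside order of operations: NAT first, then the crypto map
    compares the post-NAT header against its match ACL."""
    after_nat = nat_inside_to_outside(pkt, nat_list, outside_ip)
    if acl_lookup(crypto_list, after_nat.src, after_nat.dst) == "permit":
        return "encrypted", after_nat
    return "clear", after_nat


ANY = ("0.0.0.0", "255.255.255.255")
OUTSIDE_IP = "203.0.113.10"  # placeholder for the router's public address

# access-list 110: the crypto map's "interesting traffic"
ACL_110 = [Ace("permit", "192.168.9.0", "0.0.0.255", "192.168.57.0", "0.0.0.255")]

# access-list 111 as posted in the question (NAT exemption present)
ACL_111 = [
    Ace("deny", "192.168.9.0", "0.0.0.255", "192.168.57.0", "0.0.0.255"),
    Ace("permit", "192.168.9.0", "0.0.0.255", *ANY),
]

# The same list without the deny line: every flow gets translated first
ACL_111_NO_EXEMPT = [Ace("permit", "192.168.9.0", "0.0.0.255", *ANY)]


def demo() -> dict:
    """Run the three cases the answer describes and return the outcomes."""
    to_remote = Packet("192.168.9.20", "192.168.57.20")
    to_internet = Packet("192.168.9.20", "198.51.100.5")  # constructed host
    return {
        # NAT rewrote the source, so ACL 110 no longer matches -> sent in clear
        "remote_without_exempt": forward_out(to_remote, ACL_111_NO_EXEMPT, ACL_110, OUTSIDE_IP),
        # deny entry skips NAT, header unchanged -> crypto map encrypts it
        "remote_with_exempt": forward_out(to_remote, ACL_111, ACL_110, OUTSIDE_IP),
        # ordinary internet traffic is still translated and never encrypted
        "internet": forward_out(to_internet, ACL_111, ACL_110, OUTSIDE_IP),
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:24s} {verdict:9s} src={pkt.src} dst={pkt.dst}")
```

The first case is the failure mode the answer describes: once the overload rule has rewritten the source to the outside address, the packet no longer falls inside `access-list 110` and leaves unencrypted toward the ISP gateway. The second case shows why the `deny` entry at the top of `access-list 111` must exist on both routers, since each side's NAT runs independently on its own outbound traffic.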

Author Comment

by:jasonmichel
ID: 24338669
So basically I need a NONAT-type ACL?

Author Comment

by:jasonmichel
ID: 24338718
Here's what my current config looks like (scrubbed IPs):


Current configuration : 5570 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname \
!
boot-start-marker
boot-end-marker
!
no logging exception
logging message-counter syslog
logging buffered 4096
logging console errors

!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4276677771
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4276677771
 revocation-check none
 rsakeypair TP-self-signed-4276677771
!
!
crypto pki certificate chain TP-self-signed-4276677771
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323736 36373737 3731301E 170D3032 30333035 32313039
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373636
  37373737 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB50 DA597508 DDD6A1FE FAC2CD5B 5C513B22 9882CB0A 39E0E42F 993A54B9
  5A00E69C 331CDDC9 4BEEE30E 0988655F AA65DCDD E60B2F7E 80CF2674 DDFFD045
  942C5D05 E54A2F70 7450F6E5 25CB9B1A 03F7C6CD 5898F0B0 52B77BB3 E826F77B
  B21BD77B 109A4B7E 217C8501 1DA90111 26B1129E 234256E6 AA506D23 2EDB22D8
  65A70203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D706374 65636872 6F757465 7230312E 796F7572 646F6D61
  696E2E63 6F6D301F 0603551D 23041830 16801451 72139C6D A5024D2E 8B9C03C2
  C8FC6853 2D37AD30 1D060355 1D0E0416 04145172 139C6DA5 024D2E8B 9C03C2C8
  FC68532D 37AD300D 06092A86 4886F70D 01010405 00038181 0008FECA E26087A8
  DE9867B1 A1186460 45F257D3 2705B029 3148AC26 3879783D 5522625B D626A243
  9B1E6E3E 100766AD 25A97448 28ED9369 1ECCCEA4 997967C1 58ABDF2C 5680305F
  298D7BD0 5A981AB4 D417B333 DCC79B93 68ECAD71 E14B07D9 F911CB40 BEF3C18B
  36B64679 419C350D 38F950FA D416F17C 95B2C299 D65CB9BD 44
        quit
dot11 syslog
ip source-route
!
!
ip cef
ip inspect name INS_LOW cuseeme
ip inspect name INS_LOW dns
ip inspect name INS_LOW ftp
ip inspect name INS_LOW h323
ip inspect name INS_LOW icmp router-traffic
ip inspect name INS_LOW imap
ip inspect name INS_LOW pop3
ip inspect name INS_LOW netshow
ip inspect name INS_LOW rcmd
ip inspect name INS_LOW realaudio
ip inspect name INS_LOW rtsp
ip inspect name INS_LOW esmtp
ip inspect name INS_LOW sqlnet
ip inspect name INS_LOW streamworks
ip inspect name INS_LOW tftp
ip inspect name INS_LOW tcp
ip inspect name INS_LOW udp
ip inspect name INS_LOW vdolive
ip inspect name INS_LOW cifs
no ip domain lookup
ip domain name yourdomain.com
ip name-server 4.2.2.2
!
!
!
!

!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address x.x.x.x no-xauth
!
!        
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 description +++++Link to other side ++++
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set 3DES
 set pfs group2
 match address 110
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 mac-address 00d0.cf03.3f37
 ip address x.x.x.x 255.255.255.192
 ip inspect INS_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 description LAN
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (ISP Gateway)
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.9.10 21 x.x.x.x 21 extendable
ip nat inside source static tcp 192.168.9.10 25 x.x.x.x 25 extendable
ip nat inside source static tcp 192.168.9.10 143 x.x.x.x 143 extendable
ip nat inside source static tcp 192.168.9.10 443 x.x.x.x 443 extendable
ip nat inside source static tcp 192.168.9.10 587 x.x.x.x 587 extendable
ip nat inside source static tcp 192.168.9.9 1337 x.x.x.x 1337 extendable
ip nat inside source static tcp 192.168.9.9 1433 x.x.x.x 1433 extendable
ip nat inside source static tcp 192.168.9.10 3389 x.x.x.x 3389 extendable
!
access-list 110 permit ip 192.168.9.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 111 deny   ip 192.168.9.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 111 permit ip 192.168.9.0 0.0.0.255 any
snmp-server community public RO
no cdp run


 transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end