Problem with routing private IP on public interface

Discussion in 'Cisco' started by Damir Dezeljin, Dec 14, 2003.

  1. Hi.

    I set up an 831 to 1721 EzVPN tunnel (network extension mode).

    Let's say that the LAN behind the 1721 is siteA, and the LAN behind the 831 is siteB.

    SiteA can access siteB and the internet. The problem is that siteB can only
    access siteA (IPs from siteB can't access the internet) when the VPN tunnel
    is running (if I terminate the tunnel manually, the internet can be accessed
    until the tunnel is reconstructed).

    After a lot of hours spent searching for the problem, I realized from debugs on
    the 1721 that private IPs come in on Ethernet0 on the 1721 (public interface,
    connected to the internet) and without NATing they go out of Ethernet0 to
    the internet ... because the traffic has a private IP in the SRC_addr, the
    responses to the packets never reach back to the 1721.

    How can I also NAT the traffic from siteB whose target is the internet? (I
    don't explicitly need the internet traffic to pass through the VPN tunnel; if it
    is possible, it would be great that only VPN traffic transits through the
    tunnel.)

    Regards,
    Dezo
     
    Damir Dezeljin, Dec 14, 2003
    #1

  2. In article <brio87$bdf$>,
    Damir Dezeljin <> wrote:
    :I set-up a 831 to 1721 EzVPN tunnel (network extension mode).

    :Let say that LAN behind 1721 is siteA, and lan behind 831 is siteB.

    :SiteA can access siteB and the internet. The problem is that siteB can only
    :access siteA (IPs from siteB can't access the internet) when the VPN tunnel
    :is running (if I terminate the tunnel manualy, the internet can be accessed
    :until the tunnel is reconstructed).

    Sounds like you need to enable "split-horizon" on the 1721.
    I don't know the details of configuring it under IOS; on the PIX,
    it would be a matter of creating an ACL describing the traffic
    that *should* go over the tunnel, and associating that ACL with
    the vpdngroup split-horizon configuration.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Dec 14, 2003
    #2

  3. Walter Roberson wrote:

    > Sounds like you need to enable "split-horizon" on the 1721.
    > I don't know the details of configuring it under IOS; on the PIX,
    > it would be a matter of creating an ACL describing the traffic
    > that *should* go over the tunnel, and associating that ACL with
    > the vpdngroup split-horizon configuration.


    Split-tunnel, no? Split-horizon is something else :).

    Regards,

    Marco.
     
    M.C. van den Bovenkamp, Dec 14, 2003
    #3
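    As an added illustration (not configuration from any poster in this thread) of what the split-tunnel suggestion looks like on an IOS EzVPN server such as the 1721: the ACL pushed to the client lists only the siteA network, so the 831 sends just siteA-bound traffic through the tunnel and siteB's internet traffic never arrives unNATed on the 1721's Ethernet0. All addresses, interface roles and names below are assumed.

```cisco
! Added example, not from the thread. Assumed addressing:
!   siteA (behind the 1721, EzVPN server): 192.168.10.0/24
!   siteB (behind the 831, EzVPN client):  192.168.20.0/24
!   Ethernet0 = 1721 public interface, Ethernet1 = 1721 LAN
!
! Split-tunnel ACL: the source is the network behind the server.
! Without it the client tunnels 0.0.0.0/0, which is why siteB's
! internet traffic was decrypted on Ethernet0 and routed straight
! back out of Ethernet0 with its private source address intact.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.10.0 0.0.0.255 any
!
crypto isakmp client configuration group EZVPN-GROUP
 key <PRESHARED-KEY-PLACEHOLDER>
 acl SPLIT-TUNNEL
!
! NAT on the 1721: siteA -> siteB must stay unNATed so it matches the
! IPsec SA; siteA -> internet is overloaded onto Ethernet0's address.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Ethernet0 overload
!
interface Ethernet0
 ip nat outside
interface Ethernet1
 ip nat inside
```

    With this in place, siteB's internet-bound packets leave the 831 directly and are translated by the 831's own NAT (not shown), so the 1721 never has to hairpin them.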
  4. > on the PIX,
    > it would be a matter of creating an ACL describing the traffic
    > that *should* go over the tunnel, and associating that ACL with
    > the vpdngroup split-horizon configuration.

    I'm pretty new to Cisco IOS so I have some additional questions.

    I first tried to use vpdn commands to connect my 831 (with no IP Plus
    software) to the 1721 (with crypto module). After spending a lot of hours on that I
    restarted from scratch and successfully set up an EzVPN server on the 1721. So I set
    the 831 as an EzVPN client (without using vpdn).

    So my question is ... can I mix vpdn commands and ezvpn commands? If not ...
    is there any other similar command to use with ezvpn?

    10x a lot and regards,
    Dezo
     
    Damir Dezeljin, Dec 14, 2003
    #4
  5. In article <3fdcf876$0$38941$4all.nl>,
    M.C. van den Bovenkamp <> wrote:
    :Walter Roberson wrote:

    :> Sounds like you need to enable "split-horizon" on the 1721.

    :Split-tunnel, no? Split-horizon is something else :).

    Sorry, I'll go look for some caffeine now.
    --
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
     
    Walter Roberson, Dec 15, 2003
    #5
  6. Damir Dezeljin

    OK, first off I'm going to correct a few phrases that have been misused.
    First off, split horizon has nothing to do with VPNs; he was talking about
    split tunnels, where you define the interesting traffic. Now, this is
    configured on the PIX and IOS the same way, with an ACL. I don't know the
    issue that well because I haven't been given much to work with. If you
    really would like help solving it, which I'm positive I could do, you need
    to submit the config file; change the public IPs and yank the passwords so
    they aren't any use to anyone. Anyway, some side notes: VPDN is virtual
    private dialup network, like PPPoE, L2TP, stuff like that; crypto maps are
    for IPsec. I don't fully understand right now why you built a
    gateway-to-client VPN, because a simple preshared gateway-to-gateway tunnel
    would have been unbelievably easier. Anyway, if you would be kind enough to
    submit the configs with no IPs it would be helpful, or at least all the
    IPsec-related sections. By the way, don't feel bad or silly having a problem
    with this, because it's hard; it's amazing how complex it can be, especially
    on the CCSP test (still passed though, happily).
     
    ganlet, Dec 15, 2003
    #6