Doesn't seem to work with 12.0(5).

Here's the config.  FastEthernet0/0 secondary IP is in the range capable of
going over the VPN.  When the router tries to ping over the VPN it just uses
the default gateway out to the internet.

I have a workaround to just give the TACACS+ box an internet address but
it's bugging me that this won't work the way it was originally planned.



Using 2646 out of 29688 bytes
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MSI-2621
!
logging buffered 4096 debugging
no logging console
enable password 7 *************
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
ip name-server 209.113.31.100
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key ********* address 207.x.y.70
!
!
crypto ipsec transform-set msiset esp-des esp-md5-hmac
!
!
crypto map nolan 11 ipsec-isakmp
 set peer 207.x.y.70
 set transform-set msiset
 match address 120
!
!
!
process-max-time 200
!
interface FastEthernet0/0
 description MSI-LAN  Austin
 ip address 10.43.2.1 255.255.255.0 secondary
 ip address 192.168.103.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 description MSI-Austin to Insync-Houston T1 (Internet)
 ip address 207.x.y.22 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map nolan
!
interface FastEthernet0/1
 description MSI DMZ LAN
 ip address 207.x.y.129 255.255.255.224
 no ip directed-broadcast
!
interface Serial0/1
 description MSI-Austin to Microspace-Raleigh T1
 ip address 192.168.254.10 255.255.255.252
 no ip directed-broadcast
 service-module t1 clock source internal
!
router ospf 100
 redistribute connected subnets
 redistribute static subnets
 network 192.168.103.0 0.0.0.255 area 0
 network 192.168.254.8 0.0.0.3 area 0
 network 207.x.y.160 0.0.0.31 area 0
!
ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
ip nat inside source route-map nonat pool MSI-LAN overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.170.95.21
ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
ip route 207.x.y.120 255.255.255.248 207.x.y.14
ip route 207.x.y.128 255.255.255.224 207.x.y.14
no ip http server
!
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 permit ip 10.43.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.103.0 0.0.0.255 any
access-list 198 permit icmp any any
route-map nonat permit 10
 match ip address 130
!
snmp-server engineID local 00000009020000309468D480
snmp-server community **** RO
snmp-server community **** RW
!
line con 0
 exec-timeout 30 0
 transport input none
line aux 0
line vty 0 4
 password 7 ****
 login
!
ntp clock-period 17180260
ntp server 192.168.103.242 prefer
!
end
----- Original Message -----
From: "Yonkerbonk" 
To: "Allen May" ; 
Sent: Tuesday, July 03, 2001 10:14 AM
Subject: Re: VPN troubles [7:10714]


> What you need to test with is do an extended ping.
> Type in ping ip and then enter. And then follow the
> prompts after that. It gives you the choice of picking
> which ip address the router will use as the source. By
> default it uses the interface the packet leaves from.
>
> Michael Le, CCIE #681
>
> --- Allen May  wrote:
> > OK I'll get the configs & forward in a bit.  But for
> > now...the inside
> > interface has an IP on that subnet.  What would it
> > take to get it to work
> > from the router itself?  It's got an outside IP
> > going to the ISP and an
> > inside IP for a 10.43.2.0/24 network with a
> > secondary IP on the inside
> > interface of 10.43.2.1.
> >
> > I guess what I'm trying to say is...how DO you make
> > it work then? ;)
> >
> > Allen
> >
> > ----- Original Message -----
> > From: "G30RG3"
> > To:
> > Sent: Monday, July 02, 2001 7:53 PM
> > Subject: Re: VPN troubles [7:10714]
> >
> >
> > > The reason you can't ping from the router itself is
> > that when you specified
> > > what traffic to encrypt and send to the tunnel
> > you only specified the
> > > subnets behind the firewall and router.  If you
> > try and ping the other
> > side
> > > it will not go through the tunnel because it is
> > not a match on the
> > > access-list.  That is one of the reasons.  I can't
> > say that is the only
> > > reason cuz I don't know what your configs look
> > like.
> > >
> > > Hope that helps
> > >
> > > George, Head Janitor, CCNA CCDA
> > > Cisco Systems
> > >
> > > ""Allen May""  wrote in message
> > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > > I have an IPSec tunnel set up between PIX and a
> > 2600 and it works
> > > perfectly
> > > > for clients end-to-end.  However, I can't ping
> > across the VPN from pix
> > or
> > > > router.
> > > >
> > > > I suspect a routing issue.  When I try to add a
> > route to tell it
> > anything
> > > > going to the other end should use that IP on
> > that interface, it gives an
> > > > error saying invalid hop because it's on that
> > router.
> > > >
> > > > Any ideas?
> > > >
> > > > A little info:
> > > > Remote network has 10.43.2.0/24 but gateway is a
> > secondary IP on the
> > > > internal FastEthernet interface of a 2600.
> > > > Central network is 10.43.1.0/24 on a PIX 515.
> > > > Future networks will be on the 10.x.y.z network
> > & centralize to the PIX
> > > > rack.
> > > >
> > > > The problem I'm trying to solve is making the
> > remote routers
> > authenticate
> > > > over the VPN to TACACS+ for the enable password.
> >  If I can't ping the
> > box
> > > > because it's trying to go out the default route,
> > it won't work.
> > > >
> > > > Allen
> [EMAIL PROTECTED]
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10825&t=10714
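The behaviour the replies describe, as an added example that is not part of the thread or of anyone's posted config: a small Python model of the posted ACL 120 (matched by crypto map nolan) and ACL 130 (matched by route-map nonat). A packet the router generates itself carries the address of the interface it leaves on unless a source is given; 10.43.1.0/24 only reaches the default route, so that interface is Serial0/0 and the packet never matches ACL 120, which is why it goes out to the Internet in the clear. Sourced from the 10.43.2.1 secondary address, the same packet still routes out Serial0/0 but now matches ACL 120 and is encrypted, so no extra route is needed. 203.0.113.22 is a documentation-range stand-in for the obfuscated 207.x.y.22 and the TACACS+ host 10.43.1.10 is an assumed address; both are constructed for the example.

```python
"""Which router-originated packets hit crypto ACL 120 (and NAT ACL 130)?"""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the extended ACL lines from the posted config.
ACL_TEXT = """
access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 permit ip 10.43.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.103.0 0.0.0.255 any
"""

# Assumed addresses: 203.0.113.22 stands in for the obfuscated Serial0/0
# address 207.x.y.22; the TACACS+ host is not named in the thread, only
# that it sits on 10.43.1.0/24 behind the PIX.
SERIAL0_0 = "203.0.113.22"
FA0_0_PRIMARY = "192.168.103.1"
FA0_0_SECONDARY = "10.43.2.1"
TACACS_HOST = "10.43.1.10"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into a network (0.0.0.255 -> /24)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                # only contiguous low-order wildcards are handled
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Parse extended 'access-list N permit|deny ip SRC DST' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, proto = tok[1], tok[2], tok[3]
        if proto != "ip":
            raise ValueError(f"only extended 'ip' entries are handled: {line}")
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(num, []).append(Ace(action, src, dst))
    return acls


def acl_lookup(aces, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def classify(acls, src, dst):
    """Would the crypto map encrypt this flow, and would route-map nonat NAT it?"""
    return {
        "encrypt": acl_lookup(acls["120"], src, dst) == "permit",
        "nat": acl_lookup(acls["130"], src, dst) == "permit",
    }


def router_ping(acls, dst, source=None):
    """Model 'ping' issued on the router: with no source given, IOS uses the
    address of the egress interface, here Serial0/0 via the default route."""
    src = source or SERIAL0_0
    return src, classify(acls, src, dst)["encrypt"]


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for src in (None, FA0_0_SECONDARY, FA0_0_PRIMARY):
        used, enc = router_ping(acls, TACACS_HOST, src)
        print(f"ping {TACACS_HOST} source={src or '(default)'}: "
              f"src={used} encrypted={enc}")
    for src in ("10.43.2.50", "192.168.103.5"):
        print(f"LAN host {src} -> {TACACS_HOST}: {classify(acls, src, TACACS_HOST)}")
```

Two things to take from the third ping case. For TACACS+ the client has to be given a source address that is inside the crypto ACL rather than the Serial0/0 address (ip tacacs source-interface is the usual knob; confirm it is present on the 12.0(5) image in use). A source interface supplies its primary address, which on FastEthernet0/0 is 192.168.103.1 and is not in ACL 120 either, so either 192.168.103.0/24 goes into ACL 120 (with the matching deny in ACL 130 and the same change on the PIX side) or a loopback carrying a 10.x address is used as the source. The 10.0.0.0/8 static route via 10.43.1.1 adds nothing here, since its next hop is only reachable through that same route; as the original message says, the default route is what actually forwards the traffic, and that is fine as long as the crypto map on Serial0/0 sees a matching source.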