Question : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel
This is a conceptual/architectural question at the moment. I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.
I have a central Cisco 3030 VPN Concentrator with its internal interface on 10.7.30.0/24; this LAN is attached to one of five interfaces on a Cisco PIX 515E:
    nameif ethernet0 outside security0
    nameif ethernet1 inside   security100   10.7.4.0/24  - 10.7.4.1
    nameif ethernet2 dmz      security50    10.7.20.0/24 - 10.7.20.1
    nameif ethernet3 vpn      security85    10.7.30.0/24 - 10.7.30.1
    nameif vlan201   ilo      security90    10.7.1.0/24  - 10.7.1.1
The local client is 10.13.10.2 on the 10.13.0.0/16 network, connected to a Cisco 837 ADSL router. The 837 has NAT established and uses route map SDM_RMAP_1, which in turn uses access-list 101:
    access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
    access-list 101 permit ip 10.13.0.0 0.0.255.255 any
There is NO firewall configured on the 837.
The VPN tunnel uses IPSec rule 100:
    access-list 100 permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24, and I can ping 10.7.30.1 from the local client.
From the VPN concentrator I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2).
So my question, in general terms, is: how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN?
I thought (and have tried) that:
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic
I think I've missed a step because:
i. a tracert to 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails
Answer :
Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd.
Add this to access-list 101, which is referenced by your route map SDM_RMAP_1 on the 837:
    deny   ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
    deny   ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
    permit ip 10.13.0.0 0.0.255.255 any
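As an added illustration (not part of the original question or answer), this is what the 837-side configuration looks like once the answer's NAT exemption is combined with the crypto ACL change the asker mentioned; the ACL numbers, route-map name and subnets come from the thread, while the Dialer0 interface, the NAT statement and the crypto-map name SDM_CMAP_1 are assumptions.

```cisco
! Constructed example of the 837 configuration after the change.
! Assumed: interface Dialer0, the ip nat statement, crypto map SDM_CMAP_1.
!
! NAT exemption: both remote subnets are denied here so the route map does
! not translate them, leaving the 10.13.x.x source intact for the crypto ACL.
access-list 101 remark NAT exemption for LAN-to-LAN VPN
access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
access-list 101 permit ip 10.13.0.0 0.0.255.255 any
!
! Crypto ACL: the "interesting" traffic that is sent into the tunnel.
! The peer's network list must be the mirror image of these entries.
access-list 100 remark VPN interesting traffic
access-list 100 permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
access-list 100 permit ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
! Assumed: overload NAT on the ADSL dialer interface driven by the route map.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
! Assumed crypto-map name; binds ACL 100 as the match for the IPsec SA.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
```

Because IOS does not renegotiate an existing SA when its crypto ACL is edited, run `clear crypto sa` after the change and confirm with `show crypto ipsec sa` that a second SA pair for 10.7.20.0/24 is built, and with `show ip nat translations` that no entries for 10.7.20.0 destinations appear.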