Question: Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel
This is a conceptual/architectural question at the moment. I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.
I have a central Cisco 3030 VPN Concentrator with the internal interface attached to 10.7.30.0/24; this LAN is attached to one of 5 interfaces on a Cisco PIX 515E:
nameif ethernet0 outside security0
nameif ethernet1 inside security100 10.7.4.0/24 - 10.7.4.1
nameif ethernet2 dmz security50 10.7.20.0/24 - 10.7.20.1
nameif ethernet3 vpn security85 10.7.30.0/24 - 10.7.30.1
nameif vlan201 ilo security90 10.7.1.0/24 - 10.7.1.1
The local client is 10.13.10.2 on the 10.13.0.0/16 network connected to a Cisco 837 ADSL router.
The 837 has NAT established
Uses Route Map SDM_RMAP_1 that in turn uses access-list 101
access-list 101
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
There is NO firewall configured on the 837
The VPN tunnel uses IPSec rule 100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24
I can ping 10.7.30.1 from the local client
From the VPN concentrator, I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2)
So my question in general terms is: how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN?
I thought (& have tried) that
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic
I think I've missed a step because
i. a tracert on 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails
Answer: Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel
Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd:
Add this to access-list 101 being referenced in your route map SDM_RMAP_1 on the 837.
deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
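To show why the NAT deny is the missing step, here is an added example (not from the question or answer above, and not Cisco code) that models the 837's inside-to-outside packet path in Python: the NAT route-map ACL is evaluated first, so a source that gets translated to the public address no longer matches a crypto ACL written for 10.13.0.0/16, and the packet leaves the ADSL circuit in the clear, which is what the tracert in the question shows. It assumes a constructed placeholder public address (203.0.113.5) for the 837's outside interface and assumes the crypto ACL 100 also receives the 10.7.20.0/24 permit the questioner describes in step (b); the "after" configuration combines that with the answer's NAT deny.

```python
"""Model of the Cisco 837's inside-to-outside path for the thread above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed public address of the 837's ADSL (outside) interface: a constructed
# documentation-range placeholder, not a value taken from the thread.
WAN_PUBLIC_IP = "203.0.113.5"


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst are 'network wildcard' strings or 'any'."""
    action: str
    src: str
    dst: str


def _matches(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: '1' bits in the wildcard are don't-care bits."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation, with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action == "permit"
    return False


INSIDE = "10.13.0.0 0.0.255.255"
VPN_LAN = "10.7.30.0 0.0.0.255"
DMZ_LAN = "10.7.20.0 0.0.0.255"

# access-list 101 (NAT route map) and access-list 100 (crypto ACL) as posted.
NAT_ACL_BEFORE = [Ace("deny", INSIDE, VPN_LAN), Ace("permit", INSIDE, "any")]
CRYPTO_ACL_BEFORE = [Ace("permit", INSIDE, VPN_LAN)]

# After the fix: the answer's NAT deny for 10.7.20.0/24 plus the crypto-ACL
# permit from the questioner's step (b). Assumed to be applied together.
NAT_ACL_AFTER = [
    Ace("deny", INSIDE, DMZ_LAN),
    Ace("deny", INSIDE, VPN_LAN),
    Ace("permit", INSIDE, "any"),
]
CRYPTO_ACL_AFTER = [Ace("permit", INSIDE, VPN_LAN), Ace("permit", INSIDE, DMZ_LAN)]


def forward(src: str, dst: str, nat_acl: List[Ace], crypto_acl: List[Ace]) -> Tuple[str, str]:
    """IOS inside-to-outside order: NAT translation runs before the crypto map
    is checked. A NAT'd source therefore never matches a crypto ACL that names
    the private 10.13.0.0/16 range. Returns (egress, source address as sent)."""
    if acl_permits(nat_acl, src, dst):
        src = WAN_PUBLIC_IP          # translated; private source is gone
    if acl_permits(crypto_acl, src, dst):
        return ("ipsec-tunnel", src)  # encrypted to the concentrator
    return ("adsl-clear", src)        # plain routing out the ADSL circuit


if __name__ == "__main__":
    client = "10.13.10.2"
    for label, nat, crypto in (("before", NAT_ACL_BEFORE, CRYPTO_ACL_BEFORE),
                               ("crypto-only", NAT_ACL_BEFORE, CRYPTO_ACL_AFTER),
                               ("after", NAT_ACL_AFTER, CRYPTO_ACL_AFTER)):
        for dst in ("10.7.30.1", "10.7.20.27"):
            print(f"{label:12} {client} -> {dst}: {forward(client, dst, nat, crypto)}")
```

Running it shows 10.7.30.1 tunnelled in every case, 10.7.20.27 leaving the ADSL circuit NAT'd when only the crypto ACL is changed, and tunnelled only once the NAT deny is also in place.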