Router 1: new T1 and new router (from T1 on a 3630 to 3megT1 on a 1841).
Router 1 has a VPN going to router 2 (different T1, different location).
The VPN is of the type that enables one local network to ping the other local network and the reverse too (IPsec with GRE?).
The VPN source IP was using the serial IP address on the serial interface on router 1.
I wanted to change that and use one of the IPs from the large block we have (what do you call these IPs which aren't the serial?).
So I am trying to add one of those non-serial IPs to FastEthernet0/1 and map the VPN through that interface,
but it says "xxx.xxx.123.0 overlaps with FastEthernet0/0", where the first IP on that block is xxx.xxx.123.1.
Is there a way to exclude one IP from that block which is assigned to FastEthernet0/0?
Is there a downside to using the serial IP? I assume the better way to assign the VPN IP is using one of the block IPs and not the serial, am I wrong?
Thank you.
crypto map vpn 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set s1s2
 match address 108
!
!
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source xxx.xxx.123.78
 tunnel destination xxx.xxx.456.122
 crypto map vpn
!
interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to gw
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address yyy.yyy.123.202 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.248.0 secondary
 ip address xxx.xxx.123.1 255.255.255.0
 no ip redirects
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/0/1:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.10.12.0 0.0.0.255
 network 172.16.0.0 0.0.7.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 MFR1.500
ip route 192.168.25.0 255.255.255.0 10.10.12.2
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld xxx.xxx.123.1 xxx.xxx.123.1 netmask 255.255.255.0
ip nat pool swimpool xxx.xxx.123.2 xxx.xxx.123.254 prefix-length 24
ip nat inside source list 120 pool swimpool overload
ip nat inside source route-map nonat interface MFR1.500 overload
!
access-list 7 permit 172.16.0.0 0.0.255.255
access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.7.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 135
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 135
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 138
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-dgm
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 139
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-ss
access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 109 deny ip host 172.16.172.249 any
access-list 109 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 120 deny ip host 172.16.1.2 any
access-list 120 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.7.255 any
disable-eadi
!
route-map nonat permit 10
 match ip address 7
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 20 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
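
Added example, not part of the original post and not Cisco code: a Python sketch that reads the interface stanzas of a config like the one above and reports which interface's subnet a candidate address would overlap. It assumes the router's check is a plain subnet-overlap test; the 203.0.113.0/24 and 198.51.100.200/30 documentation ranges are constructed stand-ins for the masked xxx.xxx.123.0 block and the WAN link, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample mirroring the posted interfaces (addresses are stand-ins).
SAMPLE_CONFIG = """\
interface MFR1.500 point-to-point
 ip address 198.51.100.202 255.255.255.252
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.248.0 secondary
 ip address 203.0.113.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
"""

# Matches primary and secondary addresses; "no ip address" does not match.
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")


def connected_networks(config):
    """Return [(interface, IPv4Interface)] for every 'ip address' line."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].split()[0]
        elif current and (m := ADDR_RE.match(line)):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            found.append((current, iface))
    return found


def overlap_conflicts(config, target_if, address, mask):
    """Interfaces other than target_if whose subnet overlaps the candidate's."""
    candidate = ipaddress.ip_interface(f"{address}/{mask}").network
    return [(name, str(iface.network))
            for name, iface in connected_networks(config)
            if name != target_if and iface.network.overlaps(candidate)]


if __name__ == "__main__":
    # Candidate from the same /24 that FastEthernet0/0 already owns.
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(mask, overlap_conflicts(SAMPLE_CONFIG, "FastEthernet0/1",
                                      "203.0.113.78", mask))
```

Under that assumption, any address taken from the /24 already configured on FastEthernet0/0 overlaps it whatever mask is chosen, because the address itself lies inside that subnet.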