I am trying to send all traffic through the IPsec VPN tunnel. This router connects to a Cisco 3000 back at our datacenter. I want internet traffic to go through the tunnel and out the datacenter side.
Right now all 10.x.x.x networks go through the tunnel, but when I try to go to a website, the traffic goes out FE4 and to the ISP. Can you look at this config and tell me what I am doing wrong? Thanks, Nunzeo
Current configuration : 7726 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
!
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address x.x.x.25
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.25
set peer x.x.x.25
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address x.x.x.50 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.31.5.83 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local policy route-map SDM_RMAP_1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.54
ip route 10.31.0.0 255.255.252.0 10.31.5.1
ip route 10.31.6.0 255.255.255.0 10.31.5.1
ip route 10.31.200.0 255.255.255.0 10.31.5.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.5.0 0.0.0.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 167.147.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.6.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.8.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.9.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.14.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.15.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.16.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.17.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.21.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.24.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.25.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.26.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.27.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 167.147.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.6.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.8.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.9.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.14.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.15.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.16.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.17.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.21.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.24.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.25.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.26.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.27.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.28.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
snmp-server community
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
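The reason web traffic leaves FE4 in the clear is visible in the posted config: the crypto ACL 100 that SDM_CMAP_1 uses only lists 167.147.0.0/16 and 10.1.0.0/16 through 10.29.0.0/16, so a packet to an internet address never matches the crypto map. It does match the NAT route-map (ACL 101 ends in "permit ip 10.31.0.0 0.0.255.255 any"), gets translated to x.x.x.50 and follows the default route to the ISP. On IOS the inside-to-outside order is routing, then NAT, then the crypto map check, so anything that should be encrypted has to be excluded from NAT as well, otherwise the crypto ACL sees the translated source and still never matches. The fragment below is an added example of the full-tunnel variant of that config, not something from Nunzeo's post; it keeps the existing names (SDM_CMAP_1, SDM_RMAP_1, ACLs 100/101, peer x.x.x.25, next hop x.x.x.54) and assumes the datacenter side will be changed to accept a 10.31.0.0/16 to 0.0.0.0/0 security association and to NAT the hairpinned internet traffic before it leaves the datacenter.

```ios
! Added example (not from the original post): full-tunnel version of the
! posted config. Assumes the peer at x.x.x.25 is reconfigured to match
! 10.31.0.0/16 <-> 0.0.0.0/0 and to NAT the hairpinned internet traffic.
!
! 1. Crypto ACL: a deny here means "do not encrypt". Keep anything that
!    stays inside the local 10.31.0.0/16 out of the tunnel, then send
!    everything else sourced from the LAN to the datacenter.
no access-list 100
access-list 100 remark Full tunnel: local /16 in the clear, everything else encrypted
access-list 100 deny   ip 10.31.0.0 0.0.255.255 10.31.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
!
! 2. NAT exemption: the route-map must not translate tunnel-bound traffic.
!    With a full tunnel nothing from the LAN is translated on this router,
!    so ACL 101 is deny-only (an undefined ACL would NOT be safe here: a
!    route-map clause whose ACL is missing matches everything).
no access-list 101
access-list 101 remark NAT route-map: never translate LAN traffic locally
access-list 101 deny   ip 10.31.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
! 3. Unchanged from the post: the crypto map still points at ACL 100 and
!    stays applied to FastEthernet4, and the default route via x.x.x.54 is
!    still required so the ESP/ISAKMP packets to x.x.x.25 can leave.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.25
 set peer x.x.x.25
 set transform-set ESP-3DES-SHA
 match address 100
!
ip route 0.0.0.0 0.0.0.0 x.x.x.54
```

Two things to check after applying it. "show crypto ipsec sa" should show a single SA with local ident 10.31.0.0/255.255.0.0 and remote ident 0.0.0.0/0.0.0.0, with the "#pkts encaps" counter climbing while a LAN host browses; if the counter stays at zero and "show ip nat translations" fills up with entries for that host, the NAT route-map is still winning and ACL 101 was not replaced. Because the crypto ACL now covers every destination, a LAN host loses internet access entirely whenever the tunnel is down, which is the fail-closed behaviour a full tunnel is normally chosen for; the deny-only ACL 101 is what stops traffic from leaking out FE4 in the clear in that case. ACLs 102 and 103 in the posted config are SDM leftovers that nothing references and can be removed.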