NAT sometimes is the bane of my existence.
I'm trying to set up a VTI site-to-site VPN with Cisco routers. The VPN connection comes up fine. My problem is that I'm using the same interface for internet access as well. My endpoints can reach the internet, but they can't reach between branches.
Routers are 4331s on Denali.
All branches are on the 10.0.0.0/8 subnet.
Here is a sample of my config:
interface Tunnel2
 ip address 192.168.250.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 keepalive 90 3
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti_profile
!
interface GigabitEthernet0/1/0
 ip address X.X.X.X 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
!
ip nat inside source route-map g010nat interface GigabitEthernet0/1/0 overload
!
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
route-map g010nat permit 10
 match ip address 110
 match interface GigabitEthernet0/1/0
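As an added illustration (not from the post), the following Python check models the access-list 110 and route-map g010nat decision using Cisco wildcard-mask and first-match ACL semantics, so you can confirm which flows the overload NAT rule would translate and which it exempts. The sample addresses are constructed; the interface names come from the config above.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# Constructed representation of access-list 110 from the post:
# (action, (source, wildcard), (destination, wildcard)); "any" is 0.0.0.0 255.255.255.255
ACL_110 = [
    ("deny",   ("10.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255")),
    ("permit", ("10.0.0.0", "0.255.255.255"), ("0.0.0.0", "255.255.255.255")),
]

def acl_action(acl, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def nat_translates(src, dst, egress_interface):
    """route-map g010nat permit 10: both match clauses must be true for the
    'ip nat inside source ... overload' statement to translate the flow."""
    return (acl_action(ACL_110, src, dst) == "permit"
            and egress_interface == "GigabitEthernet0/1/0")

if __name__ == "__main__":
    # Constructed sample flows: branch host to the internet vs. branch to branch
    for flow in [("10.1.1.5", "8.8.8.8", "GigabitEthernet0/1/0"),
                 ("10.1.1.5", "10.2.2.5", "Tunnel2"),
                 ("10.1.1.5", "10.2.2.5", "GigabitEthernet0/1/0")]:
        print(flow, "-> NAT" if nat_translates(*flow) else "-> exempt")
```

A branch-to-branch flow is denied by the first ACL entry regardless of egress interface, so the ACL itself already exempts 10/8-to-10/8 traffic from translation.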