Question:
I have the following problem.
Situation:
- one main location M, with an ASA5510 (v8.3) which has many (about 100) IPsec tunnels to remote locations. Local subnet is 172.16.254.0/24
- some of these remote locations have the same subnet, let's say there are 2 locations which use 192.168.1.0/24
- for one of such locations (let's call it A), I create a 'virtual subnet' 192.169.1.0/24 which is a static NAT in the router on the location: ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias. This location has a Cisco 881 router.
The problem is that with this NAT configuration, internet traffic on location A is not possible.
Question: what is the best way to solve this?
dot11 syslog
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set ipsec_tun_cybercenter esp-3des esp-md5-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ipsec_tun_cybercenter
 match address 105
!
ip ssh version 2
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN Interface
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
!
interface Dialer0
 ip address negotiated
 ip access-group 106 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username kpn password 7 082A5C40
 crypto map CMAP
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias
!
access-list 101 deny ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 permit ip 192.169.1.0 0.0.0.255 any
access-list 105 permit ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
Answer:
"ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias"
Perhaps you can try with a policy NAT (static NAT + route-map) to let NAT kick in only for IPsec.
Let us know if it can solve the issue.
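A worked version of the policy NAT the answer suggests, added here as an example and not taken from the original post or its author. It reuses the addresses and ACL numbers from the posted 881 config; the ACL name VPN_TO_MAIN and the route-map name NAT_VPN are assumptions, and the route-map option on the static network NAT command is the one documented for ip nat inside source static network in the IOS NAT command reference (the posted no-alias keyword can be kept on that line if the release accepts it in that position).

```cisco
! Added example, not part of the original post. Goal: rewrite 192.168.1.0/24
! to the "virtual subnet" 192.169.1.0/24 only for traffic that goes through
! the tunnel to the main site, so internet traffic keeps its real address
! and is PAT'ed on Dialer0 as before.
!
! 1. Traffic that must appear as 192.169.1.x inside the tunnel
!    (ACL name VPN_TO_MAIN is an assumption)
ip access-list extended VPN_TO_MAIN
 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
!
! 2. Route-map that makes the static network NAT conditional
!    (route-map name NAT_VPN is an assumption)
route-map NAT_VPN permit 10
 match ip address VPN_TO_MAIN
!
! 3. Replace the unconditional static network NAT from the post
no ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias
ip nat inside source static network 192.168.1.0 192.169.1.0 /24 route-map NAT_VPN
!
! 4. Internet PAT now has to match the real LAN addresses: the posted ACL 101
!    matched 192.169.1.0, which only exists after translation. Tunnel traffic
!    stays excluded so it is never overloaded onto the Dialer0 address.
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! 5. The crypto ACL keeps the translated source: on the inside-to-outside
!    path NAT runs before the crypto map, so the tunnel sees 192.169.1.x.
!    Unchanged from the post, shown here for completeness.
access-list 105 permit ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
```

After applying it, check "show ip nat translations": 192.168.1.x to 192.169.1.x entries should appear only for flows toward 172.16.254.0/24, while flows to the internet should show the Dialer0 address, and "show crypto ipsec sa" should show encaps counters increasing for the 192.169.1.0/24 to 172.16.254.0/24 selector. Two caveats: with a route-map attached to a static entry the translation is normally built by inside-initiated traffic, so if hosts at the main site must open connections to 192.169.1.x addresses, check whether the IOS release supports the reversible keyword on that command; and the ASA end of the tunnel must know location A only as 192.169.1.0/24, since the real 192.168.1.0/24 is also used by the other remote site.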