Posted by News Reader on May 1, 2008, 11:32 pm
News Reader wrote:
> Elia Spadoni wrote:
>>> e.g.: reach the far-side tunnel endpoint (often the external far side
>>> interface) by way of your router's default gateway (next hop,
>>> Internet side).
>>>
>>> ip route <far-side-tunnel-endpoint-ip> 255.255.255.255 <router's-Internet-next-hop-ip> 2
The above was true for an external interface as the tunnel endpoint.
For the side(s) that use(s) an internal interface (e.g.: loopback) as
the tunnel endpoint, the static route would be:
ip route <far-side-tunnel-endpoint-ip> 255.255.255.255 <far-side-external-interface-ip> 2
Sorry Elia.
>>>
>>> There are other methods of dealing with recursive routing, but the
>>> static route method is what I have used.
>>>
>>> Best Regards,
>>> News Reader
>>
>> Hello
>>
>>
>> I was not able to make it work.
>> The packet gets "unreachable" not on my edge router, but on the first
>> ISP-side router.
>>
>> Any suggestions?
>>
>> I didn't have any problems when both of the endpoints were directly
>> connected public IPs.
>>
>
> You haven't given us much info to work with. Clarification would be
> beneficial.
>
> Which interfaces are used as tunnel endpoints at each site?
>
> Which interfaces are "ip NAT inside" and "ip NAT outside" at each site?
>
> Don't think you want a tunnel endpoint being an "ip NAT inside"
> interface.
>
>
> On which interfaces are the crypto maps applied at each site?
>
> Have the crypto ACLs been changed to reflect the new tunnel endpoint(s)?
>
> Are you using ESP transport mode or tunnel mode?
>
> Think you probably want to be using ESP Tunnel mode.
>
>
> Are the tunnel endpoint networks included in your dynamic routing?
>
> May need to revisit the recursive static route based on your answers.
>
> It would be helpful if you shared some addressing info, even if you had
> to modify it somewhat for privacy.
>
>
> When we were using loopback interfaces as tunnel endpoints on our NAT
> edge routers:
>
> * We created loopback interfaces to specifically handle this traffic.
> They were NOT configured as "ip NAT inside" interfaces.
> * We advertised the loopback networks via our dynamic routing protocol.
> * We created static routes to the far side loopback networks via the
> edge routers' next-hop routers (ISP gateway).
> * We amended our crypto maps to reflect the new tunnel endpoint addresses.
> * We applied the crypto maps to the edge router's external interfaces.
> * We used an ESP Tunnel mode IPSec transform.
>
> Best Regards,
> News Reader
Best Regards,
News Reader
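A constructed Cisco IOS configuration for one site, added here and not taken from the thread, that puts the steps in the list above together: a loopback tunnel endpoint that is not "ip nat inside", the loopback advertised in the IGP, the far-side endpoint pinned with a static host route via the ISP next hop (distance 2, as in the ip route line quoted above), the crypto map on the external interface, and an ESP tunnel-mode transform. The addresses (RFC 5737 documentation ranges), the EIGRP process, GRE over IPsec, and the "crypto map ... local-address" line are assumptions, not details from the thread.

```cisco
! Site A edge router: constructed example, not from the thread. Site B mirrors it.
! Assumed RFC 5737 addresses: Site A endpoint Loopback10 192.0.2.1/32, Site B
! endpoint 192.0.2.2/32, Site A ISP next hop 198.51.100.1.
interface Loopback10
 description GRE/IPsec tunnel endpoint - deliberately NOT "ip nat inside"
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 192.0.2.2
!
! Advertise the loopback, LAN and tunnel networks in the IGP (EIGRP is an assumption).
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 192.0.2.1 0.0.0.0
 network 172.16.0.0 0.0.0.3
!
! Default route to the ISP, plus the host route that defeats recursive routing:
! the far-side endpoint is pinned to the ISP next hop with distance 2, so it wins
! over the same /32 learned through the tunnel by the IGP.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.0.2.2 255.255.255.255 198.51.100.1 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! Crypto ACL rewritten for the new endpoints: protect the GRE traffic between loopbacks
ip access-list extended VPN-CRYPTO-ACL
 permit gre host 192.0.2.1 host 192.0.2.2
crypto map VPN-MAP local-address Loopback10
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ESP-AES-SHA
 match address VPN-CRYPTO-ACL
```

After applying it, "show ip route 192.0.2.2" should show the static route via 198.51.100.1 rather than a route via Tunnel0; if the IGP route wins, the tunnel will flap with recursive routing.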