Hello Guys, I hope someone can help me with this. I have a PIX and an 1841 doing a VPN tunnel. When I do a traceroute from the 1841 to a device on the PIX network, I see that the traffic is being sent to the internet instead of through the tunnel. Here's a copy of the 1841 config...
thanks
! 1841 ("HighPointWarehouse") running config, posted to debug an IPsec
! site-to-site tunnel to a PIX. Review comments are the "!" lines; IOS
! ignores them if the config is pasted back.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Passwords appear in clear text in every "show run" and in dumps shared
! like this one. "service password-encryption" only obscures them (type 7,
! reversible), but is still preferable to clear text.
no service password-encryption
!
hostname HighPointWarehouse
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.123-8.T6.bin
boot-end-marker
!
! Buffered logging is off, so "log" hits from access-list 199 are not kept
! on the box; they only reach the console or a syslog server, if configured.
no logging buffered
!
!
!
! CBAC inspection rule sets. DEFAULT100 is defined but is not applied to
! any interface in this config; only "test" is used (Serial0/0/0.1, out).
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
! "test" is the rule set actually applied outbound on the WAN subinterface.
ip inspect name test tcp
ip inspect name test udp
ip inspect name test ftp
ip inspect name test icmp
! DHCP: .1 and .51-.254 are excluded, so the pool hands out .2-.50 with
! permanent leases.
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.3.51 192.168.3.254
!
ip dhcp pool warehouse
network 192.168.3.0 255.255.255.0
dns-server 216.237.192.2
default-router 192.168.3.1
lease infinite
!
!
ip ips po max-events 100
ip domain name yourdomain.com
ip name-server 216.237.192.2
ip name-server 137.118.1.33
no ftp-server write-enable
!
!
!
!
!
!
! IKE phase 1: MD5 hash with a pre-shared key. No "encryption" or "group"
! line is present, so the platform defaults apply; the PIX must match.
crypto isakmp policy 1
hash md5
authentication pre-share
! The pre-shared key is stored in clear text and has now been posted
! publicly with this config: treat it as compromised and change it on
! both peers.
crypto isakmp key LTr3ndR0b1ns0N address x.x.x.x
!
!
! Phase 2 transform: single DES + MD5-HMAC, both weak by current standards.
! Any stronger set (3DES/AES, SHA) has to be changed on the PIX at the same
! time, or phase 2 will fail.
crypto ipsec transform-set CONDES esp-des esp-md5-hmac
!
! Interesting traffic is ACL 102 (192.168.3.0/24 -> 192.168.1.0/24).
! reverse-route injects a route for the remote proxy network toward the
! peer while the SA exists; before that, 192.168.1.0/24 simply follows the
! default route below.
! NOTE(review): a traceroute run on the router itself is sourced from the
! egress (serial) address unless told otherwise, and that source does not
! match ACL 102, so the probes leave via the default route unencrypted.
! Test with an extended traceroute sourced from 192.168.3.1, or from a
! host on the LAN.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Otay
set peer x.x.x.x
set transform-set CONDES
match address 102
reverse-route
!
!
!
! Inside LAN interface, NAT inside.
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! Unused and shut down. uRPF (ip verify unicast reverse-path) is configured
! only here, not on the active outside interface.
interface FastEthernet0/1
description $FW_OUTSIDE$
no ip address
ip verify unicast reverse-path
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
! Physical frame-relay interface. ACL 199 is applied inbound here while the
! IP address lives on the point-to-point subinterface. NOTE(review): confirm
! whether this ACL is actually evaluated for traffic arriving on
! Serial0/0/0.1 -- if it is, its "deny ip any any" would also drop the
! peer's ISAKMP (UDP 500) and ESP, and the tunnel could never come up.
interface Serial0/0/0
no ip address
ip access-group 199 in
ip nat outside
ip virtual-reassembly
encapsulation frame-relay
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
! Active outside interface: CBAC "test" outbound, NAT outside, crypto map.
! No ip access-group is applied on the subinterface itself; CBAC only opens
! return-traffic holes in an inbound ACL, so unless ACL 199 on the parent
! interface is enforced here, inbound WAN traffic is not filtered at all.
interface Serial0/0/0.1 point-to-point
ip address x.x.x.x 255.255.255.252
ip inspect test out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 481 IETF
crypto map SDM_CMAP_1
!
ip classless
! Default route to the provider next hop. With the crypto map on
! Serial0/0/0.1, tunnel traffic also follows this route and is encrypted
! on the way out of that subinterface.
ip route 0.0.0.0 0.0.0.0 x.x.x.x
! Redundant with the connected route on FastEthernet0/0; harmless.
ip route 192.168.3.0 255.255.255.0 FastEthernet0/0
! Clear-text HTTP management (used by SDM) with HTTPS disabled. Restrict it
! with "ip http access-class" or switch to "ip http secure-server".
ip http server
ip http authentication local
no ip http secure-server
! PAT overload driven by route-map SDM_RMAP_2 -> ACL 103, whose first line
! exempts 192.168.3.0/24 -> 192.168.1.0/24 from translation. This mirrors
! crypto ACL 102, so tunnel traffic keeps its private source address --
! the NAT side of the tunnel setup is correct.
ip nat inside source route-map SDM_RMAP_2 interface Serial0/0/0.1 overload
!
! BUG: "permit ip any any" comes before the deny, so the deny line is never
! reached. The route-map that references this list (SDM_RMAP_1) is not
! applied anywhere in this config, so the list is inert today; put the
! deny first before reusing it.
ip access-list extended outnat
permit ip any any
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! ACL 2 is not referenced anywhere in this config.
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.3.0 0.0.0.255
! Anti-spoofing list: blocks 64.50.62.96/27 (presumably the public range
! this site uses -- verify), broadcast and loopback sources. Defined but
! not applied to any interface here.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 64.50.62.96 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 is not referenced anywhere in this config.
access-list 101 permit udp host 65.106.1.196 eq domain host 64.50.62.111
! Crypto ACL (interesting traffic) for SDM_CMAP_1.
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT ACL: deny (= do not translate) tunnel traffic first, translate the rest.
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
! Inbound WAN ACL (see Serial0/0/0). BUG: the last permit for 64.50.62.110
! sits after "deny ip any any log" and is unreachable; move it above the
! deny if that host is meant to be allowed in.
access-list 199 permit ip host 171.69.89.199 any
access-list 199 deny ip any any log
access-list 199 permit ip host 64.50.62.110 any
! Not applied anywhere in this config (see "outnat" above).
route-map SDM_RMAP_1 permit 1
match ip address outnat
!
! Used by "ip nat inside source" above.
route-map SDM_RMAP_2 permit 1
match ip address 103
!
!
!
!
! Console and VTY authenticate against local usernames (the username lines
! are not in this paste). Remote management is telnet only, so credentials
! and sessions cross the WAN in clear text; this image supports SSH
! ("transport input ssh" after generating an RSA key). "privilege level 15"
! on the lines drops every successful login straight into full privilege
! unless the username entries set their own level.
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end
thanks
! 1841 ("HighPointWarehouse") running config, posted to debug an IPsec
! site-to-site tunnel to a PIX. Review comments are the "!" lines; IOS
! ignores them if the config is pasted back.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Passwords appear in clear text in every "show run" and in dumps shared
! like this one. "service password-encryption" only obscures them (type 7,
! reversible), but is still preferable to clear text.
no service password-encryption
!
hostname HighPointWarehouse
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.123-8.T6.bin
boot-end-marker
!
! Buffered logging is off, so "log" hits from access-list 199 are not kept
! on the box; they only reach the console or a syslog server, if configured.
no logging buffered
!
!
!
! CBAC inspection rule sets. DEFAULT100 is defined but is not applied to
! any interface in this config; only "test" is used (Serial0/0/0.1, out).
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
! "test" is the rule set actually applied outbound on the WAN subinterface.
ip inspect name test tcp
ip inspect name test udp
ip inspect name test ftp
ip inspect name test icmp
! DHCP: .1 and .51-.254 are excluded, so the pool hands out .2-.50 with
! permanent leases.
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.3.51 192.168.3.254
!
ip dhcp pool warehouse
network 192.168.3.0 255.255.255.0
dns-server 216.237.192.2
default-router 192.168.3.1
lease infinite
!
!
ip ips po max-events 100
ip domain name yourdomain.com
ip name-server 216.237.192.2
ip name-server 137.118.1.33
no ftp-server write-enable
!
!
!
!
!
!
! IKE phase 1: MD5 hash with a pre-shared key. No "encryption" or "group"
! line is present, so the platform defaults apply; the PIX must match.
crypto isakmp policy 1
hash md5
authentication pre-share
! The pre-shared key is stored in clear text and has now been posted
! publicly with this config: treat it as compromised and change it on
! both peers.
crypto isakmp key LTr3ndR0b1ns0N address x.x.x.x
!
!
! Phase 2 transform: single DES + MD5-HMAC, both weak by current standards.
! Any stronger set (3DES/AES, SHA) has to be changed on the PIX at the same
! time, or phase 2 will fail.
crypto ipsec transform-set CONDES esp-des esp-md5-hmac
!
! Interesting traffic is ACL 102 (192.168.3.0/24 -> 192.168.1.0/24).
! reverse-route injects a route for the remote proxy network toward the
! peer while the SA exists; before that, 192.168.1.0/24 simply follows the
! default route below.
! NOTE(review): a traceroute run on the router itself is sourced from the
! egress (serial) address unless told otherwise, and that source does not
! match ACL 102, so the probes leave via the default route unencrypted.
! Test with an extended traceroute sourced from 192.168.3.1, or from a
! host on the LAN.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Otay
set peer x.x.x.x
set transform-set CONDES
match address 102
reverse-route
!
!
!
! Inside LAN interface, NAT inside.
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! Unused and shut down. uRPF (ip verify unicast reverse-path) is configured
! only here, not on the active outside interface.
interface FastEthernet0/1
description $FW_OUTSIDE$
no ip address
ip verify unicast reverse-path
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
! Physical frame-relay interface. ACL 199 is applied inbound here while the
! IP address lives on the point-to-point subinterface. NOTE(review): confirm
! whether this ACL is actually evaluated for traffic arriving on
! Serial0/0/0.1 -- if it is, its "deny ip any any" would also drop the
! peer's ISAKMP (UDP 500) and ESP, and the tunnel could never come up.
interface Serial0/0/0
no ip address
ip access-group 199 in
ip nat outside
ip virtual-reassembly
encapsulation frame-relay
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
! Active outside interface: CBAC "test" outbound, NAT outside, crypto map.
! No ip access-group is applied on the subinterface itself; CBAC only opens
! return-traffic holes in an inbound ACL, so unless ACL 199 on the parent
! interface is enforced here, inbound WAN traffic is not filtered at all.
interface Serial0/0/0.1 point-to-point
ip address x.x.x.x 255.255.255.252
ip inspect test out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 481 IETF
crypto map SDM_CMAP_1
!
ip classless
! Default route to the provider next hop. With the crypto map on
! Serial0/0/0.1, tunnel traffic also follows this route and is encrypted
! on the way out of that subinterface.
ip route 0.0.0.0 0.0.0.0 x.x.x.x
! Redundant with the connected route on FastEthernet0/0; harmless.
ip route 192.168.3.0 255.255.255.0 FastEthernet0/0
! Clear-text HTTP management (used by SDM) with HTTPS disabled. Restrict it
! with "ip http access-class" or switch to "ip http secure-server".
ip http server
ip http authentication local
no ip http secure-server
! PAT overload driven by route-map SDM_RMAP_2 -> ACL 103, whose first line
! exempts 192.168.3.0/24 -> 192.168.1.0/24 from translation. This mirrors
! crypto ACL 102, so tunnel traffic keeps its private source address --
! the NAT side of the tunnel setup is correct.
ip nat inside source route-map SDM_RMAP_2 interface Serial0/0/0.1 overload
!
! BUG: "permit ip any any" comes before the deny, so the deny line is never
! reached. The route-map that references this list (SDM_RMAP_1) is not
! applied anywhere in this config, so the list is inert today; put the
! deny first before reusing it.
ip access-list extended outnat
permit ip any any
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! ACL 2 is not referenced anywhere in this config.
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.3.0 0.0.0.255
! Anti-spoofing list: blocks 64.50.62.96/27 (presumably the public range
! this site uses -- verify), broadcast and loopback sources. Defined but
! not applied to any interface here.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 64.50.62.96 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 is not referenced anywhere in this config.
access-list 101 permit udp host 65.106.1.196 eq domain host 64.50.62.111
! Crypto ACL (interesting traffic) for SDM_CMAP_1.
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT ACL: deny (= do not translate) tunnel traffic first, translate the rest.
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
! Inbound WAN ACL (see Serial0/0/0). BUG: the last permit for 64.50.62.110
! sits after "deny ip any any log" and is unreachable; move it above the
! deny if that host is meant to be allowed in.
access-list 199 permit ip host 171.69.89.199 any
access-list 199 deny ip any any log
access-list 199 permit ip host 64.50.62.110 any
! Not applied anywhere in this config (see "outnat" above).
route-map SDM_RMAP_1 permit 1
match ip address outnat
!
! Used by "ip nat inside source" above.
route-map SDM_RMAP_2 permit 1
match ip address 103
!
!
!
!
! Console and VTY authenticate against local usernames (the username lines
! are not in this paste). Remote management is telnet only, so credentials
! and sessions cross the WAN in clear text; this image supports SSH
! ("transport input ssh" after generating an RSA key). "privilege level 15"
! on the lines drops every successful login straight into full privilege
! unless the username entries set their own level.
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end