Solved

5300->3600 VPN

Posted on 2002-07-26
Last Modified: 2010-04-17
I have an urgent situation in which I had a block of IPs in a remote location, but now I only have one on the serial interface on the edge. My problem is I still need my PCs and 5300s to be able to access all of the equipment behind the 3600 on the remote end.

Do I have to set up a VPN for this, or is there a way I can set up a private IP block behind the remote 3600 and have the local 5300s route to there via routing commands, somehow knowing to hop off the one private IP I have?
Question by:jason987
LVL 79

Expert Comment

by:lrmoore
ID: 7181443
VPN is certainly one way to go. You could use GRE tunnels to do the same thing without the encryption overhead if security is not your main concern.
Either way, you create a virtual "tunnel" between the remote router's Ethernet interface and your router's Ethernet interface, so the routing of public/private IP addresses goes through the tunnel and not across the internet to get lost.
Without knowing more details, I don't know what else to tell you.
The routing is easily handled with route-maps. I'm assuming that the 3600 is doing some NAT, so you have to build rules to exclude source/destination pairs from being NAT'd before they go through the tunnel...
Using GRE tunnels, all you need is basic IP feature set. IPSEC (encrypting the data inside the tunnel) will require IPSEC feature set everywhere, plus possible memory upgrades, etc.
If it is only two sites, it would be a piece of cake.
LVL 79

Expert Comment

by:lrmoore
ID: 7201871
Have any of these comments been of any help to you? Do you need more information?
LVL 5

Author Comment

by:jason987
ID: 7201888
Yes, it helps in theory, but I looked at the docs and couldn't find an easily workable model.


What I would like to do is this:

network A: 192.168.1.1, external public IP say 1.2.3.4
network B: external public 1.2.2.1, internals are /24

Object VPN (minimal security) at network A in which I can take part of the 1.2.2.x block and assign them to network B.
LVL 79

Accepted Solution

by:lrmoore (earned 200 total points)
ID: 7201917
Assuming you have internal network 192.168.3.0 / 24 at B..
Internal network A = 192.168.1.x
Tunnel 0 network = 192.168.2.x
Internal network B = 192.168.3.x

http://www.cisco.com/warp/customer/707/quicktip.html

Site A router:

Create a virtual GRE Tunnel between the external interfaces:

!-- This is one end of the GRE tunnel.
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 !-- The far end will be 192.168.2.2/24
 !-- Associate the tunnel with the physical outside interface,
 !-- the one that carries the public address 1.2.3.4.
 tunnel source Serial0/1
 !-- Outside address of the Site B router.
 tunnel destination 1.2.2.1
!
!-- This is the inside interface.
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
!-- This is the outside interface with the single public block.
interface Serial0/1
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
!
!-- Define the NAT pool.
ip nat pool ourpool 1.2.3.10 1.2.3.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
!-- Force the private network traffic into the tunnel.
ip route 192.168.3.0 255.255.255.0 192.168.2.2
no ip http server
!
!-- Use access list and route-map to address what to NAT.
!-- Traffic to the tunnel network and to Site B's internal network is
!-- excluded from NAT; everything else from the inside is translated.
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
!
!-- The route-map addresses what to NAT.
route-map nonat permit 10
 match ip address 175
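The accepted answer shows only the Site A end of the tunnel. As an added example (not part of lrmoore's answer), here is the mirror configuration for the Site B 3600 using the same addressing plan; it assumes Site B's outside interface is Serial0/0 holding 1.2.2.1 with an upstream next hop of 1.2.2.2 (placeholder), that its inside interface is Ethernet0/0 at 192.168.3.1, and that Site B overloads its own internet traffic onto the serial address rather than a pool.

```cisco
!-- Site B router (the remote 3600). Added example: interface names,
!-- the inside address 192.168.3.1 and the upstream hop 1.2.2.2 are assumptions.
!
!-- Far end of the GRE tunnel; Site A sits at 192.168.2.1.
interface Tunnel0
 ip address 192.168.2.2 255.255.255.0
 !-- Source from the interface that carries the public address 1.2.2.1.
 tunnel source Serial0/0
 !-- Outside address of the Site A router.
 tunnel destination 1.2.3.4
!
!-- Inside LAN at Site B.
interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
!-- Single public address on the edge.
interface Serial0/0
 ip address 1.2.2.1 255.255.255.0
 ip nat outside
!
!-- Internet-bound inside traffic is overloaded onto the serial address.
ip nat inside source route-map nonat interface Serial0/0 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.2.2
!-- Site A's private network is reachable only through the tunnel.
ip route 192.168.1.0 255.255.255.0 192.168.2.1
!
!-- Keep site-to-site traffic out of NAT; everything else gets translated.
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 175
!
!-- Verification from either router once both ends are configured:
!--   show interfaces tunnel 0          (line protocol should be up)
!--   ping 192.168.1.1 source 192.168.3.1
!--   show ip nat translations          (no entries for 192.168.1.x <-> 192.168.3.x)
```

Because Tunnel0 is not marked ip nat outside on either side, the two deny entries are belt-and-braces today; they start doing real work the moment the tunnel interface is ever placed in the NAT outside domain.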
LVL 5

Author Comment

by:jason987
ID: 7204104
Thanks, that gives me a good direction to go.
LVL 79

Expert Comment

by:lrmoore
ID: 7204258
Glad to help!