5300->3600 VPN

Posted on 2002-07-26
Last Modified: 2010-04-17
I have an urgent situation in which I had a block of IPs in a remote location, but now I only have one on the serial interface on the edge. My problem is I still need my PCs and 5300s to be able to access all of the equipment behind the 3600 on the remote end.

Do I have to set up a VPN for this, or is there a way I can set up a private IP block behind the remote 3600 and have the local 5300s route to there via routing commands, somehow knowing to hop off the one private IP I have?
Question by: jason987
LVL 79

Expert Comment

ID: 7181443
VPN is certainly one way to go. You could use GRE tunnels to do the same thing without the encryption overhead if security is not your main concern.
Either way, you create a virtual "tunnel" between the remote router's Ethernet interface and your router's Ethernet interface, so the routing of public/private IP addresses goes through the tunnel and not across the internet to get lost.
Without knowing more details, I don't know what else to tell you.
The routing is easily handled with route-maps. I'm assuming that the 3600 is doing some NAT, so you have to build rules to exclude source/destination pairs from being NAT'd before they go through the tunnel...
Using GRE tunnels, all you need is basic IP feature set. IPSEC (encrypting the data inside the tunnel) will require IPSEC feature set everywhere, plus possible memory upgrades, etc.
If it is only two sites, it would be a piece of cake.
LVL 79

Expert Comment

ID: 7201871
Have any of these comments been of any help to you? Do you need more information?

Author Comment

ID: 7201888
Yes, it helps in theory, but I looked at the docs and couldn't find an easily workable model.

What I would like to do is this:

Network A:, external public IP say
Network B: external public internals are /24

Object VPN (minimal security) at network A in which I can take part of the 1.2.2.x block and assign them to network B.

LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 7201917
Assuming you have internal network / 24 at B..
Internal network A = 192.168.1.x
Tunnel 0 network = 192.168.2.x
Internal network B = 192.168.3.x

Site A router:

Create a virtual GRE Tunnel between the external interfaces:
!-- This is one end of the GRE tunnel.

interface Tunnel0
ip address

!-- The far end will be
!-- Associate the tunnel with the physical interface.
tunnel source Ethernet0/1
tunnel destination <outside of SiteB>

!-- This is the inside interface.
interface Ethernet0/0
ip address
ip nat inside
interface Serial 0/1
ip address
ip nat outside
!-- Define the NAT pool.
ip nat pool ourpool 1.23.20 netmask
ip nat inside source route-map nonat pool ourpool overload

ip classless
ip route
!-- Force the private network traffic into the tunnel.
ip route
no ip http server
!-- Use access list and route-map to address what to NAT.
access-list 175 deny ip
access-list 175 permit ip any
!-- The route-map addresses what to NAT.
route-map nonat permit 10
match ip address 175
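
Both ends of the GRE tunnel described in this answer, as an added example that is not part of the original post or its author's configuration. The public addresses (192.0.2.1 and 198.51.100.1), the host addresses and the Site B interface names are constructed placeholders; the three private networks are the ones named in the answer, and NAT overloads on the serial interface rather than a pool because each site is assumed to have a single public IP.

```cisco
! ===== Site A (constructed: outside 192.0.2.1, LAN 192.168.1.0/24) =====
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 tunnel source Serial0/1
 tunnel destination 198.51.100.1
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Serial0/1
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
! LAN A -> LAN B is excluded from NAT; everything else from LAN A is translated.
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
ip nat inside source route-map nonat interface Serial0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
! Force traffic for the remote private network into the tunnel.
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
! ===== Site B (constructed: outside 198.51.100.1, LAN 192.168.3.0/24) =====
interface Tunnel0
 ip address 192.168.2.2 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
! Mirror image of Site A's list: LAN B -> LAN A stays untranslated.
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Checks after applying both sides:
!   show interface Tunnel0       (line protocol should be up)
!   ping 192.168.2.2             (from Site A: far tunnel endpoint)
!   show ip nat translations     (no entries for 192.168.1.x -> 192.168.3.x)
! GRE alone carries this traffic unencrypted; IPsec is needed if that matters.
```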

Author Comment

ID: 7204104
Thanks, that gives me a good direction to go.
LVL 79

Expert Comment

ID: 7204258
Glad to help!
