• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 250

5300->3600 VPN

I have an urgent situation in which I had a block of IP's in a remote location, but now I only have one on the serial interface on the edge.  My problem is I still need my PC's and 5300's to be able to access all of the equipment behind the 3600 on the remote end.

Do I have to set up a VPN for this, or is there a way I can set up a private IP block behind the remote 3600 and have the local 5300's route to there via routing commands, somehow knowing to hop off the one private IP I have?
Asked by: jason987
1 Solution
 
lrmoore commented:
VPN is certainly one way to go. You could use GRE tunnels to do the same thing without the encryption overhead if security is not your main concern.
Either way, you create a virtual "tunnel" between the Remote router's Ethernet interface and your router's Ethernet interface, so the routing of public/private IP addresses go through the tunnel and not across the internet to get lost.
Without knowing more details, I don't know what else to tell you.
The routing is easily handled with route-maps. I'm assuming that the 3600 is doing some NAT, so you have to build rules to exclude source/destination pairs from being nat'd before they go through the tunnel...
Using GRE tunnels, all you need is basic IP feature set. IPSEC (encrypting the data inside the tunnel) will require IPSEC feature set everywhere, plus possible memory upgrades, etc.
If it is only two sites, it would be a piece of cake.
0
 
lrmoore commented:
Have any of these comments been of any help to you? Do you need more information?
0
 
jason987 (Author) commented:
Yes, it helps in theory, but I looked at the docs and couldn't find an easily workable model.


What I would like  to do is this:

network A:  192.168.1.1, external public IP say 1.2.3.4
network B:  external public 1.2.2.1, internals are /24

Object VPN (minimal security) at network A in which I can take part of the 1.2.2.x block and assign them to network B.
0
 
lrmoore commented:
Assuming you have internal network 192.168.3.0/24 at B.
Internal network A = 192.168.1.x
Tunnel 0 network = 192.168.2.x
Internal network B = 192.168.3.x

http://www.cisco.com/warp/customer/707/quicktip.html

Site A router:

Create a virtual GRE Tunnel between the external interfaces:
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 192.168.2.1 255.255.255.0
!-- The far end will be 192.168.2.2/24
!-- Associate the tunnel with the physical outside interface (Serial 0/1, which holds 1.2.3.4).
tunnel source Serial0/1
!-- 1.2.2.1 is the outside address of Site B.
tunnel destination 1.2.2.1
!
!-- This is the inside interface.
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial 0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
!
!-- Define the NAT pool.
ip nat pool ourpool 1.2.3.10 1.2.3.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
!-- Force the private network traffic into the tunnel.
ip route 192.168.3.0 255.255.255.0 192.168.2.2
no ip http server
!
!-- Use access list and route-map to address what to NAT.
!-- "deny" here means "do not translate": traffic to the tunnel network
!-- and to Site B's LAN must keep its private source address.
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
!
!-- The route-map addresses what to NAT.
route-map nonat permit 10
match ip address 175
0
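The subtle part of the Site A config above is the interaction between the static route (which pushes 192.168.3.0/24 into Tunnel0) and ACL 175 (which decides what the route-map hands to NAT). If the ACL exempts only the tunnel network itself, packets from LAN A to LAN B still match the `permit ... any` line and get translated to a public address before they enter the tunnel, so the return path breaks. The following added Python example, which is not part of the answer or of Cisco's documentation, parses the ACL lines in IOS syntax, applies IOS wildcard-mask semantics and the implicit trailing deny, does a longest-prefix lookup over the two static routes, and compares two ACL variants: one that exempts only 192.168.2.0/24 and one that also exempts 192.168.3.0/24. The function names (`parse_acl`, `classify`, `next_hop`) and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed copy of ACL 175 with only the tunnel network exempted from NAT.
ACL_175_TUNNEL_ONLY = [
    "access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 175 permit ip 192.168.1.0 0.0.0.255 any",
]

# Same ACL with an extra deny for Site B's LAN (192.168.3.0/24), so traffic bound
# for the far end of the tunnel is not translated before it enters Tunnel0.
ACL_175_WITH_SITE_B = [
    "access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 175 permit ip 192.168.1.0 0.0.0.255 any",
]

# Static routes from the Site A config: (prefix, next hop). Longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "1.2.3.5"),           # default route towards the ISP
    ("192.168.3.0/24", "192.168.2.2"),  # Site B LAN via the far end of Tunnel0
]


def _parse_addr(parts, i):
    """Parse one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if parts[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if parts[i] == "host":
        return (parts[i + 1], "0.0.0.0"), i + 2
    return (parts[i], parts[i + 1]), i + 2


def parse_acl(lines):
    """Turn 'access-list N action ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = parts[2]
        src, i = _parse_addr(parts, 4)
        dst, _ = _parse_addr(parts, i)
        entries.append((action, src, dst))
    return entries


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def next_hop(routes, dst):
    """Longest-prefix match over the static routes; None if nothing matches."""
    best = None
    addr = ipaddress.IPv4Address(dst)
    for prefix, hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def classify(acl_lines, src, dst, routes=ROUTES):
    """Return (translated, next_hop): whether 'ip nat inside source route-map nonat'
    would NAT this packet (ACL permit == translate), and where routing sends it."""
    translated = acl_action(parse_acl(acl_lines), src, dst) == "permit"
    return translated, next_hop(routes, dst)


if __name__ == "__main__":
    for name, acl in (("tunnel-net deny only", ACL_175_TUNNEL_ONLY),
                      ("plus Site B deny", ACL_175_WITH_SITE_B)):
        nat, hop = classify(acl, "192.168.1.10", "192.168.3.10")
        print(f"{name}: LAN A -> LAN B  natted={nat} next_hop={hop}")
    print("LAN A -> internet:", classify(ACL_175_WITH_SITE_B, "192.168.1.10", "8.8.8.8"))
```

Running it shows the failure mode directly: with only the tunnel-network deny, a LAN A to LAN B packet is routed to 192.168.2.2 (into the tunnel) and is also marked for translation, which is exactly the combination the route-map is meant to prevent; with the second deny it enters the tunnel untranslated, while LAN A to internet traffic is still translated and sent to the default next hop.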
 
jason987 (Author) commented:
Thanks, that gives me a good direction to go.
0
 
lrmoore commented:
Glad to help!
0
Question has a verified solution.