The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.
COURSE of the MONTH
7 days, 19 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
LAN to LAN VPN with internet access?
Posted on 2004-10-15
I have a LAN to LAN VPN set up between a cisco 837 router and 3005 concentrator. The connection is set up to enable a remote cisco 7960 hardphone to register with our CCM server. The problem I have is that the remote user can no longer acces the internet as everything is now sent down the tunnel. He was using a cicso softphone with a pc based vpn client and split tunnelling. This worked fine but I can't figure out how to do something similar on a LAN to LAN setup which I believe we need so he can use the hardphone. Is this even possible and if so can anyone tell what I need to configure to do it because it's got me stumped?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
-
2
7 Comments
Check the 837 config has an access list permitting the internal network access to the outside.
This link may help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml
If not, could you post up the 837 config ?
This link may help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml
If not, could you post up the 837 config ?
It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel..
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
You might have something like
access-list 101 permit ip any <remote lan> mask
Where you should have
access-list 101 permit ip <local lan> mask <remote lan> mask
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
You might have something like
access-list 101 permit ip any <remote lan> mask
Where you should have
access-list 101 permit ip <local lan> mask <remote lan> mask
Hi All
The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable pc's at the 837 end to access the internet. Any ideas where I am going wrong?
Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ***.***.19.20
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-
ip address 10.1.4.254 255.255.255.0
ip helper-address 10.1.1.10
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address ***.***.237.97 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname **********
ppp chap password 0 ********
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password *****
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable pc's at the 837 end to access the internet. Any ideas where I am going wrong?
Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ***.***.19.20
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-
ip address 10.1.4.254 255.255.255.0
ip helper-address 10.1.1.10
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address ***.***.237.97 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname **********
ppp chap password 0 ********
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password *****
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
Here's a step by step guide:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
You're missing the NAT configuratins.
interface Eth0
ip nat inside
interface Dialer0
ip nat outside
ip nat inside source route-map nonat interface Dialer0 overload
access-list 105 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 105
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
You're missing the NAT configuratins.
interface Eth0
ip nat inside
interface Dialer0
ip nat outside
ip nat inside source route-map nonat interface Dialer0 overload
access-list 105 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 105
Featured Post
Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages. This might be undesirable since the workplace can log all the places you've been. It also might be very slow to load pag…
Secure VPN Connection terminated locally by the Client.
Reason 442: Failed to enable Virtual Adapter.
If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month7 days, 19 hours left to enroll
765 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.