Solved

LAN to LAN VPN with internet access?

Posted on 2004-10-15
7
1,691 Views
Last Modified: 2010-04-12
I have a LAN to LAN VPN set up between a Cisco 837 router and 3005 concentrator. The connection is set up to enable a remote Cisco 7960 hardphone to register with our CCM server. The problem I have is that the remote user can no longer access the internet as everything is now sent down the tunnel. He was using a Cisco softphone with a PC based VPN client and split tunnelling. This worked fine but I can't figure out how to do something similar on a LAN to LAN setup, which I believe we need so he can use the hardphone. Is this even possible and if so can anyone tell me what I need to configure to do it, because it's got me stumped?
0
Question by:chrisk61
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12318500
Check the 837 config has an access list permitting the internal network access to the outside.

This link may help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml

If not, could you post up the 837 config ?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12318503
(it's unlikely to be a VPN 3000 issue)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12318660
It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel.
If you have an ipsec policy with a "match address xxx", the xxx is an access list.
You might have something like

  access-list 101 permit ip any <remote lan> mask

where you should have

  access-list 101 permit ip <local lan> mask <remote lan> mask

0

 

Author Comment

by:chrisk61
ID: 12319626
Hi All

The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable PCs at the 837 end to access the internet. Any ideas where I am going wrong?

Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ***.***.19.20
 set transform-set SDM_TRANSFORMSET_1
 match address 100
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 10.1.4.254 255.255.255.0
 ip helper-address 10.1.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ***.***.237.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password 0 ********
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password *****
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12319728
Here's a step by step guide:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

You're missing the NAT configurations.

  interface Eth0
   ip nat inside

  interface Dialer0
   ip nat outside

  ip nat inside source route-map nonat interface Dialer0 overload

  access-list 105 deny   ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 105 permit ip 10.1.4.0 0.0.0.255 any
  !
  route-map nonat permit 10
   match ip address 105

0
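The fix above works because IOS evaluates an ACL top-down and stops at the first match: the deny in ACL 105 keeps tunnel traffic out of NAT, and the permit sends everything else to the Dialer0 overload. Swapping those two lines, or leaving NAT out entirely (the state of the original post), silently breaks one direction or the other. The script below is an added example written for this thread; it is not lrmoore's or Cisco's code. It parses the crypto-map ACL (100) and the NAT route-map ACL (105) from a config snippet, applies first-match semantics, and reports whether tunnel traffic (the interesting traffic from lrmoore's earlier comment) stays un-NATed while internet-bound traffic still gets translated. The ACL numbers, the documentation prefix 198.51.100.0/24 standing in for "the internet", and the three sample configs are constructed assumptions; only the numbered `ip` ACL form used in the thread is handled.

```python
"""Check that a NAT-exemption ACL is consistent with a crypto-map ACL (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample mirroring the accepted answer: ACL 100 is the crypto map's
# "match address", ACL 105 feeds the "nonat" route-map. Same LANs as the posted config.
GOOD_CONFIG = """
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 deny   ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
"""

# Constructed counter-example: deny placed after permit, so tunnel traffic first matches
# the permit and would be translated before it reaches the crypto map.
BAD_ORDER_CONFIG = """
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
access-list 105 deny   ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Constructed: the state of the original post, a crypto ACL but no NAT ACL at all.
NO_NAT_CONFIG = """
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)\s*$")
# Assumed stand-in for an arbitrary internet destination (RFC 5737 documentation prefix).
INTERNET_PROBE = ipaddress.ip_network("198.51.100.0/24")


def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a Cisco-style wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config_text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for extended 'ip' entries, in order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        src, remaining = parse_endpoint(rest.split())
        dst, _ = parse_endpoint(remaining)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def first_match(entries, src, dst):
    """IOS ACLs are first-match: return the action of the first entry covering src->dst, else the implicit deny."""
    for action, e_src, e_dst in entries:
        if src.subnet_of(e_src) and dst.subnet_of(e_dst):
            return action
    return "implicit deny"


def check_nat_exemption(acls, crypto_acl, nat_acl):
    """Return findings (empty list = consistent) for a NAT ACL that must exempt tunnel traffic and NAT the rest."""
    findings = []
    interesting = [(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"]
    nat_entries = acls.get(nat_acl, [])
    if not interesting:
        findings.append(f"crypto ACL {crypto_acl} has no permit entries; nothing would enter the tunnel")
    for src, dst in interesting:
        if src.prefixlen == 0:
            findings.append(f"crypto ACL {crypto_acl}: source 'any' is broader than the local LAN; "
                            "use the LAN and keep the ACL a mirror image of the peer's")
        if first_match(nat_entries, src, dst) == "permit":
            findings.append(f"tunnel traffic {src} -> {dst} is permitted by ACL {nat_acl} "
                            "and would be NATed before encryption")
        if first_match(nat_entries, src, INTERNET_PROBE) != "permit":
            findings.append(f"internet-bound traffic from {src} is not permitted by ACL {nat_acl}; "
                            "it would leave untranslated with no return path")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad order", BAD_ORDER_CONFIG), ("no NAT ACL", NO_NAT_CONFIG)):
        print(f"{name}: {check_nat_exemption(parse_acls(cfg), '100', '105') or 'OK'}")
```

Paste the `access-list` lines from `show running-config` into one of the config strings (or read them from a file) and run the script; an empty result for the good config and one finding each for the two broken variants is what to expect. The check only covers ordering and coverage of numbered `ip` ACLs; it does not model `ip nat inside`/`outside` placement or the route-map itself, which still have to be verified on the interfaces as in the answer above.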
 

Author Comment

by:chrisk61
ID: 12320195
Thanks big time, you're a lifesaver. Everything is working perfectly now.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12320508
You are most welcome. Glad to help..
0
