LAN to LAN VPN with internet access?

I have a LAN to LAN VPN set up between a Cisco 837 router and 3005 concentrator. The connection is set up to enable a remote Cisco 7960 hardphone to register with our CCM server. The problem I have is that the remote user can no longer access the internet as everything is now sent down the tunnel. He was using a Cisco softphone with a PC-based VPN client and split tunnelling. This worked fine but I can't figure out how to do something similar on a LAN to LAN setup, which I believe we need so he can use the hardphone. Is this even possible and if so can anyone tell me what I need to configure to do it, because it's got me stumped?
Asked by chrisk61
1 Solution
 
Tim Holman Commented:
Check the 837 config has an access list permitting the internal network access to the outside.

This link may help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml

If not, could you post up the 837 config ?

Tim Holman Commented:
(it's unlikely to be a VPN 3000 issue)

lrmoore Commented:
It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel.
If you have an ipsec policy with a "match address xxx", the xxx is an access list.
You might have something like
  access-list 101 permit ip any <remote lan> mask

Where you should have
  access-list 101 permit ip <local lan> mask <remote lan> mask

chrisk61 (Author) Commented:
Hi All

The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable PCs at the 837 end to access the internet. Any ideas where I am going wrong?

Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ***.***.19.20
 set transform-set SDM_TRANSFORMSET_1
 match address 100
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 10.1.4.254 255.255.255.0
 ip helper-address 10.1.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ***.***.237.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password 0 ********
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password *****
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

lrmoore Commented:
Here's a step by step guide:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

You're missing the NAT configurations.

interface Eth0
 ip nat inside

interface Dialer0
 ip nat outside

ip nat inside source route-map nonat interface Dialer0 overload

access-list 105 deny   ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105

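As an added example (not code from the thread or from Cisco), the following Python model walks a packet from the 837's LAN through the IOS inside-to-outside order of operations that the accepted answer relies on: the NAT route-map (ACL 105) is applied first, then the crypto map's "match address 100" is checked against the possibly translated source. It also goes one step beyond the thread by showing why the deny line in ACL 105 is required. The outside address is a constructed placeholder, since the real Dialer0 address is masked above.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: bits that are 0 in the wildcard must match, bits that are 1 are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def acl_eval(acl, src, dst):
    """Top-down extended ACL evaluation with the implicit deny at the end."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
LOCAL_LAN = ("10.1.4.0", "0.0.0.255")   # Ethernet0 side of the 837
REMOTE_LAN = ("10.1.1.0", "0.0.0.255")  # LAN behind the 3005, where the CCM server sits

# access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255  (crypto map "match address 100")
ACL_100 = [("permit", LOCAL_LAN, REMOTE_LAN)]
# access-list 105: deny local->remote, permit local->any  (route-map nonat, from the accepted answer)
ACL_105 = [("deny", LOCAL_LAN, REMOTE_LAN), ("permit", LOCAL_LAN, ANY)]

# Constructed placeholder: the real Dialer0 address is masked in the thread.
OUTSIDE_IP = "203.0.113.97"

def forward(src, dst, nat_acl=ACL_105):
    """Classify one packet from the 837 LAN heading out Dialer0.

    Models the IOS inside-to-outside order of operations: NAT (route-map) is applied
    first, then the crypto map's ACL is checked against the possibly translated source.
    nat_acl=None models the original config, which had no NAT at all.
    Returns (path, source address as it leaves Dialer0).
    """
    if nat_acl is not None and acl_eval(nat_acl, src, dst):
        src = OUTSIDE_IP                  # PAT to the Dialer0 address (overload)
    if acl_eval(ACL_100, src, dst):
        return ("ipsec-tunnel", src)      # interesting traffic, encrypted to the 3005 peer
    # Routed in the clear via the default route. A private source here means replies can
    # never return: the "no internet" symptom the poster saw before NAT was configured.
    return ("clear-text", src)

if __name__ == "__main__":
    for pkt in [("10.1.4.20", "10.1.1.10"), ("10.1.4.20", "198.51.100.7")]:
        print(pkt, "->", forward(*pkt), "| without NAT:", forward(*pkt, nat_acl=None))
```

Passing a route-map ACL without the deny line (for example `[("permit", LOCAL_LAN, ANY)]`) translates the CCM-bound traffic too, so it no longer matches ACL 100 and leaves in the clear instead of down the tunnel.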

chrisk61 (Author) Commented:
Thanks big time, you're a lifesaver. Everything is working perfectly now.

lrmoore Commented:
You are most welcome. Glad to help.