Solved

LAN to LAN VPN with internet access?

Posted on 2004-10-15
1,688 Views
Last Modified: 2010-04-12
I have a LAN to LAN VPN set up between a cisco 837 router and 3005 concentrator. The connection is set up to enable a remote cisco 7960 hardphone to register with our CCM server. The problem I have is that the remote user can no longer access the internet as everything is now sent down the tunnel. He was using a cisco softphone with a pc based vpn client and split tunnelling. This worked fine but I can't figure out how to do something similar on a LAN to LAN setup which I believe we need so he can use the hardphone. Is this even possible and if so can anyone tell me what I need to configure to do it because it's got me stumped?
Question by:chrisk61
7 Comments
LVL 23

Expert Comment

by:Tim Holman
ID: 12318500
Check the 837 config has an access list permitting the internal network access to the outside.

This link may help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml

If not, could you post up the 837 config?
LVL 23

Expert Comment

by:Tim Holman
ID: 12318503
(it's unlikely to be a VPN 3000 issue)
LVL 79

Expert Comment

by:lrmoore
ID: 12318660
It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel.
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
You might have something like

    access-list 101 permit ip any <remote lan> mask

Where you should have

    access-list 101 permit ip <local lan> mask <remote lan> mask


Author Comment

by:chrisk61
ID: 12319626
Hi All

The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable PCs at the 837 end to access the internet. Any ideas where I am going wrong?

Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ***.***.19.20
 set transform-set SDM_TRANSFORMSET_1
 match address 100
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 10.1.4.254 255.255.255.0
 ip helper-address 10.1.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ***.***.237.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password 0 ********
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password *****
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12319728
Here's a step by step guide:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

You're missing the NAT configurations.

    interface Eth0
     ip nat inside

    interface Dialer0
     ip nat outside

    ip nat inside source route-map nonat interface Dialer0 overload

    access-list 105 deny   ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 105 permit ip 10.1.4.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 105


Author Comment

by:chrisk61
ID: 12320195
Thanks big time, you're a lifesaver. Everything is working perfectly now.
LVL 79

Expert Comment

by:lrmoore
ID: 12320508
You are most welcome. Glad to help.