tommoran
asked on
Cisco router with 2 sub serial interfaces 1 for internet and 1 for vpn to central office. Router suggestions?
I have a VPN set up through my service provider. There are now 2 serial ports on my router. One is for direct internet access and the other is for VPN access to my satellite site. I currently have firewalls running NAT at each site. I'm not sure, and that is the reason for this question: to get some advice. I think I may have to run the firewalls in bridging mode and then configure NAT on the routers. Then I can put static routes in the router so that LAN addresses accessing a LAN address in the central or satellite office go across the VPN serial port, and the rest of the normal internet traffic can travel across the internet serial port. The problem is I'm uncertain how to do this on a Cisco 1600 in the central office and a Cisco 1720 in the satellite office. Any suggestions?
It's not very clear what you want to do. Is the VPN provided by the ISP, or do you have to build a site-to-site VPN using your 1720 and 1600?
ASKER
The VPN is built by the provider.
Can you please draw a simple diagram or post the router running-config?
Let me see if I understand. This is what you want to implement:
1) Central office: 1600, 2 serial, 1 Ethernet. One of the serials is for Internet, the other one is for the VPN connection to your remote office. Ethernet is for your central office LAN.
2) Remote office: 1720, 1 serial, 1 Ethernet. Serial is for the VPN connection back to the central office, Ethernet is for your remote office LAN.
3) The VPN is done by the ISP; you don't have to set up a site-to-site VPN on your routers.
Am I right?
Question:
Which mode of firewall do you have at your remote site? And is that "NAT" for your office-to-office or office-to-Internet traffic? You want your central office to be able to access your remote office network and vice versa, and you also want your central office to access the Internet, right?
Please confirm.
ASKER
You are exactly correct with your statement. Let me see if I can diagram it for you.
                  ISP Direct Internet Access
   |-------------------------------------------------------------|
   |                                                             |
   |        |------------- ISP VPN Access -------------|         |
   |        |                                          |         |
Serial0/0.16  Serial0/0.560                Serial0.561  Serial0.16
+---------------------------+              +---------------------------+
|        Cisco 1760         |              |        Cisco 1600         |
+---------------------------+              +---------------------------+
       FastEthernet0/0                            FastEthernet0
              |                                          |
   Public Firewall Interface                  Public Firewall Interface
+---------------------------+              +---------------------------+
| SonicWall 230 Running NAT |              | SonicWall 230 Running NAT |
+---------------------------+              +---------------------------+
   Private Firewall Interface                 Private Firewall Interface
              |                                          |
+---------------------------+              +---------------------------+
|    LAN 172.30.20.0/24     |              |    LAN 172.30.10.0/24     |
+---------------------------+              +---------------------------+
I sure hope I was detailed enough. Thank you for your help and interest in my question.
You are right.
In this case, you don't want your firewall doing any NAT (bridge mode); you configure NAT on your routers and put in static routes to allow access to the other side of the VPN tunnel, plus a default route to the Internet. On your 1760 router, something like this:
! remote office LAN via the provider VPN sub-interface
ip route 172.30.10.0 255.255.255.0 s0/0.560
! everything else via the Internet sub-interface
ip route 0.0.0.0 0.0.0.0 s0/0.16
You can also use policy routing if you want more restriction, but that will add a certain load on your router, especially since the 1600 is not a very powerful box.
ASKER
Can the 1720 handle the more detailed policy settings?
ASKER
I guess another question is:
Which interface do I set as the outside NAT interface? I am guessing the serial0/0.16, since the other serial sees the LAN IP and not a NAT'd IP. I really appreciate your help. I am certain this will take care of my problems.
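An added example (not from this thread or any of its posters) of how the 1760 side could look once the SonicWall is in bridge mode and the router does the NAT: only the Internet sub-interface is marked "ip nat outside", and the translation ACL excludes the remote LAN, so office-to-office traffic on the VPN sub-interface keeps its 172.30.x addresses. The addresses on the serial sub-interfaces, the point-to-point sub-interface type and the anti-spoofing list are assumptions; the carrier's existing encapsulation/DLCI lines are assumed to stay as provisioned.

```text
! Added example, not the thread's config. Site: 172.30.20.0/24 behind the 1760.
! Assumed addressing: 203.0.113.2/30 toward the ISP, 10.0.0.1/30 on the carrier VPN.
interface FastEthernet0/0
 ip address 172.30.20.1 255.255.255.0
 ip nat inside
!
interface Serial0/0.16 point-to-point
 description ISP direct Internet access
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
interface Serial0/0.560 point-to-point
 description ISP VPN to central office
 ip address 10.0.0.1 255.255.255.252
 ! deliberately NOT "ip nat outside": office-to-office traffic is not translated
!
! Office-to-office traffic via the carrier VPN, everything else via the Internet link
ip route 172.30.10.0 255.255.255.0 Serial0/0.560
ip route 0.0.0.0 0.0.0.0 Serial0/0.16
!
! Translate only traffic bound for the Internet; deny the remote LAN first so it
! never matches even if routing changes later
access-list 100 deny   ip 172.30.20.0 0.0.0.255 172.30.10.0 0.0.0.255
access-list 100 permit ip 172.30.20.0 0.0.0.255 any
ip nat inside source list 100 interface Serial0/0.16 overload
!
! Anti-spoofing on the Internet side: packets from the Internet must not claim
! office or other private source addresses (assumed hardening, not from the thread)
access-list 101 deny   ip 172.30.0.0 0.0.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
```

The central office 1600 mirrors this with 172.30.10.0/24 inside, Serial0.16 as the only "ip nat outside" interface and a static route for 172.30.20.0/24 pointing at Serial0.561; "show ip nat translations" should then show entries only for Internet-bound flows.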
ASKER
Worked like a charm. Thanks for the help.