tommoran
Cisco router with 2 serial sub-interfaces, 1 for Internet and 1 for VPN to central office. Router suggestions?

I have a VPN set up through my service provider.  There are now 2 serial ports on my router.  One is for direct Internet access and the other for VPN access to my satellite site.  I currently have firewalls running NAT at each site.  I'm not sure, and that is the reason for this question: to get some advice, but I think I may have to run the firewalls in bridging mode and then configure NAT on the routers.  So then I can put static routes in the router for the LAN addresses accessing a LAN address in the central or satellite office to go across the VPN serial port, and then the rest of the normal Internet traffic can travel across the Internet serial port.  Problem is I'm uncertain as to how to do this on a Cisco 1600 in the central office and a Cisco 1720 in the satellite office.  Any suggestions?
magicomminc

Not very clear what you want to do: is the VPN provided by the ISP, or do you have to build a site-to-site VPN using your 1720 and 1600?
tommoran (ASKER)
VPN is built by the provider.
Can you please draw a simple diagram or router running-config?
See if I understand this is what you want to implement:
1) Central office: 1600, 2 serial, 1 Ethernet. One of the serials is for Internet, the other one is for the VPN connection to your remote office. Ethernet is for your central office LAN.
2) Remote office: 1720, 1 serial, 1 Ethernet. Serial is for the VPN connection back to the central office, Ethernet is for your remote office LAN.
3) VPN is done by the ISP, so you don't have to set up a site-to-site VPN on your routers.
Am I right?
Question:
Which mode of firewall do you have at your remote site? And is that "NAT" for your office-to-office or office-to-Internet traffic? You want your central office to be able to access your remote office network and vice versa, and you also want your central office to access the Internet, right?
Please confirm.

You are exactly correct with your statement.  Let me see if I can diagram it for you.

                        |-------------------------ISP Direct Internet Access--------------------------|
                        |                                                                                                     |
                        |                    |----------------ISP VPN Access----------------|                |
               Serial0/0.16    Serial0/0.560                                            Serial0.561    Serial0.16
               --------------------------------                                             ---------------------------
               |          Cisco 1760            |                                            |        Cisco 1600        |
               --------------------------------                                             ---------------------------
                       FastEthernet0/0                                                              FastEthernet0
                                |                                                                                   |
                                |                                                                                   |
                  Public Firewall Interface                                                    Public Firewall Interface
               -----------------------------------                                          ----------------------------------
               | SonicWall 230 Running NAT |                                        | SonicWall 230 Running NAT |
               -----------------------------------                                         -----------------------------------
                Private Firewall Interface                                                     Private Firewall Interface
                                |                                                                                   |
                                |                                                                                   |
               -----------------------------------                                          --------------------------------
               |      LAN 172.30.20.0/24       |                                          |    LAN 172.30.10.0/24     |    
               -----------------------------------                                          --------------------------------

I sure hope I was detailed enough.  Thank you for your help and interest in my question.
You are right.
In this case, you don't want your firewall doing any NAT (bridge mode), and you configure NAT on your routers and put in static routes to allow access to the other side of the VPN tunnel and a default route to the Internet. On your 1760 router, something like this:
! remote LAN (172.30.10.0/24 in your diagram) goes out the VPN sub-interface
ip route 172.30.10.0 255.255.255.0 s0/0.560
! everything else goes out the Internet sub-interface
ip route 0.0.0.0 0.0.0.0 s0/0.16
You can also use policy routing if you want more restriction, but that will add a certain load on your router, especially the 1600, which is not a very powerful box.
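The configuration described above for the central-office router, written out as an added example (not from anyone in this thread). It assumes the diagram posted earlier: LAN 172.30.20.0/24 on FastEthernet0/0, Serial0/0.16 for ISP Internet access and Serial0/0.560 for the ISP VPN; the addresses on the serial links are placeholders, and the encapsulation/DLCI details from the ISP are not shown.

```cisco
! Added example, not from the thread. 192.0.2.10/30 and 172.30.255.0/30 are
! placeholder link addresses; use the ones your ISP assigned.
!
interface FastEthernet0/0
 description Central office LAN (SonicWall now in bridge mode)
 ip address 172.30.20.1 255.255.255.0
 ip nat inside
!
interface Serial0/0.16 point-to-point
 description ISP direct Internet access - the only NAT outside interface
 ip address 192.0.2.10 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Serial0/0.560 point-to-point
 description ISP VPN to satellite office - no "ip nat" here, private addresses cross untouched
 ip address 172.30.255.1 255.255.255.252
!
! Remote LAN via the VPN sub-interface, everything else via the Internet sub-interface
ip route 172.30.10.0 255.255.255.0 Serial0/0.560
ip route 0.0.0.0 0.0.0.0 Serial0/0.16
!
! ACL 100 decides what gets translated: exempt office-to-office traffic so the
! remote LAN still sees real 172.30.20.x source addresses, translate the rest
! behind the Internet sub-interface address (PAT / overload).
access-list 100 deny   ip 172.30.20.0 0.0.0.255 172.30.10.0 0.0.0.255
access-list 100 permit ip 172.30.20.0 0.0.0.255 any
ip nat inside source list 100 interface Serial0/0.16 overload
!
! ACL 101 drops Internet-side packets that claim an internal source address
! (anti-spoofing); all other filtering is still left to the bridged SonicWall.
access-list 101 deny   ip 172.30.0.0 0.0.255.255 any log
access-list 101 permit ip any any
```

With this, `show ip nat translations` should only ever list Internet-bound flows; if an entry for a 172.30.10.x destination appears, the deny line in ACL 100 is not matching.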
Can the 1720 handle the more detailed policy settings?
I guess another question is:

Which interface do I set as the outside NAT interface?  I am guessing the serial0/0.16, since the other serial sees the LAN IP and not a NAT'd IP.  I really appreciate your help.  I am certain this will take care of my problems.
ASKER CERTIFIED SOLUTION
magicomminc
Worked like a charm.  Thanks for the help.