Solved

Cisco router with 2 sub serial interfaces 1 for internet and 1 for vpn to central office.  Router suggestions?

Posted on 2005-04-12
Last Modified: 2010-03-17
I have a VPN set up through my service provider.  There are now 2 serial ports on my router.  One is for direct internet access and the other for VPN access to my satellite site.  I currently have firewalls running NAT at each site.  I'm not sure, and that is the reason for this question: to get some advice.  I think I may have to run the firewalls in bridging mode and then configure NAT on the routers.  Then I can put static routes in the router so that LAN addresses accessing a LAN address in the central or satellite office go across the VPN serial port, and the rest of the normal internet traffic can travel across the internet serial port.  Problem is I'm uncertain as to how to do this on a Cisco 1600 in the central office and a Cisco 1720 in the satellite office.  Any suggestions?

Question by:tommoran
9 Comments
 
LVL 6

Expert Comment

by:magicomminc
ID: 13796658
Not very clear what you want to do. Is the VPN provided by the ISP, or do you have to build a site-to-site VPN using your 1720 and 1600?
 
LVL 1

Author Comment

by:tommoran
ID: 13797705
VPN is built by the provider.
 
LVL 6

Expert Comment

by:magicomminc
ID: 13798764
Can you please draw a simple diagram or post the router running-config?
Let me see if I understand; this is what you want to implement:
1) Central office: 1600, 2 serial, 1 Ethernet. One of the serials is for Internet, the other one is for the VPN connection to your remote office. Ethernet is for your central office LAN.
2) Remote office: 1720, 1 serial, 1 Ethernet. Serial is for the VPN connection back to the central office, Ethernet is for your remote office LAN.
3) VPN is done by the ISP, so you don't have to set up site-to-site VPN on your routers.
Am I right?
Question:
Which mode of firewall do you have at your remote site? And is that "NAT" for your office-to-office or office-to-Internet traffic? You want your central office to be able to access your remote office network and vice versa, and you also want your central office to access the Internet, right?
Please confirm.

 
LVL 1

Author Comment

by:tommoran
ID: 13799281
You are exactly correct with your statement.  Let me see if I can diagram it for you.

                        |-------------------------ISP Direct Internet Access--------------------------|
                        |                                                                                                     |
                        |                    |----------------ISP VPN Access----------------|                |
               Serial0/0.16    Serial0/0.560                                            Serial0.561    Serial0.16
               --------------------------------                                             ---------------------------
               |          Cisco 1760            |                                            |        Cisco 1600        |
               --------------------------------                                             ---------------------------
                       FastEthernet0/0                                                              FastEthernet0
                                |                                                                                   |
                                |                                                                                   |
                  Public Firewall Interface                                                    Public Firewall Interface
               -----------------------------------                                          ----------------------------------
               | SonicWall 230 Running NAT |                                        | SonicWall 230 Running NAT |
               -----------------------------------                                         -----------------------------------
                Private Firewall Interface                                                     Private Firewall Interface
                                |                                                                                   |
                                |                                                                                   |
               -----------------------------------                                          --------------------------------
               |      LAN 172.30.20.0/24       |                                          |    LAN 172.30.10.0/24     |    
               -----------------------------------                                          --------------------------------

I sure hope I was detailed enough.  Thank you for your help and interest in my question.
 
LVL 6

Expert Comment

by:magicomminc
ID: 13799994
You are right.
In this case you don't want your firewall doing any NAT (bridge mode). You configure NAT on your routers and put in static routes to allow access to the other side of the VPN tunnel, plus a default route to the Internet. On your 1760 router, something like this:
ip route 172.30.10.0 255.255.255.0 s0/0.560
ip route 0.0.0.0 0.0.0.0 s0/0.16
You can also use policy routing if you want more restriction, but that will add a certain load on your router, especially since the 1600 is not a very powerful box.
 
LVL 1

Author Comment

by:tommoran
ID: 13801481
Can the 1720 handle the more detailed policy settings?
 
LVL 1

Author Comment

by:tommoran
ID: 13801915
I guess another question is:

   Which interface do I set as the outside NAT interface?  I am guessing serial0/0.16, since the other serial sees the LAN IP and not a NAT'd IP.  I really appreciate your help.  I am certain this will take care of my problems.
 
LVL 6

Accepted Solution

by:magicomminc (earned 2000 total points)
ID: 13802128
Correct, you only need to NAT (PAT) Internet traffic, in this case on serial0/0.16. The 1720 certainly has more power than the 1600; it can handle that with no problem.
If you want to use a policy-map to separate LAN and Internet traffic:
...
ip nat inside source route-map Internet-traffic interface serial0/0.16 overload
..
access-list 120 permit ip 172.30.20.0 0.0.0.255 172.30.10.0 0.0.0.255
access-list 160 deny ip 172.30.20.0 0.0.0.255 172.30.10.0 0.0.0.255
access-list 160 permit ip 172.30.20.0 0.0.0.255 any
...
route-map Internet-traffic permit 10
   match ip address 160
   match interface serial0/0.16
route-map VPN-traffic permit 10
   match ip address 120
   match interface serial0/0.560
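A complete configuration for the 1760 side that puts the static routes and the NAT route-map from the accepted answer together, as an added example; it is not from the thread and not either poster's config. The serial addresses (203.0.113.2/30 and 198.51.100.2/30, taken from the documentation ranges), the LAN gateway 172.30.20.1, and the Frame Relay encapsulation with DLCIs 16 and 560 (guessed from the subinterface numbers) are all assumptions. The VPN-traffic route-map from the answer is left out: no `ip nat` statement references it, and it is the deny entry in ACL 160 that keeps office-to-office traffic out of the translation.

```cisco
! Added example, not the original poster's running-config.
! Assumed addressing: 172.30.20.1 on the LAN, documentation-range /30s on the serials,
! Frame Relay with DLCI 16 (Internet) and DLCI 560 (provider VPN).
!
interface FastEthernet0/0
 description LAN side (SonicWall in bridge mode sits between here and the LAN)
 ip address 172.30.20.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description physical circuit to the ISP, assumed Frame Relay
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.16 point-to-point
 description ISP direct Internet access; the only NAT outside interface
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16
!
interface Serial0/0.560 point-to-point
 description ISP VPN to the 1600 at the central office; no NAT on this path
 ip address 198.51.100.2 255.255.255.252
 frame-relay interface-dlci 560
!
! Central office LAN goes over the VPN subinterface, everything else to the Internet.
ip route 172.30.10.0 255.255.255.0 Serial0/0.560
ip route 0.0.0.0 0.0.0.0 Serial0/0.16
!
! ACL 160 selects what gets translated: a deny here means "do not translate",
! it does not drop the packet, so office-to-office traffic crosses the VPN untouched.
access-list 160 deny   ip 172.30.20.0 0.0.0.255 172.30.10.0 0.0.0.255
access-list 160 permit ip 172.30.20.0 0.0.0.255 any
!
route-map Internet-traffic permit 10
 match ip address 160
 match interface Serial0/0.16
!
! PAT all matching LAN traffic behind the Internet subinterface address.
ip nat inside source route-map Internet-traffic interface Serial0/0.16 overload
```

After applying this, `show ip nat translations` should list only sessions to Internet destinations, and `show route-map Internet-traffic` counts the packets that matched the policy, which is a quick way to confirm that traffic to 172.30.10.0/24 is taking the VPN path untranslated. Since the SonicWalls no longer NAT, the router itself is now the device the ISP sees, so its own management services (telnet, HTTP, SNMP) should be restricted to the LAN side rather than left reachable on Serial0/0.16.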
 
LVL 1

Author Comment

by:tommoran
ID: 13890333
Worked like a charm.  Thanks for the help.