VPN tunnel and Internet access with 2 Cisco 2611s

I need to setup a WAN for a company that is geographically separated. Here is a simple diagram of the layout:

LAN3 and LAN2 has a T1 connection to the Internet. All traffic originating from LAN3(intranet and Internet) is routed through LAN2. Each site is connected to the Internet with a Cisco 2611 router. LAN2 needs interdomain traffic to LAN3 plus LAN2 has services published on the Internet as well as users who access the Internet.

I want to set up a VPN site-to-site tunnel between LAN3 and LAN2 with the Cisco routers. Also the traffic destined to and from LAN2 and the Internet must function as well.

LAN3 will have all traffic going through the tunnel to LAN2. My question is, is it possible to use the one T1 frame connection on LAN2 to tunnel traffic to LAN3 and also allow Internet traffic to flow from LAN2 to the Internet and back? Is there a better solution? I have very short time to come up with a solution.

Im very comfortable with Cisco routers, but have never set up a site-to-site VPN with Cisco equipment. (Microsoft yes, and VPN for remote access on a PIX, but not a Cisco router)

Thank very much in advance.
Who is Participating?
Hi Bobby,
Yes, it is possible to have one T1 connection to Internet at LAN2 with site-to-site VPN tunnel to LAN3 and meanwhile allow users from LAN2 to access Internet and publish services, see below for example, your LAN2:, LAN3:, on your LAN2 router:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key <secretkey> address <LAN3 T1 Internet address>
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer <LAN3 T1 Internet address>
 set transform-set strong
 match address 100
interface FastEthernet0
 ip address
 ip nat inside
 speed 100
interface Serial0
 ip address <LAN2 T1 Internet address>
 ip nat outside
 crypto map mymap
ip classless
ip route < LAN2 T1 Serial0 GW>
ip nat inside source route-map Internet-traffic interface S0 overload
access-list 100 permit ip
access-list 110 deny   ip
access-list 110 permit ip any
route-map Internet-traffic permit 10
 match ip address 110
ACL-100 is for all your tunnel traffic (LAN2 to LAN3) and ACL-110 is for all your local Internet access.
You will need a similar configure for your router at LAN3 (opposite source and destination).
Alternatively, if you can get a DSL or Cable Internet access for your LAN2 location, you can configure your router to use S0 for all your tunnel traffic and ,say fastethernet1 to DSL for all your Internet traffic, similar ACL can be used:
route-map Internet-traffic permit 10
 match ip address 110
 match interface fastethernet 1
ZwolleAuthor Commented:
Damn thanks! I was just looking at first to make sure this could be done before I took a shot at it. I did not expect the whole configuration! I will have to wait until 21st to try this. I have a 2611 with the right IOS for the job, but I found out today that the 2524 could not be upgraded to run the right bundle. I already got the okay to get a 2650XM. I will try this out in a lab environment and get back to you.

Once again thanks!! I don't know what to say..this is too cool.

Bobby-aka "Z"
Glad to help.
2500 series are EOL. Have you check out the new 2800 series router yet? they are Security Integrated Routers (built-in VPN module) and absolutely out performed 2600 series and same price level! I did some through put test for small packet over VPN 3DES tunnel, it rocks (low CPU usage)! I can provide you those throughput test result if you are interested.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

ZwolleAuthor Commented:
Absolutely. I have not ordered the router yet. Email or post?

Routing Performance; Platform Positioning 64 byte IP traffic only
2801 Up to 90 Kpps
2811 Up to 120 Kpps
2821 Up to 170 Kpps
Cisco 2600 Series System Specifications; based on 64-byte packets
2610/11XM 20Kpps
2620/21XM 30Kpps
2650/51XM 40Kpps
2691 70Kpps
below are from Cisco docs:
New Cisco Integrated Security Routers
Security Performance;
Cisco 3845, 1.1 Gbps F/W, 185 Mbps IPsec VPN, 425 Mbps IPS, 2500 Tunnels
Cisco 3825, 855 Mbps F/W, 175 Mbps IPsec VPN, 325 Mbps IPS, 2,000 Tunnels
Cisco 2851, 530 Mbps F/W, 145 Mbps IPsec VPN, 250 Mbps IPS, 1500 Tunnels
Cisco 2821, 455 Mbps F/W, 140 Mbps IPsec VPN, 200 Mbps IPS, 1500 Tunnels
Cisco 2811, 130 Mbps F/W, 130 Mbps IPsec VPN, 70 Mbps IPS, 1500 Tunnels
Cisco 2801, 127 Mbps F/W, 100 Mbps IPsec VPN, 65 Mbps IPS, 1500 Tunnels
Cisco 1841, 125 Mbps F/W, 95 Mbps IPsec VPN, 60 Mbps IPS, 800 Tunnels
Firewall performance is with NAT and logging enabled. IPS Branch scenario when tested with optimal traffic conditions.
let me know if you need more info (leave your email).

ZwolleAuthor Commented:
I think I got approval for two of the new 2811s. If so I will use the config you sent me as a guide to setting up the VPN. Thanks for your help Magic!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.