VPN tunnel and Internet access with 2 Cisco 2611s

Posted on 2005-04-15
Last Modified: 2012-06-27
I need to setup a WAN for a company that is geographically separated. Here is a simple diagram of the layout:

LAN3 and LAN2 each have a T1 connection to the Internet. All traffic originating from LAN3 (intranet and Internet) is routed through LAN2. Each site is connected to the Internet with a Cisco 2611 router. LAN2 needs interdomain traffic to LAN3; LAN2 also has services published on the Internet as well as users who access the Internet.

I want to set up a VPN site-to-site tunnel between LAN3 and LAN2 with the Cisco routers. Also the traffic destined to and from LAN2 and the Internet must function as well.

LAN3 will have all traffic going through the tunnel to LAN2. My question is, is it possible to use the one T1 frame connection on LAN2 to tunnel traffic to LAN3 and also allow Internet traffic to flow from LAN2 to the Internet and back? Is there a better solution? I have very short time to come up with a solution.

I'm very comfortable with Cisco routers, but have never set up a site-to-site VPN with Cisco equipment. (Microsoft yes, and VPN for remote access on a PIX, but not a Cisco router.)

Thanks very much in advance.
Question by: Zwolle

    Accepted Solution

    Hi Bobby,
    Yes, it is possible to have one T1 connection to the Internet at LAN2 with a site-to-site VPN tunnel to LAN3 and meanwhile allow users from LAN2 to access the Internet and publish services. See below for an example (fill in your LAN2 and LAN3 networks); on your LAN2 router:
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key <secretkey> address <LAN3 T1 Internet address>
    crypto ipsec transform-set strong esp-des esp-md5-hmac
    crypto map mymap 10 ipsec-isakmp
     set peer <LAN3 T1 Internet address>
     set transform-set strong
     match address 100
    interface FastEthernet0
     ip address <LAN2 LAN address> <LAN2 subnet mask>
     ip nat inside
     speed 100
    interface Serial0
     ip address <LAN2 T1 Internet address> <subnet mask>
     ip nat outside
     crypto map mymap
    ip classless
    ip route 0.0.0.0 0.0.0.0 <LAN2 T1 Serial0 GW>
    ip nat inside source route-map Internet-traffic interface S0 overload
    access-list 100 permit ip <LAN2 network> <wildcard> <LAN3 network> <wildcard>
    access-list 110 deny   ip <LAN2 network> <wildcard> <LAN3 network> <wildcard>
    access-list 110 permit ip <LAN2 network> <wildcard> any
    route-map Internet-traffic permit 10
     match ip address 110
    ACL 100 is for all your tunnel traffic (LAN2 to LAN3) and ACL 110 is for all your local Internet access.
    You will need a similar configuration for your router at LAN3 (opposite source and destination).
    Alternatively, if you can get DSL or cable Internet access for your LAN2 location, you can configure your router to use S0 for all your tunnel traffic and, say, FastEthernet1 to DSL for all your Internet traffic; a similar ACL can be used:
    route-map Internet-traffic permit 10
     match ip address 110
     match interface fastethernet 1
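An added example (my own script, not the expert's configuration) that models why ACL 110 carries the deny line: IOS applies inside-to-outside NAT before it consults the crypto map, so LAN2-to-LAN3 traffic that gets translated no longer matches the crypto ACL and leaves the T1 in the clear. All addresses are constructed placeholders, and the script also renders the ACL lines with IOS wildcard masks.

```python
import ipaddress

# Constructed sample addressing; the thread's real networks are not on the page.
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")   # LAN2 inside network
LAN3_NET = ipaddress.ip_network("192.168.3.0/24")   # LAN3 inside network (far end of tunnel)
LAN2_T1 = ipaddress.ip_address("203.0.113.2")       # LAN2 Serial0 (T1) address used for PAT

# An ACL is a list of (action, source_net, dest_net); None means "any".
ACL_100 = [("permit", LAN2_NET, LAN3_NET)]                            # crypto map "match address 100"
ACL_110 = [("deny", LAN2_NET, LAN3_NET), ("permit", LAN2_NET, None)]  # NAT route-map ACL
ACL_110_NO_DENY = [("permit", LAN2_NET, None)]                        # same ACL with the deny line left out

def acl_permits(acl, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for action, s, d in acl:
        if (s is None or src in s) and (d is None or dst in d):
            return action == "permit"
    return False

def render_acl(number, acl):
    """Emit the IOS access-list lines (wildcard masks) for an ACL."""
    def net(n):
        return "any" if n is None else f"{n.network_address} {n.hostmask}"
    return [f"access-list {number} {action} ip {net(s)} {net(d)}" for action, s, d in acl]

def egress(src, dst, nat_acl):
    """Model an inside->outside packet leaving the LAN2 router via Serial0.
    IOS translates with NAT before it checks the crypto map, so whether the
    NAT ACL matches decides which source address the crypto ACL sees.
    Returns (how the packet leaves, source address on the wire)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if acl_permits(nat_acl, src, dst):
        src = LAN2_T1                 # "ip nat inside source ... interface S0 overload"
    if acl_permits(ACL_100, src, dst):
        return ("ipsec", str(src))    # encrypted to the LAN3 peer
    return ("clear", str(src))        # plain routed out the T1

if __name__ == "__main__":
    for line in render_acl(100, ACL_100) + render_acl(110, ACL_110):
        print(line)
    print(egress("192.168.2.10", "192.168.3.20", ACL_110))          # ('ipsec', '192.168.2.10')
    print(egress("192.168.2.10", "198.51.100.7", ACL_110))          # ('clear', '203.0.113.2')
    print(egress("192.168.2.10", "192.168.3.20", ACL_110_NO_DENY))  # ('clear', '203.0.113.2')
```

The third call shows the failure mode: without the deny entry the LAN2-to-LAN3 packet is translated to the T1 address, misses ACL 100, and is routed unencrypted.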

    Author Comment

    Damn, thanks! I was just looking at first to make sure this could be done before I took a shot at it. I did not expect the whole configuration! I will have to wait until the 21st to try this. I have a 2611 with the right IOS for the job, but I found out today that the 2524 could not be upgraded to run the right bundle. I already got the okay to get a 2650XM. I will try this out in a lab environment and get back to you.

    Once again, thanks!! I don't know what to say... this is too cool.

    Bobby, aka "Z"

    Expert Comment

    Glad to help.
    The 2500 series is EOL. Have you checked out the new 2800 series routers yet? They are Integrated Security Routers (built-in VPN module) and absolutely outperform the 2600 series at the same price level! I did some throughput tests for small packets over a VPN 3DES tunnel, and it rocks (low CPU usage)! I can provide you those throughput test results if you are interested.

    Author Comment

    Absolutely. I have not ordered the router yet. Email or post?


    Expert Comment

    Routing performance (platform positioning, 64-byte IP traffic only):
    2801  up to 90 Kpps
    2811  up to 120 Kpps
    2821  up to 170 Kpps
    Cisco 2600 series system specifications (based on 64-byte packets):
    2610/11XM  20 Kpps
    2620/21XM  30 Kpps
    2650/51XM  40 Kpps
    2691       70 Kpps
    Below are from Cisco docs (new Cisco Integrated Security Routers, security performance):
    Cisco 3845: 1.1 Gbps firewall, 185 Mbps IPsec VPN, 425 Mbps IPS, 2500 tunnels
    Cisco 3825: 855 Mbps firewall, 175 Mbps IPsec VPN, 325 Mbps IPS, 2,000 tunnels
    Cisco 2851: 530 Mbps firewall, 145 Mbps IPsec VPN, 250 Mbps IPS, 1500 tunnels
    Cisco 2821: 455 Mbps firewall, 140 Mbps IPsec VPN, 200 Mbps IPS, 1500 tunnels
    Cisco 2811: 130 Mbps firewall, 130 Mbps IPsec VPN, 70 Mbps IPS, 1500 tunnels
    Cisco 2801: 127 Mbps firewall, 100 Mbps IPsec VPN, 65 Mbps IPS, 1500 tunnels
    Cisco 1841: 125 Mbps firewall, 95 Mbps IPsec VPN, 60 Mbps IPS, 800 tunnels
    Firewall performance is with NAT and logging enabled; IPS figures are for the branch scenario tested under optimal traffic conditions.
    Let me know if you need more info (leave your email).


    Author Comment

    I think I got approval for two of the new 2811s. If so I will use the config you sent me as a guide to setting up the VPN. Thanks for your help Magic!

