Configure 2 Cisco routers to pass VLAN traffic over VPN

Hello,

We're trying to set up a point-to-point VPN between a remote location and the main building.

Remote location: 2801 & 3750 switch
Main building: 2811 plugged into a 2950. The 2950 is connected to our edge 2811. The 2950 is also connected to our 3750 switch stack.

So far we've configured the 2801, put a laptop behind it with a public IP and have gotten out to the Internet.
The 2811 is connected to a 2950, which is connected to a 2811 (our border router)

We've created a site-to-site VPN tunnel with a preshared key using the SDM wizard but haven't tested yet. Hope to do that today.

Two questions. One, do we have the necessary components to make this work? Two, how can we pass VLAN traffic over the link? The idea is to have all remote office traffic come back to the main building and then either go on our network or out to the Internet.

Apologies if this is confusing. I'm a VERY rusty CCNA.

Thanks!
lucado01 Asked:
JFrederick29 Commented:
The VLAN doesn't matter, as long as routing is in place, i.e. as long as the remote access 2811 has a route to the proxy server (DMZ subnet) and the proxy server has a route back to the remote office subnet. Verify routing is there in both directions.
0
 
JFrederick29 Commented:
Yes, you have all the components. This is quite simple if the remote and main PCs have the 28xx as their default gateway. If you want to tunnel all traffic from the remote site, you'll use "any" as the destination on the remote 2801 and "any" as the source on the main 2811 router in the crypto/interesting traffic access-list. NAT will need to be set up appropriately on the 2811 to hairpin remote Internet-bound traffic.
0
 
lucado01 Author Commented:
Great, we're going to test the tunnel today and then work on getting the switches ready. If everything goes well, I should have an answer for you by late tomorrow/Monday.
0
 
lucado01 Author Commented:
Running into a snag. I've got the 2801 set up but I can still get out to the Internet. When I run show crypto ipsec sa I see 110 send errors so I know the problem is with the config.

I've read that the LAN network needs to be mentioned in the access list for the tunnel. I notice in the config that isn't there; it shows the serial IP. The ip route of the 2801 is set to 0.0.0.0 0.0.0.0 Serial0/2/0:0. If I change the ip route I lose connectivity.
0
 
JFrederick29 Commented:
The default ip route should be via Serial0/2/0:0.

The LAN subnets should be in the tunnel access-list (not the serial).
0
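The crypto access-list and default-route points made in the two replies above, written out as an added example configuration that is not from the thread or its participants. Every address, name and the pre-shared key placeholder is an assumption: RFC 5737 documentation ranges stand in for the real public serial and FastEthernet0/1 addresses, 10.20.0.0/16 summarizes the remote-office LAN subnets and 10.1.0.0/16 the main-office internal space.

```cisco
!=== Remote 2801 (hypothetical addresses) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! The pre-shared key is tied to the main-office peer address
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2
!
crypto ipsec transform-set TS-MAIN esp-aes 256 esp-sha-hmac
!
! Interesting traffic is the remote LAN space, never the serial interface address.
! Destination "any" sends everything from the remote office (internal and
! Internet-bound) through the tunnel, which is the design asked for above.
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.0.0 0.0.255.255 any
!
crypto map MAP-MAIN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-MAIN
 match address VPN-TRAFFIC
!
interface Serial0/2/0:0
 ip address 192.0.2.2 255.255.255.252
 crypto map MAP-MAIN
!
! The default route stays on the serial interface; the crypto map attached to
! that interface decides which packets get encrypted before they leave.
ip route 0.0.0.0 0.0.0.0 Serial0/2/0:0

!=== Main-office 2811 (tunnel endpoint on FastEthernet0/1) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.2
!
crypto ipsec transform-set TS-REMOTE esp-aes 256 esp-sha-hmac
!
! Mirror image of the remote ACL: source "any", destination the remote LAN space.
! The two ACLs must be exact mirrors or IKE phase 2 fails on proxy-identity mismatch.
ip access-list extended VPN-TRAFFIC
 permit ip any 10.20.0.0 0.0.255.255
!
crypto map MAP-REMOTE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-REMOTE
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.0
 crypto map MAP-REMOTE
!
! Only if this router also does NAT overload for Internet traffic (assumed here
! to be an existing "ip nat inside source list NAT-INSIDE ... overload" line):
! exclude the remote LAN space from the NAT ACL. IOS translates before it
! evaluates the crypto ACL, so translated packets would no longer match VPN-TRAFFIC.
ip access-list extended NAT-INSIDE
 deny   ip any 10.20.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
```

The NAT exclusion is the usual cause of a tunnel that comes up but carries traffic in one direction only; the deny line has to sit above the permit because the ACL is evaluated top down.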
 
lucado01 Author Commented:
Yes, that got it. Tunnel is now up, on to the switches.
0
 
lucado01 Author Commented:
Stuck again.

From the remote site, I can assign a private IP to a laptop and have it ping the private interface of the main building 2811, on the other side of the tunnel. However, I can't ping the interface for the main switch stack and can't get DNS, etc.

So the tunnel looks good but we can't get to the core switch stack at the main building.
0
 
JFrederick29 Commented:
Are those subnets part of the crypto access-list? Is there routing to the remote network? i.e. is the 2811 at the main office the default gateway to the Internet?
0
 
lucado01 Author Commented:
Sorry for the late reply.

We have the tunnel set up between the serial interface at the remote office and fe 0/1 at the main office (what we'd call a public IP). The crypto access list is one entry on each side with any being the destination from the remote office and any being the source from the main office.

So the tunnel is up but we can't communicate with any of the internal networks. When we try to add the subnet routes (through SDM), it doesn't do anything. We've listed three subnets on each device with their own subinterface. We set up the VLAN IDs and encapsulation.

The 2811 at the main office is not listed as the default gateway to the Internet. We've put in a call to Cisco and sent them the configs but will take any assistance we can get.
0
 
JFrederick29 Commented:
If the 2811 at the main office isn't the default gateway or path to the Internet, your internal router needs a route to the remote office subnets via the 2811.
0
 
lucado01 Author Commented:
OK, so just to clarify:

At the main office we have our border router, a 2811 which is the default gateway and path to the Internet.
Connected to the 2811 is a 2950. Connected to it is the 2811 we have just implemented and are trying to get working to the remote 2801.
So add a route for the 2801 subnet to the new 2811?
0
 
JFrederick29 Commented:
On the 2811 which is the default gateway for the network, add a static route to the 2801 LAN subnets via the new 2811's "LAN" interface.
0
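The subinterface and static-route pieces discussed in the exchange above (three VLANs per site on 802.1Q subinterfaces, and the return route on the border 2811 pointing at the new 2811's LAN interface), as an added example that is not from the thread or its participants. VLAN IDs, interface names and addresses are assumptions: 10.20.0.0/16 stands for the remote-office LAN space, 10.1.0.0/16 for the main-office internal space, 10.1.0.0/24 for the segment the two main-office 2811s share on the 2950, and 172.16.1.0/24 for the DMZ/proxy subnet.

```cisco
!=== Remote 2801: one 802.1Q subinterface per remote VLAN (hypothetical IDs/addresses) ===
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.20.30.1 255.255.255.0
!
! Hosts in each VLAN use the matching subinterface address as default gateway.
! All three subnets fall inside 10.20.0.0/16, which is what the crypto
! access-list must permit; a subnet missing from that ACL is routed out the
! serial interface in the clear instead of through the tunnel.

!=== Remote 3750: the port facing the 2801 carries the VLANs as a trunk ===
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

!=== New main-office 2811 (VPN router): LAN side on the 2950 ===
! FastEthernet0/1 is the tunnel endpoint; FastEthernet0/0 sits on the segment
! shared with the border router (assumed 10.1.0.0/24, border router at 10.1.0.1).
interface FastEthernet0/0
 ip address 10.1.0.2 255.255.255.0
 no shutdown
!
! Forward path: internal subnets and the DMZ/proxy are reached via the border router
ip route 10.1.0.0 255.255.0.0 10.1.0.1
ip route 172.16.1.0 255.255.255.0 10.1.0.1

!=== Border 2811 (the network's default gateway) ===
! Return path: remote-office subnets via the new 2811's LAN interface.
! Every other Layer 3 hop on the return path (3750 core stack, firewall in
! front of the DMZ) needs the same route or a default route toward this router.
ip route 10.20.0.0 255.255.0.0 10.1.0.2

!=== Verification, from the remote 2801 ===
! Source the ping from a LAN address so it matches the crypto ACL; a ping
! sourced from the serial address is sent in the clear and proves nothing.
ping 10.1.0.1 source 10.20.10.1
show crypto isakmp sa
show crypto ipsec sa
! "#pkts encaps" and "#pkts decaps" should both climb. Encaps climbing with
! decaps stuck at zero means the far side has no route back (or its ACL or
! NAT drops the reply). "send errors" climbing with no encaps means packets
! matched the ACL but no usable SA existed: compare the two crypto ACLs and
! the ISAKMP state.
show ip route 172.16.1.0
```

The route-check order matters: confirm the 2801 can reach the new 2811's LAN address before chasing the DMZ, since the border router's return route is the one hop that exists only for this tunnel and is the easiest to forget.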
 
lucado01 Author Commented:
We have everything working now, except one thing...

Internet traffic from the remote office cannot get out. I know you said that Internet traffic needed to hairpin at the main router but we have a proxy server in our DMZ that serves all Internet traffic. We have that DMZ network listed in the ACL but nothing is going out.

The DMZ network is currently not a VLAN. Do we need to make it a VLAN and then create a subinterface on the main router with one of those IPs so the remote office can route to it?

Thanks for all of your help, we're just about done!
0
 
lucado01 Author Commented:
OK. When we try to ping the proxy from the remote office, we don't see anything in our firewall attempting to get to the DMZ. We can ping the interface on the HQ router for that network. Might this be a Check Point issue?
0
 
lucado01 Author Commented:
The firewall has the route (where the DMZ subnet lives) back to the remote office subnet.
0
 
JFrederick29 Commented:
Could be your firewall policy. Is it allowing the remote office subnet access to the proxy server?
0
 
lucado01 Author Commented:
No. We can't even ssh to the proxy server from the remote subnet.
0
 
lucado01 Author Commented:
It looks like the firewall is allowing the traffic. To put it another way, we don't see anything obvious from the firewall denying the remote subnet.
0
 
JFrederick29 Commented:
Is the proxy server ISA by chance? If so, there may be subnet definitions necessary for the remote subnet in ISA.
0
 
lucado01 Author Commented:
Proxy server is Squid.
0
Question has a verified solution.