Configure 2 Cisco routers to pass VLAN traffic over VPN

Posted on 2009-05-07
Last Modified: 2012-05-06
Hello,

We're trying to set up a point to point VPN between a remote location and the main building.

Remote location: 2801 & 3750 switch
Main building: 2811 plugged into a 2950. The 2950 is connected to our edge 2811. 2950 also connected to our 3750 switch stack

So far we've configured the 2801, put a laptop behind it with a public IP and have gotten out to the Internet.
The 2811 is connected to a 2950, which is connected to a 2811 (our border router)

We've created a site-to-site VPN tunnel with a pre-shared key using the SDM wizard but haven't tested it yet. Hope to do that today.

Two questions. One, do we have the necessary components to make this work? Two, how can we pass VLAN traffic over the link? The idea is to have all remote office traffic come back to the main building and then either go on our network or out to the Internet.

Apologies if this is confusing. I'm a VERY rusty CCNA.

Thanks!
Question by:lucado01
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24327769
Yes, you have all the components.  This is quite simple if the remote and main PC's have the 28xx as their default gateway.  If you want to tunnel all traffic from the remote site, you'll use "any" as the destination on the remote 2801 and "any" as the source on the main 2811 router in the crypto/interesting traffic access-list.  NAT will need to be setup appropriately on the 2811 to hairpin remote Internet bound traffic.

Author Comment

by:lucado01
ID: 24327898
Great, we're going to test the tunnel today and then work on getting the switches ready. If everything goes well, I should have an answer for you by late tomorrow/Monday.

Author Comment

by:lucado01
ID: 24328781
Running into a snag. I've got the 2801 set up but I can still get out to the Internet. When I run show crypto ipsec sa I see 110 send errors so I know the problem is with the config.

I've read that the LAN network needs to be mentioned in the access list for the tunnel. I notice in the config that isn't there; it shows the serial IP. The ip route of the 2801 is set to 0.0.0.0 0.0.0.0 Serial0/2/0:0. If I change the ip route I lose connectivity.
LVL 43

Expert Comment

by:JFrederick29
ID: 24328885
The default ip route should be via Serial0/2/0:0.

The LAN subnets should be in the tunnel access-list (not the serial).

Author Comment

by:lucado01
ID: 24330711
Yes, that got it. Tunnel is now up, on to the switches.

Author Comment

by:lucado01
ID: 24358459
Stuck again.

From the remote site, I can assign a private IP to a laptop and have it ping the private interface of the main building 2811, on the other side of the tunnel. However, I can't ping the interface for the main switch stack and can't get DNS, etc.

So the tunnel looks good but we can't get to the core switch stack at the main building.
LVL 43

Expert Comment

by:JFrederick29
ID: 24360474
Are those subnets part of the crypto access-list?  Is there routing to the remote network? i.e. is the 2811 at the main office the default gateway to the Internet?

Author Comment

by:lucado01
ID: 24398090
Sorry for the late reply.

We have the tunnel set up between the serial interface at the remote office and fe 0/1 at the main office (what we'd call a public IP). The crypto access list is one entry on each side with any being the destination from the remote office and any being the source from the main office.

So the tunnel is up but we can't communicate with any of the internal networks. When we try to add the subnet routes (through SDM), it doesn't do anything. We've listed three subnets on each device with their own subinterface. We set up the VLAN IDs and encapsulation.

The 2811 at the main office is not listed as the default gateway to the Internet. We've put in a call to cisco and sent them the configs but will take any assistance we can get.
LVL 43

Expert Comment

by:JFrederick29
ID: 24398108
If the 2811 at the main office isn't the default gateway or path to the Internet, your internal router needs a route to the remote office subnets via the 2811.

Author Comment

by:lucado01
ID: 24398260
OK, so just to clarify:

At the main office we have our border router, a 2811 which is the default gateway and path to the Internet.
Connected to the 2811 is a 2950. Connected to it is the 2811 we have just implemented and are trying to get working to the remote 2801.
So add a route for the 2801 subnet to the new 2811?
LVL 43

Expert Comment

by:JFrederick29
ID: 24398358
On the 2811 which is the default gateway for the network, add a static route to the 2801 LAN subnets via the new 2811's "LAN" interface.

Author Comment

by:lucado01
ID: 24486910
We have everything working now, except one thing...

Internet traffic from the remote office cannot get out. I know you said that Internet traffic needed to hairpin at the main router but we have a proxy server in our DMZ that serves all Internet traffic. We have that DMZ network listed in the ACL but nothing is going out.

The DMZ network is currently not a VLAN. Do we need to make it a VLAN and then create a subinterface on the main router with one of those IP's so the remote office can route to it?

Thanks for all of your help, we're just about done!
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24493359
The VLAN doesn't matter, as long as routing is in place, i.e. as long as the remote access 2811 has a route to the proxy server (DMZ subnet) and the proxy server has a route back to the remote office subnet.  Verify routing is there in both directions.
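A worked configuration that ties together the pointers given in this thread: the LAN subnets (not the serial IP) in the crypto access-list with "any" on the other end, the mirror-image access-list on the main-office 2811, dot1Q subinterfaces for the remote VLANs, the default route left on the serial, and the static route on the border 2811 pointing at the new 2811's LAN interface. This is an added example, not the asker's or the expert's configuration; all addresses, interface assignments, names and the pre-shared key are constructed placeholders.

```cisco
! --- Remote 2801 (constructed addresses; VLANs 10/20/30 trunked from the 3750) ---
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
! (subinterfaces .20 and .30 follow the same pattern)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Interesting traffic = the LAN subnets, not the serial IP; "any" as destination
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.0.0 0.0.255.255 any
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
interface Serial0/2/0:0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
! Default route stays via the serial; no NAT here, everything hairpins at HQ
ip route 0.0.0.0 0.0.0.0 Serial0/2/0:0
!
! --- Main-office VPN 2811 (mirror image: "any" as source, remote LANs as destination) ---
! isakmp policy, pre-shared key (for peer 198.51.100.2) and transform-set TS as above
ip access-list extended VPN-TRAFFIC
 permit ip any 172.16.0.0 0.0.255.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet0/1
 description public side, reaches the Internet through the border 2811
 ip address 203.0.113.2 255.255.255.248
 crypto map VPNMAP
interface FastEthernet0/0
 description LAN side toward the 2950 and the border 2811
 ip address 10.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
!
! --- Border 2811 (the real default gateway): send the remote LANs to the new 2811 ---
ip route 172.16.0.0 255.255.0.0 10.1.1.2
! The firewall in front of the DMZ/proxy needs the same 172.16.0.0/16 route
! back toward 10.1.1.2 and a policy that permits the remote subnets to the proxy.
```

Check the result with "show crypto ipsec sa" on either router: once the LAN subnets are in the access-list, the packets-encaps counter climbs instead of the send-errors counter.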

Author Comment

by:lucado01
ID: 24494933
OK. When we try and ping the proxy from the remote office, we don't see anything in our firewall attempting to get to the DMZ. We can ping the interface on the HQ router for that network.  Might this be a Checkpoint issue?

Author Comment

by:lucado01
ID: 24495119
The firewall has the route (where the DMZ subnet lives) back to the remote office subnet.
LVL 43

Expert Comment

by:JFrederick29
ID: 24495299
Could be your Firewall policy.  Is it allowing the remote office subnet access to the Proxy server?

Author Comment

by:lucado01
ID: 24495645
No. We can't even ssh to the proxy server from the remote subnet.

Author Comment

by:lucado01
ID: 24495682
It looks like the firewall is allowing the traffic. To put it another way, we don't see anything obvious from the firewall denying the remote subnet.
LVL 43

Expert Comment

by:JFrederick29
ID: 24496454
Is the proxy server ISA by chance?  If so, there may be subnet definitions necessary for the remote subnet in ISA.

Author Comment

by:lucado01
ID: 24498831
Proxy server is Squid.