• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1062
  • Last Modified:

Tunnel Internet Traffic over Cisco VPN Tunnel

I have several locations connected with IPSec VPNs and for a single IP at the location 3, I would like to tunnel all internet traffic through the IPSec VPN tunnel to location 1. I'm not sure what I need to change on the config for both locations. They both use Cisco 2811 routers.

Location 1 Private Addressing: 192.168.1.0/24
Location 1 Cisco 2811: 192.168.1.254
Location 2 Private Addressing: 192.168.8.0/24
Location 2 Cisco 2811: 192.168.8.254
Location 3 Private Addressing: 192.168.11.0/24
Location 3 Cisco 2811: 192.168.11.254

The Location 3 IP I want to route internet traffic through Location 1's internet is: 192.168.11.245


This is the config from location 3:

ip inspect name inspect-basic appfw inspect-basic
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic https
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic http java-list 51 urlfilter
!
appfw policy-name inspect-basic
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
password encryption aes
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 hash md5
 authentication pre-share
!
crypto isakmp policy 81
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <tunnel 1 shared key info>
crypto isakmp key <tunnel 2 shared key info>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map ra-dynmap-1 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map corporate-vpn-map 1 ipsec-isakmp
 description <tunnel 1>
 set peer <tunnel 1 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 1>-vpn-acl
crypto map corporate-vpn-map 2 ipsec-isakmp
 description <tunnel 2>
 set peer <tunnel 2 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 2>-vpn-acl
!
!
!
interface FastEthernet0/0
 ip address <public ip> 255.255.255.248
 ip access-group acl-wan-in in
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corporate-vpn-map
!
interface FastEthernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
!
!
ip http server
no ip http secure-server
ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-wan-in
 permit udp any host <public ip> eq non500-isakmp
 permit udp any host <public ip> eq isakmp
 permit esp any host <public ip>
 permit ahp any host <public ip>
 permit tcp any host <public ip> eq 4949
 deny   ip any any log
ip access-list extended <tunnel 1>-vpn-acl
 remark <tunnel 1> VPN rules
 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254
ip access-list extended block-vpn-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.250.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map block-vpn-on-nat permit 10
 match ip address block-vpn-acl

--------------------------------------------------------------------------------
The config in location 1's router is the same except the IPs are reversed. What commands do I need to add to both configs to make this work?
0
_valkyrie_
Asked:
_valkyrie_
  • 2
1 Solution
 
bgoeringCommented:
Change

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


To

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.x 255.255.255.255 any
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


Where the ".x" is the IP you are tracking
0
 
anoopkmrCommented:
since u dont need to use the local internet at site 3 ; please note for ur requirement the whole traffic will go through the tunnel

at site 3

1) no ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload

2) int f0/0
    no ip nat outside
     int f0/1
    no ip nat inside

3) i hope below is the tunnel config for site 1
crypto map corporate-vpn-map 1 ipsec-isakmp

so type

ip access-list extended -vpn-acl
permit ip 192.168.11.0 0.0.0.255 any



at site 1 router

crypto acl for site1 has to be modified like this

ip access-list extended -vpn-acl
permit ip any 192.168.11.0 0.0.0.255


0
 
_valkyrie_Author Commented:
bgoering: I'll try that solution tonight at the plant.

anoopkmr: I don't want traffic for the entire subnet to go through there, just a single IP's internet traffic: 192.168.11.245
0
 
anoopkmrCommented:
ohh sorry I didn't notice that, thanks for the correction
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now