Solved

Tunnel Internet Traffic over Cisco VPN Tunnel

Posted on 2010-08-18
Last Modified: 2012-05-10
I have several locations connected with IPSec VPNs, and for a single IP at location 3 I would like to tunnel all internet traffic through the IPSec VPN tunnel to location 1. I'm not sure what I need to change on the config for both locations. They both use Cisco 2811 routers.

Location 1 Private Addressing: 192.168.1.0/24
Location 1 Cisco 2811: 192.168.1.254
Location 2 Private Addressing: 192.168.8.0/24
Location 2 Cisco 2811: 192.168.8.254
Location 3 Private Addressing: 192.168.11.0/24
Location 3 Cisco 2811: 192.168.11.254

The Location 3 IP I want to route internet traffic through Location 1's internet is: 192.168.11.245


This is the config from location 3:

ip inspect name inspect-basic appfw inspect-basic
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic https
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic http java-list 51 urlfilter
!
appfw policy-name inspect-basic
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
password encryption aes
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 hash md5
 authentication pre-share
!
crypto isakmp policy 81
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <tunnel 1 shared key info>
crypto isakmp key <tunnel 2 shared key info>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map ra-dynmap-1 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map corporate-vpn-map 1 ipsec-isakmp
 description <tunnel 1>
 set peer <tunnel 1 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 1>-vpn-acl
crypto map corporate-vpn-map 2 ipsec-isakmp
 description <tunnel 2>
 set peer <tunnel 2 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 2>-vpn-acl
!
!
!
interface FastEthernet0/0
 ip address <public ip> 255.255.255.248
 ip access-group acl-wan-in in
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corporate-vpn-map
!
interface FastEthernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
!
!
ip http server
no ip http secure-server
ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-wan-in
 permit udp any host <public ip> eq non500-isakmp
 permit udp any host <public ip> eq isakmp
 permit esp any host <public ip>
 permit ahp any host <public ip>
 permit tcp any host <public ip> eq 4949
 deny   ip any any log
ip access-list extended <tunnel 1>-vpn-acl
 remark <tunnel 1> VPN rules
 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254
ip access-list extended block-vpn-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.250.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map block-vpn-on-nat permit 10
 match ip address block-vpn-acl

--------------------------------------------------------------------------------
The config in location 1's router is the same except the IPs are reversed. What commands do I need to add to both configs to make this work?
Question by: _valkyrie_
4 Comments
Accepted Solution by: bgoering (LVL 28, earned 500 total points)
ID: 33464247
Change

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


To

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip host 192.168.11.x any
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


Where the ".x" is the IP you are tracking

Expert Comment by: anoopkmr (LVL 14)
ID: 33464319
Since you don't need to use the local internet at site 3. Please note that for your requirement, the whole traffic will go through the tunnel.

at site 3

1) no ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload

2) int f0/0
    no ip nat outside
   int f0/1
    no ip nat inside

3) I hope the entry below is the tunnel config for site 1
crypto map corporate-vpn-map 1 ipsec-isakmp

so type

ip access-list extended -vpn-acl
 permit ip 192.168.11.0 0.0.0.255 any



at the site 1 router

the crypto ACL for site 1 has to be modified like this:

ip access-list extended -vpn-acl
 permit ip any 192.168.11.0 0.0.0.255



Author Comment by: _valkyrie_ (LVL 2)
ID: 33467599
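The accepted solution adds a host entry to the crypto ACL, and anoopkmr's comment points out that the site 1 crypto ACL must be modified to match. Two things decide whether the 192.168.11.245 traffic actually enters the tunnel, and the following added example (not code from the thread or from Cisco) models both against the ACLs in the posted config. First, IOS wildcard masks are inverse masks: 0.0.0.0 (the `host` keyword) selects one address, 255.255.255.255 (`any`) matches every address. Second, for inside-to-outside traffic IOS applies NAT before it evaluates the crypto map, so a packet that the block-vpn-on-nat route-map translates is checked against the crypto ACL with the public address as its source and no longer matches the host entry; the tracked host therefore also needs a `deny` in block-vpn-acl, exactly as the existing entries already exempt the LAN-to-LAN traffic. The `deny ip host 192.168.11.245 any` entry, the placement of the host entry in `<tunnel 1>-vpn-acl` (location 1 is the intended exit, so the tunnel to 192.168.1.0/24 is assumed), the stand-in public address 203.0.113.10 and the Internet destination 198.51.100.7 are constructed assumptions. The example stops at site 3: location 1 still has to translate the decrypted 192.168.11.245 traffic before it leaves location 1's WAN interface, which the thread does not cover.

```python
import ipaddress

# IOS address/wildcard pairs: a 0 bit in the wildcard means "must match"
ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """IOS 'host x.x.x.x' is the address with an all-zero wildcard."""
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL entry actually compares
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


PUBLIC_IP = "203.0.113.10"       # constructed stand-in for <public ip>
TRACKED = "192.168.11.245"       # the host whose Internet traffic should use the tunnel

# block-vpn-acl as posted for site 3; it feeds route-map block-vpn-on-nat,
# so 'permit' here means "translate" and 'deny' means "leave the source alone".
SITE3_NAT_ACL = [
    ("deny", ("192.168.11.0", "0.0.0.255"), ("192.168.250.0", "0.0.0.255")),
    ("deny", ("192.168.11.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
    ("deny", ("192.168.11.0", "0.0.0.255"), ("192.168.8.0", "0.0.0.255")),
    ("permit", ("192.168.11.0", "0.0.0.255"), ANY),
]
# Same ACL with the tracked host exempted from NAT (added entry, an assumption).
SITE3_NAT_ACL_FIXED = [("deny", host(TRACKED), ANY)] + SITE3_NAT_ACL

# <tunnel 1>-vpn-acl as posted, and with the host entry from the accepted answer.
TUNNEL1_CRYPTO_ACL = [
    ("permit", ("192.168.11.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
]
TUNNEL1_CRYPTO_ACL_FIXED = [("permit", host(TRACKED), ANY)] + TUNNEL1_CRYPTO_ACL


def classify(src, dst, nat_acl, crypto_acl, public_ip=PUBLIC_IP):
    """Model the IOS inside-to-outside order: NAT first, then the crypto map
    ACL is evaluated against the packet as it looks after translation.
    Returns (disposition, source address seen by the crypto ACL)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = public_ip
    disposition = "encrypted" if acl_action(crypto_acl, src, dst) == "permit" else "clear"
    return disposition, src


def mirror(acl):
    """Crypto ACLs on the two peers must be mirror images (source and
    destination swapped), otherwise the phase 2 proxy identities disagree."""
    return [(action, dst, src) for action, src, dst in acl]


def ios_addr(base, wildcard):
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {base}"
    return f"{base} {wildcard}"


def to_ios(acl):
    """Render an ACL as the 'ip access-list extended' body lines."""
    return [f" {a} ip {ios_addr(*s)} {ios_addr(*d)}" for a, s, d in acl]


if __name__ == "__main__":
    internet = "198.51.100.7"    # constructed Internet destination
    print("tracked host, NAT ACL unchanged :",
          classify(TRACKED, internet, SITE3_NAT_ACL, TUNNEL1_CRYPTO_ACL_FIXED))
    print("tracked host, NAT ACL fixed     :",
          classify(TRACKED, internet, SITE3_NAT_ACL_FIXED, TUNNEL1_CRYPTO_ACL_FIXED))
    print("other host to Internet          :",
          classify("192.168.11.10", internet, SITE3_NAT_ACL_FIXED, TUNNEL1_CRYPTO_ACL_FIXED))
    print("other host to location 1 LAN    :",
          classify("192.168.11.10", "192.168.1.20", SITE3_NAT_ACL_FIXED, TUNNEL1_CRYPTO_ACL_FIXED))
    print("site 1 side of the crypto ACL:")
    print("\n".join(to_ios(mirror(TUNNEL1_CRYPTO_ACL_FIXED))))
```

Run as a script, the first scenario shows the tracked host leaving in the clear with the public address as its source, the second shows it entering the tunnel once the NAT exemption exists, and the remaining two confirm that the other hosts at site 3 keep their local Internet access and their LAN-to-LAN path, which is what the author asked for. The last lines are the mirrored entries for the site 1 crypto ACL, with the host entry rendered as `permit ip any host 192.168.11.245`.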
bgoering: I'll try that solution tonight at the plant.

anoopkmr: I don't want traffic for the entire subnet to go through there, just a single IP's internet traffic: 192.168.11.245

Expert Comment by: anoopkmr (LVL 14)
ID: 33467683
ohh sorry I didn't notice that, thanks for the correction