Solved

Tunnel Internet Traffic over Cisco VPN Tunnel

Posted on 2010-08-18
1,057 Views
Last Modified: 2012-05-10
I have several locations connected with IPSec VPNs, and for a single IP at location 3 I would like to tunnel all internet traffic through the IPSec VPN tunnel to location 1. I'm not sure what I need to change in the config for both locations. They both use Cisco 2811 routers.

Location 1 Private Addressing: 192.168.1.0/24
Location 1 Cisco 2811: 192.168.1.254
Location 2 Private Addressing: 192.168.8.0/24
Location 2 Cisco 2811: 192.168.8.254
Location 3 Private Addressing: 192.168.11.0/24
Location 3 Cisco 2811: 192.168.11.254

The Location 3 IP whose internet traffic I want to route through Location 1's internet connection is: 192.168.11.245


This is the config from location 3:

ip inspect name inspect-basic appfw inspect-basic
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic https
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic http java-list 51 urlfilter
!
appfw policy-name inspect-basic
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
password encryption aes
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 hash md5
 authentication pre-share
!
crypto isakmp policy 81
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <tunnel 1 shared key info>
crypto isakmp key <tunnel 2 shared key info>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map ra-dynmap-1 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map corporate-vpn-map 1 ipsec-isakmp
 description <tunnel 1>
 set peer <tunnel 1 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 1>-vpn-acl
crypto map corporate-vpn-map 2 ipsec-isakmp
 description <tunnel 2>
 set peer <tunnel 2 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 2>-vpn-acl
!
!
!
interface FastEthernet0/0
 ip address <public ip> 255.255.255.248
 ip access-group acl-wan-in in
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corporate-vpn-map
!
interface FastEthernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
!
!
ip http server
no ip http secure-server
ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-wan-in
 permit udp any host <public ip> eq non500-isakmp
 permit udp any host <public ip> eq isakmp
 permit esp any host <public ip>
 permit ahp any host <public ip>
 permit tcp any host <public ip> eq 4949
 deny   ip any any log
ip access-list extended <tunnel 1>-vpn-acl
 remark <tunnel 1> VPN rules
 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254
ip access-list extended block-vpn-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.250.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map block-vpn-on-nat permit 10
 match ip address block-vpn-acl

--------------------------------------------------------------------------------
The config in location 1's router is the same except the IPs are reversed. What commands do I need to add to both configs to make this work?
Question by:_valkyrie_
4 Comments
Accepted Solution by: bgoering (LVL 28, earned 2000 total points)
ID: 33464247
Change

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


To

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip host 192.168.11.x any
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


Where the ".x" is the IP you are tracking
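Putting the two partial answers together, here is the full set of changes needed for the single host, as an added example (my own config, not from either poster). It assumes, as the question states, that Location 1 runs the same config with the IPs reversed, so `<tunnel 3>-vpn-acl` stands for whatever Location 1 names its crypto ACL toward Location 3, and the 10.255.255.0/30 loopback addresses are made up.

```cisco
! ---- Location 3 (192.168.11.254) ----
! Crypto ACL for the Location 1 tunnel. Sequence numbers 3 and 5 place the
! host entries ahead of the existing subnet permit. The deny keeps the
! host's Location 2 traffic on tunnel 2 instead of sending it via Location 1.
ip access-list extended <tunnel 1>-vpn-acl
 3 deny   ip host 192.168.11.245 192.168.8.0 0.0.0.255
 5 permit ip host 192.168.11.245 any
!
! IOS applies inside->outside NAT before the crypto map on egress, so
! without this exemption the packet leaves as <public ip> and never matches
! the crypto ACL above.
ip access-list extended block-vpn-acl
 5 deny   ip host 192.168.11.245 any
!
! ---- Location 1 (192.168.1.254) ----
! Mirror image of the Location 3 entry; the IPsec proxy IDs must match.
! <tunnel 3>-vpn-acl is an assumed name for this router's ACL toward Location 3.
ip access-list extended <tunnel 3>-vpn-acl
 5 permit ip any host 192.168.11.245
!
! Decrypted packets arrive on FastEthernet0/0 and must leave it again after
! NAT, but IOS only translates inside->outside. Policy-route the host's
! traffic through a NAT-inside loopback (the standard IOS hairpin pattern;
! 10.255.255.0/30 is a made-up link). Traffic for the local LAN is left alone.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
ip access-list extended hairpin-11-245
 deny   ip host 192.168.11.245 192.168.1.0 0.0.0.255
 permit ip host 192.168.11.245 any
!
route-map hairpin-11-245 permit 10
 match ip address hairpin-11-245
 set ip next-hop 10.255.255.2
!
interface FastEthernet0/0
 ip policy route-map hairpin-11-245
!
! Let the existing overload NAT translate the host. The ACL's site-subnet
! denies only cover 192.168.1.0/24 sources, so this entry can simply be
! appended.
ip access-list extended block-vpn-acl
 permit ip host 192.168.11.245 any
```

Confirm with `show crypto ipsec sa` on either router that a host/any SA has been negotiated, and with `show ip nat translations` on Location 1 that 192.168.11.245 shows up as an inside local address once the host browses.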
Expert Comment by: anoopkmr (LVL 14)
ID: 33464319
Since you don't need to use the local internet at site 3; please note that for your requirement the whole traffic will go through the tunnel.

at site 3

1) no ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload

2) int f0/0
    no ip nat outside
   int f0/1
    no ip nat inside

3) I hope below is the tunnel config for site 1
crypto map corporate-vpn-map 1 ipsec-isakmp

so type

ip access-list extended -vpn-acl
permit ip 192.168.11.0 0.0.0.255 any



at site 1 router

crypto acl for site1 has to be modified like this

ip access-list extended -vpn-acl
permit ip any 192.168.11.0 0.0.0.255


Author Comment by: _valkyrie_ (LVL 2)
ID: 33467599
bgoering: I'll try that solution tonight at the plant.

anoopkmr: I don't want traffic for the entire subnet to go through there, just a single IP's internet traffic: 192.168.11.245
Expert Comment by: anoopkmr (LVL 14)
ID: 33467683
Ohh, sorry, I didn't notice that. Thanks for the correction.
